Jump to content


Photo
* * * * - 4 votes

[PHP] - [Admin Control Panel w/ sessions] - [Gio]


  • Please log in to reply
29 replies to this topic

#1 Gio

Gio

    Jedi In Training

  • Members
  • PipPip
  • 317 posts

Posted 07 November 2004 - 07:46 PM

This tutorial will show you how to create a simple way to protect your admin control pages, using sql to store the users info to which you want to give access to. When the user tries to login to this admin panel the information they enter will be checked by your database and if it is correct it will redirect them to your index page, otherwise it will send them back to the login page! Ok enough talk, lets get the login form done!

Login.html
<form action="login.php" method="post">
<b>Username</b>:<input type="text" name="username" size="20"><br>
<b>Password</b>:<input type="password" name="pw" size="20"><br>
<input type="submit" value="Login"></form>

Simple enough, this gives inputs for a username, password, and the submit button, it then sends the info to login.php where the magic works!!!

Login.php
<?php
session_start();

include "connect.php";

$q="SELECT * from login where username='$username' and pw='$pw'";
$result= mysql_query($q, $connection) or die
("Could not execute query : $q." . mysql_error());

if (mysql_num_rows($result) == 0)
{

echo "<div align=center><b>Oops! Your login is wrong. Please click back and try again.</b></div>";

}
else
{
$r=mysql_fetch_array($result);
$login_username=$r["username"];
session_register("login_username");
Header("Location: protected.php");
}
?>

Ok so you use session_start(); which will create the session that you will store on the users computer, then you select all the information from the database and check for the information the user submitted. If it is wrong, an error message is echoed, you can change this to whatever you want it to say. So after that we have the else statement which is if the information is found then it redirects the user to the page you choose, in this case protected.php. This will be your admin page. Now to make a protected page!!

Protected.php
<?
session_start();
if($login_username=="") {
Header("Location: login.html");
} else {

<!-- rest of your HTML code here for protected pages -->
}

Ok so this code checks if the session is valid, and if not, it redirects the user to login.html. But if the information is true it shows the code you have for the admin page!


Basically I wrote this because alot of people were asking about user protected pages, and securing information from prying eyes. If you branch this off into other ideas you could come up with some real origional ideas. I hope you had fun with this one, because I know I sure did. Enjoy!

~Gio~

#2 Snudge

Snudge

    Jedi In Training

  • Members
  • PipPip
  • 350 posts
  • Location:Glasgow
  • Interests:Webdesign, Drawing, Woman , :D

Posted 07 November 2004 - 11:11 PM

Looks Good Gio Gj Man

Regards

Snudge :ph34r:

#3 Gio

Gio

    Jedi In Training

  • Members
  • PipPip
  • 317 posts

Posted 08 November 2004 - 03:20 PM

Thank you, I had not written a tutorial in awhile, so I decided it was about time to get one posted! Glad you enjoyed it.

#4 Apache

Apache

    P2L Jedi

  • Twodded Staff
  • PipPipPip
  • 778 posts
  • Location:London, UK

Posted 23 March 2005 - 06:17 PM

You could replace if (mysql_num_rows($result) == 0) with if(!$result).

Works just as well and saves some time :D

#5 FFX

FFX

    Young Padawan

  • Members
  • Pip
  • 105 posts

Posted 31 March 2005 - 12:55 PM

what about connect.php ?

because in login.php it says include connect.php

#6 jasperguy

jasperguy

    Young Padawan

  • Members
  • Pip
  • 1 posts

Posted 10 April 2005 - 07:56 PM

what about connect.php ?

because in login.php it says include connect.php

I need to know about this one too.

:P

#7 adam123

adam123

    Retired P2L Staff

  • Members
  • PipPipPipPip
  • 2,306 posts
  • Location:London, UK
  • Interests:Programming and stuff.

Posted 11 April 2005 - 11:24 AM

Now I don't actually know, but from the given code it will probably be:

<?php

$user = "mysqluser"; //Change to your mysql username
$pass = "pass"; //Change to your mysql pass
$host = "localhost"; //Almost always localhost, ask your hosting provider
$db = "dbname"; //Change to your db name

$connection = mysql_connect($host,$user,$pass) or die("Could not conn. because:<br />" . mysql_error());

mysql_select_db($db) or die("Cannot select database!" . mysql_error());
?>

That should work as the connect file.

#8 _*adrian_*

_*adrian_*
  • Guests

Posted 12 April 2005 - 12:22 PM

Thanks for this tutorial, its really useful, i am using it for a basic mysql news script. All my users each have a unique 'id' in the mysql table, when I post some news how would I determine the user id from the above script, and then write it as a variable or whatever.

-Adrian

#9 Epete05

Epete05

    Young Padawan

  • Members
  • Pip
  • 1 posts

Posted 15 April 2005 - 12:04 AM

Thanks for the great tutorial, however, isn't it a little unorthodox to store the admin's username in plain-text in the database? A simple crypt() in the validation code or a password() in the sql syntax would make things a bit more secure.

=)
Eric Peterson

#10 Jynxis

Jynxis

    Young Padawan

  • Members
  • Pip
  • 132 posts
  • Location:The Shadows

Posted 22 May 2005 - 03:03 AM

You JUST SAVED me a headache. THANK YOU.

I've been creating a portal site for this gaming clan im going to revive once this script is complete, and for some reason it would allow me to login but whenever i clicked the link again to goto my console page, it just has me login again.

Good to know i was only missing Session_register()... sumhow i thought i stuck it in there... guess not

#11 MalDON

MalDON

    Young Padawan

  • Members
  • Pip
  • 127 posts
  • Location:Southern California
  • Interests:DeviantART, PHP, Techno, Empire Earth 2, Halo 2

Posted 22 May 2005 - 11:29 AM

I would double check the sessions instead of jsut checking to see if they are empty. And if your are going to be running a site with multiple user ranks, I would also have it check each time to make sure that user is an admin.

#12 Jynxis

Jynxis

    Young Padawan

  • Members
  • Pip
  • 132 posts
  • Location:The Shadows

Posted 22 May 2005 - 12:20 PM

it only displays certain links if your of a certain rank... and it checks to see if your banned or not.

#13 binki39

binki39

    Young Padawan

  • Members
  • Pip
  • 1 posts

Posted 22 May 2005 - 11:29 PM

It is a nice script, but the login process can be easily passed if the user knows the location and name of the protected page. For example, in this case the protected page is named protected.php and lets say it's stored in the folder admin under your domain. So the file can be acessed at www.yourdomain.com/admin/protected.php, the code says that if the $login_username is empty then block the access. Basically, you can access the protected page by giving $login_username any value.

For example:
www.yourdomain.com/admin/protected.php?login_username=anythinghere

grants you access. However, I'm assuming too much here. Haha, that is only if the user knows the location and name of the protected page and the name of the variable that the function is checking.

#14 Jynxis

Jynxis

    Young Padawan

  • Members
  • Pip
  • 132 posts
  • Location:The Shadows

Posted 23 May 2005 - 11:37 PM

BUT... WUT IF THE LINKS are ONLY active IF the certain measures are met..?

#15 Timo™

Timo™

    Young Padawan

  • Members
  • Pip
  • 3 posts

Posted 27 May 2005 - 03:15 PM

what do we put into the sql data base ?

#16 fiv3isaliv3

fiv3isaliv3

    Young Padawan

  • Members
  • Pip
  • 258 posts
  • Gender:Male

Posted 27 May 2005 - 10:59 PM

id, username and password... what else would you put in it?

#17 MaRmAR

MaRmAR

    Young Padawan

  • Members
  • Pip
  • 18 posts
  • Location:Slovakia

Posted 29 May 2005 - 04:54 AM

Okey, Gio:
1) your MySQL query has bad syntax. Valid syntax of your query would be:
SELECT * FROM `login` WHERE ((username='$username') AND (pw='$pw'));
or even better by putting LIMIT at the end:
SELECT * FROM `login` WHERE ((username='$username') AND (pw='$pw')) LIMIT 1;

2) What about security? I know, this is just sample tutorial, but this is an admin sample, so it should be more secure. Try passing $username and $pw thru strip_tags() and mysql_escape_string() before you are calling mysql_query(). Just for case of some "hackers"... This would kill them. :D (i had self experienced 'hackers' and this saved me from headache; they did not break the login system)

3) In file protected.php youd should not use
if ($login_username=="") { ... }
but
if ($_SESSION["login_username"]=="") { ... }
- the first 'simple' case may not work on some servers which has register_globals turned off. (this problem i experienced about two weeks ago).
Hmm...wouldn't it work better using this
if (!isset($_SESSION["login_username"])) { ... }
? ... :D

#18 Jamie Huskisson

Jamie Huskisson

    Retired P2L Staff

  • Members
  • PipPipPipPip
  • 3,648 posts
  • Gender:Male
  • Location:Nottingham, UK

Posted 29 May 2005 - 11:14 AM

old gio has left us, he couldn't hack it anymore

but very valid points :P

#19 Hyprkookeez

Hyprkookeez

    Young Padawan

  • Members
  • Pip
  • 49 posts
  • Location:Edmonton AB CA
  • Interests:Photoshop, HTML

Posted 23 June 2005 - 06:06 PM

How would you end the session? Incase you wanted to log off?

#20 HaloprO

HaloprO

    Requires Armed Escort

  • Members
  • PipPip
  • 310 posts
  • Gender:Male
  • Location:California, USA

Posted 29 June 2005 - 01:42 AM

This looks like a very easy manipulated php script, It could be vulnerable to many security flaws, if you put up an example I could show you what I mean.
And to answer Hyprkookeez question, just make a logout.php and put this
<?php
session_start();
session_destroy();
header("Location: file.php");
?>

Edited by HaloprO, 29 June 2005 - 01:57 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users