TalkPHP


codefreek 01-29-2008 02:12 PM

made a login for admin (need help)
 
Hello, as I am learning PHP I just work out of my ass, so to speak,
so this is one try, so please don't flame me or so on, and try to be as clear about the things you explain to me. Thank you.
PHP Code:

<?php
include 'config.php';

if(@$_POST['submit']=="log")
$ert = mysql_query("SELECT * FROM `cms` WHERE `username`,`password`, `rank` = '0'");
while ($row = mysql_fetch_array($ert, MYSQL_NUM)) {
if($username == $row['username'] && $md5password == $row['password']){

$_SESSION['loggedIn'] = true;

// check the rank
if $_session['loggedIn'] == true;
print "admin pannel open";
elseif $_SESSION['loggedIn'] == null;
print "Accses Denied";

if $ert = "0";
print "Accses Denied";
elseif $ert = "1";
print "you have accses to admin";


<h2>Please log in:</h2>
<form method="post" action="<?php echo $PHP_SELF;?>">
Username: <input name="usernamn" type="text" value="" /><br />
Password: <input name="password" type="password" value="" />
          <input name="submit" type="submit" value="log" />

?>


The question is, what have I done wrong?
And what should I fix?

PS: NO FLAME, please!

ty
Quote:

PS: I know I haven't defined the variables in MySQL
for username and password, but I don't remember how to do it. I'll fix it later :P

buggabill 01-29-2008 02:47 PM

Hi codefreek. What, if any, error message are you receiving?

One thing I notice right away is that your form's HTML is within the <?php ?> tag.

This will fix that:
PHP Code:

<?php
include 'config.php';

if (@$_POST['submit'] == "log")
    $ert = mysql_query("SELECT * FROM `cms` WHERE `rank` = '0'");

// MYSQL_ASSOC so that $row['username'] and $row['password'] are populated
while ($row = mysql_fetch_array($ert, MYSQL_ASSOC)) {
    if ($username == $row['username'] && $md5password == $row['password']) {
        $_SESSION['loggedIn'] = true;
    }
}

// check the rank ($_SESSION is case-sensitive)
if ($_SESSION['loggedIn'] == true)
    /* missing some sort of statement here */;
elseif ($_SESSION['loggedIn'] == null)
    print "Access Denied";

if ($ert == "0")
    print "Access Denied";
elseif ($ert == "1")
    print "you have access to admin";
?>

<h2>Please log in:</h2>
<form method="post" action="<?php echo $PHP_SELF;?>">
Username: <input name="usernamn" type="text" value="" /><br />
Password: <input name="password" type="password" value="" />
          <input name="submit" type="submit" value="log" />
</form>

I fixed a couple of other syntactical errors. These mainly were ones like forgetting parentheses around your if and elseif statements. You also are missing a statement on your first if statement.

One thing to remember, and this is important: when doing comparisons in PHP, you need to make sure to use either the '==' or the '===' operators, as just using a '=' will just set the variable. This will in turn always result in a true statement.

example:

PHP Code:

<?php
if ($somevar = "1")
{
    // This section will always execute
    // because $somevar is just being set to "1"
}
?>

The proper way:

PHP Code:

<?php
if ($somevar == "1")
{
    // This section executing will depend
    // on $somevar being equal to "1"
}
?>

Take a look at the php.net site and read up on if.

Also, you are a little paranoid about being flamed. Has someone here done that?

RobertK 01-29-2008 02:47 PM

Your input is named "usernamn". So $_POST['username'] will always be blank.

Gareth 01-29-2008 03:56 PM

If, for some reason, you wanted the form within the php tags (<?php ?>), you will need to "escape" the double quotes (") with a backslash (\).

For example

Code:

Username: <input name=\"usernamn\" type=\"text\" value=\"\" />

And as RobertK said, make sure you have typed out everything correctly, too.

WinSrev 01-29-2008 05:03 PM

Or perhaps a slightly faster method would be to do:
PHP Code:

<?php
echo('<h2>Please log in:</h2>
<form method="post" action="' . $PHP_SELF . '">
Username: <input name="usernamn" type="text" value="" /><br />
Password: <input name="password" type="password" value="" />
          <input name="submit" type="submit" value="log" />');
?>


Tanax 01-29-2008 06:58 PM

I tried to make the best out of it, and here's how I solved it:

PHP Code:

<?php

/**
 * @author Tanax
 * @copyright 2008
 */

include 'config.php';

if (@$_POST['submit'] == 'log') {

    // $_POST values go into the query unescaped; see the note after the code
    $query = mysql_query("SELECT * FROM `cms` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");

    if ($query) {

        $data = mysql_fetch_array($query);

        if ($data['rank'] == 'adminrank') {
            $_SESSION['logged'] = true;
        }

    }
    else {
        echo 'Incorrect username or password';
    }

    // $_SESSION is case-sensitive ($_session is a different, empty variable)
    if ($_SESSION['logged'] == true) {
        echo 'Adminpanel open';
    }
    else {
        echo 'Access denied';
    }

}
else {

?>

        <h2>Please log in:</h2>
        <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
        Username: <input name="username" type="text" value="" /><br />
        Password: <input name="password" type="password" value="" />
        <input name="submit" type="submit" value="log" />
        </form>

<?php

}

?>

I'm sure you can figure out, with enough time, what the different stuff do, as this is really nothing fancy or advanced.. :-)


NOTE: I wrapped this up in really no time at all, so security is none whatsoever. You might want to secure the $_POST variables.. and other aspects.

codefreek 01-29-2008 08:57 PM

As this is only for testing, I will only secure it later when I will use it later on.
BUT THANK YOU TANAX :D

xperience 01-29-2008 11:00 PM

I'm pretty sure it's a bad idea to SELECT * when just verifying a username and a password. I would just SELECT the fields you need that way there is no way someone could gain access to a password.

PHP Code:

$query = mysql_query("SELECT rank FROM `cms` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");


flyingbuddha 02-07-2008 04:48 PM

Quote:

Originally Posted by xperience (Post 9927)
I'm pretty sure it's a bad idea to SELECT * when just verifying a username and a password. I would just SELECT the fields you need that way there is no way someone could gain access to a password.

PHP Code:

$query = mysql_query("SELECT rank FROM `cms` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");


Or you could select all and unset password if you're that way inclined.

PHP Code:

<?php
// ...
unset($row['password']);
?>

Hopefully you wouldn't be storing plaintext passwords in the first place though ;)
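
Added example (not posted by anyone in this thread): the points raised above about securing the $_POST values, selecting only the needed fields and not storing plaintext passwords, combined in one login check. It assumes PHP 7.1+ with pdo_sqlite, a `cms` table with a hypothetical `password_hash` column, and the 'adminrank' value from Tanax's post; the function name `check_login` and the sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Table layout, the password_hash
// column, the function name and the sample rows are assumptions/constructed.

/** Return the user's rank when the credentials are valid, otherwise null. */
function check_login(PDO $db, string $username, string $password): ?string
{
    // The placeholder keeps user input out of the SQL text, and only the
    // two columns the check needs are selected.
    $stmt = $db->prepare('SELECT `password_hash`, `rank` FROM `cms` WHERE `username` = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both paths do
    // comparable work, then reject.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);

    return ($ok && $row) ? $row['rank'] : null;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `cms` (`username` TEXT PRIMARY KEY, `password_hash` TEXT, `rank` TEXT)');
$ins = $db->prepare('INSERT INTO `cms` VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'adminrank']);
$ins->execute(["o'brien", password_hash('hunter2', PASSWORD_DEFAULT), 'user']);

$attempts = [
    ['alice', 'correct horse'],   // valid admin
    ["o'brien", 'hunter2'],       // quote in the name is bound as data
    ['alice', 'wrong'],           // bad password
    ['nobody', 'placeholder'],    // unknown user, even with the dummy password
];
foreach ($attempts as [$user, $pass]) {
    $rank = check_login($db, $user, $pass);
    if ($rank === 'adminrank') {
        // On a real page: session_start(); session_regenerate_id(true);
        // $_SESSION['logged'] = true;
        $result = 'Admin panel open';
    } else {
        $result = 'Access denied';
    }
    printf("%-8s => %s\n", $user, $result);
}
```

Only the first attempt prints "Admin panel open"; the stored value is a salted hash from `password_hash()`, so the table never holds the plaintext password.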

