made a login for admin (need help)

codefreek · 01-29-2008, 02:12 PM

hello, as i am learning php i just work out of my ass sort of speek
so this is one try so please dont flame me or so on, and try to be as clear about the things you explain to me thank you.

PHP Code:


			
<?php
include 'config.php';

if(@$_POST['submit']=="log")
$ert = mysql_query("SELECT * FROM `cms` WHERE `username`,`password`, `rank` = '0'");
while ($row = mysql_fetch_array($ert, MYSQL_NUM)) {
if($username == $row['username'] && $md5password == $row['password']){
                $_SESSION['loggedIn'] = true;

// check the rank
if $_session['loggedIn'] == true;
print "admin pannel open";
elseif $_SESSION['loggedIn'] == null;
print "Accses Denied";

if $ert = "0";
print "Accses Denied";
elseif
$ert = "1";
print "you have accses to admin";


<h2>Please log in:</h2>
<form method="post" action="<?php echo $PHP_SELF;?>">
Username: <input name="usernamn" type="text" value="" /><br />
Password: <input name="password" type="password" value="" /> 
          <input name="submit" type="submit" value="log" />



?>

The Question is, what have i done wrong?
and what should i fix.

ps, NO FLAME! please.

ty

Quote:

ps i know i havent defined the Varibals in Mysql,
for username and password but i dont remember how to do it i fix it later :P

buggabill · 01-29-2008, 02:47 PM

Hi codefreek. What, if any, error message are you receiving?

One thing I notice right away is that your form's HTML is within the <?php ?> tag.

This will fix that:

PHP Code:


			
<?php

include 'config.php';



if(@$_POST['submit']=="log")

$ert = mysql_query("SELECT * FROM `cms` WHERE `rank` = '0'");

while ($row = mysql_fetch_array($ert, MYSQL_NUM)) {

if($username == $row['username'] && $md5password == $row['password']){

                $_SESSION['loggedIn'] = true;



// check the rank

if ($_session['loggedIn'] == true) 

[inline]mising some sort of statement here[/inline];

elseif ($_SESSION['loggedIn'] == null)

print "Access Denied";



if ($ert == "0")

print "Access Denied";

elseif ($ert == "1")

print "you have access to admin";

?>



<h2>Please log in:</h2>

<form method="post" action="<?php echo $PHP_SELF;?>">

Username: <input name="usernamn" type="text" value="" /><br />

Password: <input name="password" type="password" value="" /> 

          <input name="submit" type="submit" value="log" />

I fixed a couple of other syntactical errors. These mainly were ones like forgetting parenthesis around your if and elseif statements. You also are missing a statement on your first if statement.

One thing to remember and this is important, when doing comparisons in PHP, you need to make sure and use either the '==' or the '===' operators as just using a '=' will just set the variable. This will in turn always result in a true stement.

example:

PHP Code:


			
<?php

    if ($somevar = "1")

    {

        This section will always execute

        because $somevar is just being set to "1"

        

    }

?>

The proper way:

PHP Code:


			
<?php

    if ($somevar == "1")

    {

        This section executing will depend

        on $somevar being equal to "1"

    }

    

?>

Take a look at the php.net site and read up on if.

Also, you are a little paranoid about being flamed. Has someone here done that?

RobertK · 01-29-2008, 02:47 PM

Your input is named "usernamn". So $_POST['username'] will always be blank.

Gareth · 01-29-2008, 03:56 PM

If, for some reason, you wanted the form within the php tags (<?php ?>), you will need to "escape" the double quotes (") with a backslash (\).

For example

Code:

Username: <input name=\"usernamn\" type=\"text\" value=\"\" />

And as RobertK said, make sure you have typed out everything correctly, too.

WinSrev · 01-29-2008, 05:03 PM

Or perhaps a slightly faster method would be to do:

PHP Code:


			
<?php
echo('<h2>Please log in:</h2>
<form method="post" action="' .  $PHP_SELF . '">
Username: <input name="usernamn" type="text" value="" /><br />
Password: <input name="password" type="password" value="" /> 
          <input name="submit" type="submit" value="log" />');
?>

Tanax · 01-29-2008, 06:58 PM

I tried to make the best out of it, and here's how I solved it:

PHP Code:


			
<?php

/**
 * @author Tanax
 * @copyright 2008
 */

    include 'config.php';

    if(@$_POST['submit'] == 'log') {

        $query = mysql_query("SELECT * FROM `cms` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");

        if($query) {
            
            $data = mysql_fetch_array($query);
            
            if($data['rank'] == 'adminrank') {
                
                $_SESSION['logged'] = true;
                
            }
                    
        }
        
        else {
            
            echo 'Incorrect username or password';
            
        }
                

        if($_session['logged'] == true) {
            
            echo 'Adminpanel open';
            
        }
        
        else {
            
            echo 'Access denied';
            
        }
        
    }
    
    else {
        
        ?>


        <h2>Please log in:</h2>
        <form method="post" action="<?php $_SERVER['phpself']; ?>">
        Username: <input name="username" type="text" value="" /><br />
        Password: <input name="password" type="password" value="" /> 
        <input name="submit" type="submit" value="log" />
        
        <?php

    }


?>

I'm sure you can figure out, with enough time, what the different stuff do, as this is really nothing fancy or advanced..

NOTE: I wrapped this up in really no time at all, so security is none whatsoever. You might want to secure the $_POST variables.. and other aspects.

codefreek · 01-29-2008, 08:57 PM

as this is only for testing i will only secure it later when i will use it later on.
BUT THANK YOU TANAX :D

xperience · 01-29-2008, 11:00 PM

I'm pretty sure it's a bad idea to SELECT * when just verifying a username and a password. I would just SELECT the fields you need that way there is no way someone could gain access to a password.

PHP Code:


			
$query = mysql_query("SELECT rank FROM `cms` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");

flyingbuddha · 02-07-2008, 04:48 PM

Quote:

Originally Posted by xperience

I'm pretty sure it's a bad idea to SELECT * when just verifying a username and a password. I would just SELECT the fields you need that way there is no way someone could gain access to a password.

PHP Code:


			
$query = mysql_query("SELECT rank FROM `cms` WHERE `username` = '".$_POST['username']."' AND `password` = '".$_POST['password']."'");

Or you could select all and unset password if you're that way inclined.

PHP Code:


			
<?php

// ...

unset($row['password']);

?>

Hopefully you wouldn't be storing plaintext password's in the first place though ;)