function enc($data) {
  // Hash chain: md5 first, then sha1 of the md5 hex digest.
  $data = sha1(md5($data));
  return $data;
}

function is_admin() {
  global $admin_password;
  // Hash the configured admin password the same way the submitted one is hashed.
  $password = enc($admin_password);
  // Already logged in: the session holds the hashed password.
  if (isset($_SESSION['adm']) && $_SESSION['adm'] == $password) {
    return true;
  }
  // Otherwise check a submitted password (cleanUp is defined elsewhere).
  $psw = (isset($_POST['password'])) ? cleanUp($_POST['password']) : '';
  if (!empty($psw) && enc($psw) == $password) {
    $_SESSION['adm'] = $password;
    return true;
  }
  return false;
}

if (@is_admin() === false) { exit; }

Any comments? Is it secure enough?

    Doesn't seem to be complete: if someone were to copy this, where is the cleanUp function?

    Firstly, why do you need to use global inside is_admin? Why not pass it to the function?

    Secondly, why are you storing the password in the session? Even though it's hashed (not encrypted), if someone knew what was happening behind the scenes and got hold of it they could eventually recover the password; md5 and sha1 aren't as secure as you may think (do a search as to why).

    Lastly, why is the "@" needed on the if statement? Why not just code the last line like this:

    if (!is_admin()) exit;
    

    Shorter and more to the point, and in my opinion easier to understand.

      Hello,

      Thanks for the comments.

      I forgot to write:

      function cleanUp($data) {
        // Encode HTML special characters, strip any remaining tags, trim whitespace.
        $data = trim(strip_tags(htmlentities($data, ENT_QUOTES)));
        return $data;
      }

      I'm using "@" before the is_admin function because my site's system is in index.php, where I include the functions.php file (with all functions) and admin.php (with the validator). So, if somebody tries to access admin.php directly, they would get an error. That's why I use "@".

        OK, here is my update.

        index.php (example)

        <?php
        require("functions.php");
        include("admin.php");
        ?>
        

        functions.php

        function cleanUp($data) {
          // Encode HTML special characters, strip any remaining tags, trim whitespace.
          $data = trim(strip_tags(htmlentities($data, ENT_QUOTES)));
          return $data;
        }
        
        function is_admin($admin_password,$admin_session_time) {
          $time = time();
          // $_SESSION['adm'] holds 0 for "never expires", otherwise the expiry timestamp.
          // The parentheses matter: || binds looser than &&, so without them
          // $_SESSION['adm'] would be read even when it is not set.
          if (isset($_SESSION['adm']) && ($_SESSION['adm'] == 0 || $_SESSION['adm'] >= $time)) {
            return true;
          }
          $password = (isset($_POST['password'])) ? cleanUp($_POST['password']) : '';
          // Reject an empty submission and compare strictly, so two strings are
          // only equal when byte-identical (no loose numeric-string comparison).
          if ($password !== '' && $password === $admin_password) {
            if ($admin_session_time > 0) {
              $_SESSION['adm'] = $time+$admin_session_time;
            }
            else {
              $_SESSION['adm'] = 0;
            }
            return true;
          }
          return false;
        }
        

        admin.php

        if (!(@is_admin($admin_password,$admin_session_time))) exit;
        
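As an added example (not code from either poster), here is a version of is_admin that follows the first reply's advice (no password or hash kept in the session, no md5/sha1) while keeping the session timeout from the update above. It assumes index.php has already called session_start(), and that the configured secret is an assumed $admin_password_hash produced once with password_hash() instead of the cleartext $admin_password; the hash is generated inline here only so the snippet runs stand-alone.

```php
<?php
// Added example, not the original poster's code. Assumes index.php has already
// called session_start(); $admin_password_hash and $admin_session_time are
// assumed config names standing in for the thread's $admin_password.
declare(strict_types=1);

// Constructed for the example: in real use, generate the hash once
// (php -r 'echo password_hash("...", PASSWORD_DEFAULT);') and store that
// string in config, so the cleartext password appears nowhere in the code.
$admin_password_hash = password_hash('example-admin-password', PASSWORD_DEFAULT);
$admin_session_time  = 1800; // seconds; 0 keeps the poster's "no expiry" meaning

/**
 * True when $session holds a live admin login. The session stores only a
 * flag and an absolute deadline, never the password or a hash of it.
 */
function admin_session_valid(array $session, int $now): bool
{
    if (empty($session['adm']) || !isset($session['adm_expires'])) {
        return false;
    }
    $expires = (int) $session['adm_expires'];
    return $expires === 0 || $expires >= $now;
}

function is_admin(string $admin_password_hash, int $admin_session_time): bool
{
    $now = time();

    if (admin_session_valid($_SESSION, $now)) {
        return true;
    }
    // Clear stale admin state so an expired login cannot linger in the session.
    unset($_SESSION['adm'], $_SESSION['adm_expires']);

    // Do not pass the password through strip_tags/htmlentities: that silently
    // alters passwords containing <, >, & or quotes. Only insist on a non-empty string.
    $password = $_POST['password'] ?? '';
    if (!is_string($password) || $password === '') {
        return false;
    }

    // password_verify() compares in constant time against a salted,
    // work-factor hash (bcrypt by default), unlike sha1(md5()) with ==.
    if (!password_verify($password, $admin_password_hash)) {
        return false;
    }

    // A new session id on privilege change defeats session fixation.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['adm'] = true;
    $_SESSION['adm_expires'] = $admin_session_time > 0 ? $now + $admin_session_time : 0;
    return true;
}

// Stand-alone check (CLI, no real session): wrong password, right password,
// flag-only revisit, then a deadline in the past, which must force a fresh login.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}
$_SESSION = [];
$_POST['password'] = 'wrong';
check(is_admin($admin_password_hash, $admin_session_time) === false, 'wrong password rejected');
$_POST['password'] = 'example-admin-password';
check(is_admin($admin_password_hash, $admin_session_time) === true, 'correct password accepted');
$_POST = [];
check(is_admin($admin_password_hash, $admin_session_time) === true, 'session flag suffices');
$_SESSION['adm_expires'] = time() - 1;
check(is_admin($admin_password_hash, $admin_session_time) === false, 'expired session rejected');
echo "all checks passed\n";
```

In admin.php the call becomes `if (!is_admin($admin_password_hash, $admin_session_time)) exit;`; with the defined-constant guard in functions.php that the next reply suggests, the `@` is no longer needed.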

          If that's the case, you still shouldn't use @ to suppress errors; it's a sign of poor programming. If the included files must be included and cannot work separately, why not use something like this:

          functions.php

          <?php
          if (!defined("SOME_DEFINED_THING"))
              die ("some message");
          
          function cleanUp($data) {
            $data = trim(strip_tags(htmlentities($data, ENT_QUOTES)));
            return $data;
          } 
          -- more code --
          

          So index.php:

          <?php
          define("SOME_DEFINED_THING", true);
          require("functions.php");
          include("admin.php");
          ?> 
          

          That way you don't need to suppress the error. You can change the "SOME_DEFINED_THING" name, as it's just an example for example's sake.
