Hello,
I wrote the code below which is supposed to process a login page. If the login is successful, the code is supposed to take the user to metro_agents.php which is a password protected page.
The code was working fine until I discovered a loophole. Here's the loophole:
The user does not have to key in his correct username & password in the login page. All he has to do is to hit the Submit button. Then he needs to key in the full URL (www.mywebsite.com/metro_agents.php) in the address bar of his browser and click Go (or hit Enter). By doing so, he would gain access to metro_agents.php without a valid username & password.
My code is below. How do I plug this loophole?
Thanks for your advice.
<?php
session_start();
$username = "something";   // database user
$password = "something";   // database password
$database = "something";
$host     = "localhost";
$pass    = $_POST['pass'];    // the password field in the form
$user    = $_POST['user'];    // the username field in the form
$r1      = $_POST['R1'];      // a radio button in the form
$Submit1 = $_POST['Submit1']; // the Submit button in the form
if (isset($Submit1))
{
    mysql_connect("$host", "$username", "$password");
    mysql_select_db($database) or die("Where's the database man?");
    $query  = "SELECT * FROM administrator WHERE username = '$user' AND password = '$pass'";
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 0)
    {
        echo "Wrong Username or Password!";
        // execution continues below even when no row matched
    }
    if ($r1 == 'V1')
    {
        setcookie('metro_admin', date("G:i - m/d/y"), time() + 86400); // cookie name must be a quoted string
    }
    $_SESSION['metro_administrator'] = @mysql_result($result, 0, "email");
    $mysql_result = @mysql_result($result, 0, "email");
    $mktime = date('l dS \of F Y h:i:s A');
    //echo $mktime;
    $query2  = "INSERT INTO logs (timenow, email, username) VALUES ('$mktime', '$mysql_result', '$user')";
    $result2 = mysql_query($query2);
    @header('Location: metro_agents.php');
}
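One way to plug the loophole, as an added example that is not the original poster's code: the login script only sets the session and redirects when a row matched and the password verified, and metro_agents.php checks the session itself instead of trusting the redirect. It assumes the mysqli extension with mysqlnd (for get_result), that the `password` column holds password_hash() output rather than plaintext, and keeps the original table and column names; the R1 cookie is left out.

```php
<?php
// ---- login.php (added example, not the original poster's code) ----
// Assumption: mysqli + mysqlnd, and `password` stores password_hash() output.
session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    exit('Use the login form.');
}

$db = new mysqli('localhost', 'something', 'something', 'something');
if ($db->connect_error) {
    exit('Database unavailable.');
}

$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';

// Prepared statement: the username is bound, never concatenated into SQL.
$stmt = $db->prepare('SELECT email, password FROM administrator WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $user);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// Only a matching row AND a verified password reach the redirect below.
// Every other path stops here, so the session is never populated on failure.
if ($row === null || !password_verify($pass, $row['password'])) {
    echo 'Wrong Username or Password!';
    exit;
}

session_regenerate_id(true);                    // fresh session id after login
$_SESSION['metro_administrator'] = $row['email'];

$now = date('l dS \of F Y h:i:s A');            // same format as the original log entry
$log = $db->prepare('INSERT INTO logs (timenow, email, username) VALUES (?, ?, ?)');
$log->bind_param('sss', $now, $row['email'], $user);
$log->execute();

header('Location: metro_agents.php');
exit;                                           // nothing runs after the redirect

// ---- top of metro_agents.php (the protected page) ----
// The protected page must check the session itself; the redirect in
// login.php is a convenience for the browser, not an access control.
/*
session_start();
if (empty($_SESSION['metro_administrator'])) {
    header('Location: login.php');
    exit;
}
*/
```

Typing the metro_agents.php URL directly now lands on the session check, which sends anyone without `$_SESSION['metro_administrator']` back to the login form.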