login script

adam2326

Hi I am currently using this script:

<?php
include 'connection.php';
session_start();

$username =$_POST["username"];
$password =$_POST["password"];

  $username = stripslashes($username);
  $password = stripslashes($password);
  $username = mysql_real_escape_string($username);
  $password = mysql_real_escape_string($password);

  $flag="OK";  

  $msg="";  

  if(strlen($username) < 1){
    $msg=$msg."Please enter the user name<br>";
    $flag="NOTOK"; 
  }

  if(strlen($password) < 1 ){
    $msg=$msg."Please enter the password<br>";
    $flag="NOTOK";  

  }

  if($flag <>"OK"){
    echo "<left>$msg <br> <input type='button' value='Retry' onClick='history.go(-1)'></left>";
  }else{
    $sql="SELECT * FROM admin WHERE user='$username' and password='$password'";
    $result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
  session_register("username");
  session_register("password");
  header("location:admin_index.php");
} else {
  echo "Incorrect User Name OR Password Found";
  echo "<left><br><input type='button' value='Retry' onClick='history.go(-1)'></left>";
}
  }
?>

It all works fine. But what I would like to know is how to stop users getting to the admin_index.php page without entering in their username and password.

NogDog

I'm not sure what you are asking. Is the above script the admin_index.php page you are referring to, or is it another page?

adam2326

That code is my login action page. What I meant was that if someone were to just type in the address of the admin index page into their browser they would be able to gain access to it. How can I stop this?

NogDog

You need to do a check at the start of any access-controlled page to see if the desired session value is set.

On a related note, I see that your login code is using the deprecated session_register() function. To get your code into the 21st century, you should be using the $SESSION array, instead.

   if($count==1){
      $_SESSION["username"] = $username;
      session_write_close(); // make sure session data is saved before redirect
      header("location:admin_index.php");
      exit;  // make sure no more code is executed here
   }

(Note that I did not save the password to the session data, as it's not needed for checking login status and saving it in the session data reduces your password security.)

Then in the admin page:

<?php  // this must be the first line with no space/newline before it
session_start();
if(empty($_SESSION['username']))
{
   include 'path/to/login_form_page.php';
   exit; // don't execute rest of this page
}
// rest of admin page...
?>

adam2326

Thanks very much for your help, much appreciated.