SitePoint Sponsor

User Tag List

Results 1 to 6 of 6

Thread: Admin Login

  1. #1
    SitePoint Member
    Join Date
    Jul 2013
    Posts
    16
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Admin Login

    Hello, I'm having a small issue when an "Admin" logs in, it doesn't redirect to the "admin" page. Im pretty sure it's just something in the script, but i'm not sure what.

    PHP Code:
    <?php

    class Login extends MainController{
        function 
    __construct(){
                
    parent::__construct();
                
    $this->view->url    =    $this->config->url;
                
    $this->view->ID       get_class($this);
                
    $this->view->Title "";
                
                
    // Data Login
                
    $userName    =    isset($_POST['username']) ? $_POST['username'] : '';
                
    $passWord   =   isset($_POST['password']) ? $_POST['password'] : '';

                
    $sql "SELECT * FROM users WHERE username = :username AND password = MD5(:password)";
                
    $arr = array(":username" => $userName,":password" => $passWord);
                
    $ctr $this->database->DBCtr($sql,$arr);
                
                if(
    $ctr 0){
                    
    $usr $this->database->DBQry($sql,$arr);
                    
    $_SESSION['user'] = $usr[0]['username'];
                    
    $role $usr[0]['role'];
                    
    header("location:Index");
                }elseif(
    $role == 'admin'){
                    
    header("location:Admin");
                }else{
                    
    header("location:NotAuthorize");
                }
            
        }
        
    }
    ?>
    Thats the script for logging in, if any more scripts are needed please let me know.

  2. #2
    SitePoint Guru bronze trophy
    Join Date
    Feb 2013
    Posts
    733
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    Looks like you're doing an automatic redirect to index if ctr is greater than zero before any checks for admin. I would change it to if greater than zero, do checks (pass, not authorized) and if NOT greater than zero send to index.
    PHP Code:
    if($ctr 0){
        
    $usr $this->database->DBQry($sql,$arr);
        
    $_SESSION['user'] = $usr[0]['username'];
        
    $role $usr[0]['role'];
        if(
    $role == 'admin'){
            
    header("location:Admin");
            exit;
        }else{
            
    header("location:NotAuthorize");
            exit;
        }
    }else{
        
    header("location:Index");
        exit;

    You might also set the ROLE to session.
    PHP Code:
    if($ctr 0){
        
    $usr $this->database->DBQry($sql,$arr);
        
    $_SESSION['user'] = $usr[0]['username']; 
        
    $_SESSION['role'] = $usr[0]['role']; 
        
    $role $usr[0]['role'];
        if(
    $role == 'admin'){
            
    header("location:Admin");
            exit;
        }else{
            
    header("location:NotAuthorize");
            exit;
        }
    }else{
        
    header("location:Index");
        exit;

    Then add a little check on your admin pages to make sure user is authorized.
    PHP Code:
    //check authorization
    if (!isset($_SESSION['user']) || !isset($_SESSION['role'])) {     
        
    session_destroy();
        
    header("location:Index");
        exit;
    }elseif(
    $_SESSION['role']!="admin"){     
        
    session_destroy();
        
    header("location:Index");
        exit;


  3. #3
    SitePoint Member
    Join Date
    Jul 2013
    Posts
    16
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Drummin View Post
    Looks like you're doing an automatic redirect to index if ctr is greater than zero before any checks for admin. I would change it to if greater than zero, do checks (pass, not authorized) and if NOT greater than zero send to index.
    PHP Code:
    if($ctr 0){
        
    $usr $this->database->DBQry($sql,$arr);
        
    $_SESSION['user'] = $usr[0]['username'];
        
    $role $usr[0]['role'];
        if(
    $role == 'admin'){
            
    header("location:Admin");
            exit;
        }else{
            
    header("location:NotAuthorize");
            exit;
        }
    }else{
        
    header("location:Index");
        exit;

    You might also set the ROLE to session.
    PHP Code:
    if($ctr 0){
        
    $usr $this->database->DBQry($sql,$arr);
        
    $_SESSION['user'] = $usr[0]['username']; 
        
    $_SESSION['role'] = $usr[0]['role']; 
        
    $role $usr[0]['role'];
        if(
    $role == 'admin'){
            
    header("location:Admin");
            exit;
        }else{
            
    header("location:NotAuthorize");
            exit;
        }
    }else{
        
    header("location:Index");
        exit;

    Then add a little check on your admin pages to make sure user is authorized.
    PHP Code:
    //check authorization
    if (!isset($_SESSION['user']) || !isset($_SESSION['role'])) {     
        
    session_destroy();
        
    header("location:Index");
        exit;
    }elseif(
    $_SESSION['role']!="admin"){     
        
    session_destroy();
        
    header("location:Index");
        exit;

    Thank you so much, it works perfectly!

  4. #4
    SitePoint Guru bronze trophy
    Join Date
    Feb 2013
    Posts
    733
    Mentioned
    7 Post(s)
    Tagged
    0 Thread(s)
    I'm sure the topic will come up regarding MD5 and salting your password and even mentioning it here can open a huge can of worms as to the best way to do things. I will offer a suggestion and you can take it for what it is. I would add a field to your `users` table called `salt`. When a person logs in, you query using only the user name as the query condition, grab the salt and password and any other info you wish. Then add the salt to the POSTED password and get a hashed password, which would then be compared to the stored password for match. Not sure If I've got everything straight in this example but it would go something like this.
    PHP Code:
    $sql "SELECT * FROM users WHERE username = :username";
    $arr = array(":username" => $userName);
    $ctr $this->database->DBCtr($sql,$arr);
    if(
    $ctr 0){  
        
    $usr $this->database->DBQry($sql,$arr);
        
    $salt $usr[0]['salt']; 
        
    $pass $usr[0]['password'];
        
    $user $usr[0]['username']; 
        
    $role $usr[0]['role'];   
        
    /*
        Here we take the POSTED password variable, add our salt value (stored in DB) 
        to get our hashed password.  This must match our password for this user.
        */
        
    $hashedpass hash('sha256'$salt.$passWord);
        
    //Check if values match
        
    if ($hashedpass==$pass){
            if(
    $role == 'admin'){ 
                
    $_SESSION['user'] = $user
                
    $_SESSION['role'] = $role;
                unset(
    $_POST);
                unset(
    $salt);
                unset(
    $pass); 
                unset(
    $role); 
                
    header("location:Admin");
                exit;
            }else{ 
                unset(
    $_POST);
                unset(
    $salt);
                unset(
    $pass);
                unset(
    $role);  
                
    header("location:NotAuthorize");
                exit;
            }        
        }else{ 
            unset(
    $_POST);
            unset(
    $salt);
            unset(
    $pass); 
            unset(
    $role); 
            
    header("location:Index");
            exit;
        }  
    }else{
        
    header("location:Index");
        exit;

    This would also mean that you'd need to create SALT when the person registers for an account and store this in the users table. Add something like this to the registration section.
    PHP Code:
    function createSalt() {
        
    $string md5(uniqid(rand(), true));
        return 
    substr($string013);
    }

    $salt createsalt();
    $password trim($_POST['password']);
    $hash hash('sha256'$salt.$password); 
    You would then use $hash as the value you save as their password and $salt would be salt.

  5. #5
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Mentioned
    56 Post(s)
    Tagged
    1 Thread(s)
    Don't use MD5. It's fairly easy to reverse it these days.

    Use this function and this hashing algorithm instead:

    PHP Code:
    $hashedvalue hash('sha512'$mydata); 
    It's much more difficult to reverse the hash.

    http://www.php.net/manual/en/function.hash.php
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  6. #6
    SitePoint Guru
    Join Date
    Nov 2004
    Location
    England
    Posts
    698
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Or, even better, use BCrypt, as is encouraged in the new PHP5.5 password functions. In fact, you can add the PHP5.5 functions to PHP5.3 and PHP5.4 with this library: https://github.com/Antnee/phpPasswordHashingLib

    Use a hash that is designed to store passwords at rest No need to store a separate salt, no need to specify the salt yourself either, and all the functions are compatible with the PHP5.5 syntax so if/when you upgrade to PHP5.5 your code will continue to work with native functions. Feel free to contribute and make the code better; it was quickly put together but does exactly what it says on the tin


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •