  1. #1
    SitePoint Member
    Join Date
    Jan 2002
    Posts
    19

    Access Control "Bug?"

    I'm pretty much a newbie at PHP and MySQL and have found this Web site and K. Yank's book EXTREMELY helpful.

    One problem—I'm using Kevin's Access Control script to protect a few pages on my site. While it seemed to work quite well at first, I then tried to "hack" it by not filling in any fields on the "login required" page. I simply left the fields blank and hit "login." Guess what? I got access to my "protected" page with no problem.

    Am I missing something? I only made one minuscule change to the script...telling it to connect to my database, not the one listed in the downloaded script.

    Help!

  2. #2
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    If that is the case, check if the form has submitted either a blank username or password, and if so echo an error.

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature

  3. #3
    SitePoint Member
    Join Date
    Jan 2002
    Posts
    19
    Thanks for your reply. Where in the Access Control code would I put this?

  4. #4
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    Before the username and password are validated. You will need something like this:

    PHP Code:
    if ( $username == "" OR $password == "" ) {
        // Stop before validation if either field is blank
        echo 'Please enter both a username and password';
        exit;
    }

    Sean

  5. #5
    SitePoint Enthusiast Goldfinger's Avatar
    Join Date
    Dec 2001
    Posts
    70
    Well, if you were logged in before you tried just the empty method, your session had most likely not expired. You will need a logout script to destroy the sessions.
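
Added example, not part of the original thread or of the Access Control script it discusses: a minimal PHP login gate that combines the blank-field check from post #4 with the session teardown from post #5. The `$users` array, the `logout` query parameter and the function names are assumptions made for illustration.

```php
<?php
// Added example. $users is a constructed stand-in for the database table.
$users = ['alice' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// Post #4's check: refuse blank fields before any validation runs.
function credentials_present($username, $password): bool
{
    return is_string($username) && is_string($password)
        && trim($username) !== '' && $password !== '';
}

// Fail closed: only a known user with a verified password gets through.
function check_login(array $users, $username, $password): bool
{
    if (!credentials_present($username, $password)) {
        return false;
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Post #5's point: logout must clear the session data, cookie and session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();
if (isset($_GET['logout'])) {          // hypothetical ?logout=1 link
    logout();
    exit('Logged out');
}
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!check_login($users, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        exit('Invalid username or password');
    }
    session_regenerate_id(true);       // fresh session ID on login
    $_SESSION['user'] = $_POST['username'];
}
// A still-valid session from an earlier login passes here until logout() runs.
if (empty($_SESSION['user'])) {
    exit('Login required');
}
echo 'Protected content for ' . htmlspecialchars($_SESSION['user']);
```

When testing a blank submission against a gate like this, request the logout link first so that an earlier session cannot satisfy the final check.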

