Protect a page with php sessions


0

I have some pages in a website that I want to protect with PHP sessions, so that only an administrator with a valid password and login that match the password and login in a MySQL database can have access to these pages. Here's the code for index.html (the authentication form):

<form id="form2" name="form2" method="post" action="authagent.php">
<p class="kkm">Authentification    </p>
<table align="center" width="300" border="0">
  <tr>
    <td width="146">Login</td>
    <td width="144"><label for="textfield12"></label>
    <input type="text" name="login" id="text" /></td>
  </tr>
  <tr>
    <td width="146">Mot de passe</td>
    <td><label for="textfield13"></label>
    <input type="password" name="mdp" id="mdp" /></td>
  </tr>
  <tr>
    <td>&nbsp;</td><td><input type="submit" name="button" id="button" value="Se connecter" /></td>

  </tr>

</table>
<p align="center"><a href="ajoutagent.html">Créer un nouveau compte</a></p>
<p align="center"><a href = "javascript:history.back()">

And this is the code of authagent.php:

<?php
session_start();
$_SESSION['connect'] = 0;
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("agence");
$login = $_POST['login'];
$mdp = $_POST['mdp'];

$query = "SELECT * FROM agent where login_agent = '$login' and mdp_agent = '$mdp'";
$result = mysql_query($query);
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    if ($login == $line['login_agent'] && ($mdp == $line['mdp_agent'])) // If the username and password are correct
    {
        $_SESSION['connect'] = 1;
        header('Location: agent.php');
    }
    else
    {
        echo 'incorrect'; // If the username or password is incorrect
    }
}
?>

Here's the code of a secured page agent.php

<?php
session_start();
if (isset($_SESSION['connect'])) // Check that the variable exists.
{
    $connect = $_SESSION['connect']; // Retrieve the value of the session variable.
}
else
{
    $connect = 0; // If $_SESSION['connect'] does not exist, set the value to "0".
}

if ($connect == "1") // If the visitor has logged in.
{
    header('Location: agent.php');
    // Display the hidden page.
}
else
{
    header('Location: seconnecteragent.php');
}
?>
2012-04-05 20:34
by ziz194
And what was your question? - dqhendricks 2012-04-05 20:36
When I put a valid login and password it works, so the MySQL part is working; my problem is with the PHP sessions, I don't want someone to get access to a secured page directly by putting its URL - ziz194 2012-04-05 20:36
x' OR 1 = 1;-- - Dejan Marjanovic 2012-04-05 20:37
You need to escape the $_POST input mysql_real_escape_string. You're ripe for an SQL injection attack - mqsoh 2012-04-05 20:46
What they are trying to say is that your code is severely vulnerable to SQL injection. Also, to secure a section of your site, you need to put code on ALL of the secured pages. If they are not logged in, redirect them - dqhendricks 2012-04-05 20:47
Yes, I know, but I have a problem with the code: when I enter a valid login and password it directs me directly to the authentication page - ziz194 2012-04-05 20:56
How to protect against SQL injection in this case? - ziz194 2012-04-05 23:19
What happens when you echo $_SESSION['connect'] right after session_start()? - dqhendricks 2012-04-05 23:20


4

Usually this is done by testing for the existence of a session variable like loggedin, and if it is not =1 then you automatically redirect to the login page. You can put this simple bit of code at the top of every page, and if the loggedin variable is there, nothing happens and the page is served normally. A basic example:

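<?php
session_start(); // The session must be started before $_SESSION can be read.
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] != 1) {
    // Not logged in: send the visitor to the login page and stop the script.
    header('Location: login.php');
    exit();
}
?>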
2012-04-05 20:44
by rncrtr
Maybe also add exit(); after header("Location: login.php"); - Dion 2012-04-05 20:50
Precisely, thanks for that, edited - rncrtr 2012-04-05 20:53
Yes, I know, but I have a problem with the code: when I enter a valid login and password it directs me directly to the authentication page - ziz194 2012-04-05 20:57
What you are asking or what the problem is here isn't very clear. What exactly is the issue we can help you with? - rncrtr 2012-04-05 21:00
I want to make the browser redirect you if you enter a secured page directly by URL - ziz194 2012-04-05 21:02
E.g.: if you enter http://.../agent.php and you're not an administrator the browser redirects you to the authentication page - ziz194 2012-04-05 21:03
This code, even if I am an administrator, always redirects me to the authentication page - ziz194 2012-04-05 21:04


0

As I can see, your problem is that you have a recursion there. In agent.php page, if the user is authenticated, then you send him back to the same page agent.php.

2013-04-23 21:09
by Kaliman
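
The points raised in the comments and answers above (parameterized login query, a session flag set only on success, a guard that never redirects a page to itself), combined into one sketch. This is an added example, not code posted by anyone in the thread: the table and column names follow the question, while the in-memory SQLite database (needs pdo_sqlite), the sample account, the hashed mdp_agent column and the function names are assumptions made so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite stands in for the MySQL "agence" database.
function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE agent (login_agent TEXT PRIMARY KEY, mdp_agent TEXT NOT NULL)');
    // Assumption: mdp_agent holds a password hash, not the plaintext the question compares.
    $pdo->prepare('INSERT INTO agent VALUES (?, ?)')
        ->execute(['admin', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
    return $pdo;
}

// The login is bound as a parameter, so quotes in it are data and never SQL syntax.
function check_login(PDO $pdo, string $login, string $mdp): bool {
    $stmt = $pdo->prepare('SELECT mdp_agent FROM agent WHERE login_agent = ?');
    $stmt->execute([$login]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($mdp, $hash);
}

// For authagent.php: returns the redirect target; the flag is set only on success.
function handle_login(PDO $pdo, array $post): string {
    if (check_login($pdo, (string)($post['login'] ?? ''), (string)($post['mdp'] ?? ''))) {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true); // fresh session id once the user is authenticated
        }
        $_SESSION['connect'] = 1;
        return 'agent.php';
    }
    unset($_SESSION['connect']);
    return 'index.html';
}

// For the top of each protected page: null means "render the page", otherwise redirect
// there with header('Location: ...') followed by exit, and never to the page itself.
function guard(): ?string {
    return (($_SESSION['connect'] ?? 0) === 1) ? null : 'index.html';
}

if (PHP_SAPI === 'cli') { // offline walk-through; a real page calls session_start() first
    $pdo = demo_db();
    $_SESSION = [];
    var_dump(guard());                                                        // direct URL, no login
    var_dump(handle_login($pdo, ['login' => "x' OR 1 = 1;--", 'mdp' => 'x'])); // string from the comments
    var_dump(handle_login($pdo, ['login' => 'admin', 'mdp' => 's3cret-demo'])); // constructed account
    var_dump(guard());                                                        // after a successful login
}
```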