www.webdeveloper.com

Thread: admin mode > security

  1. #1
    Join Date
    May 2003
    Posts
    144

    admin mode > security

    Hi! I have this script. Do you see any security flaw? Is it safe enough?
    auth.php
    PHP Code:
    <?

        $id = "user";
        $pw = "password";

        function auth(){
           header("WWW-authenticate:basic realm=\"Admin Mode\"");
           header("HTTP/1.0 401 unauthorized");
           echo "
               <script>
                    alert('Just the Admin can access, sorry.');
                    history.back(1);
               </script>
           ";
           exit;
        }

       if(!$PHP_AUTH_USER or !$PHP_AUTH_PW){
           auth();
       }else{
          if($id != $PHP_AUTH_USER or $pw != $PHP_AUTH_PW) auth();
       }

    ?>
    and here's the file
    PHP Code:
    <?
    include "auth.php";
    ?>
    <form action="" method="post">
    <input blah>
    <input blah>
    </form>
    Last edited by Michaelttkk; 01-25-2007 at 07:33 PM.
    Learning never ends!

  2. #2
    Join Date
    Dec 2006
    Location
    Escazú (Costa Rica) and Mallorca (Spain)
    Posts
    3,234
    Why the javascript?
    PHP Code:
    <?php
    $id = "user";
    $pw = "password";
    if ( !isset($_SERVER['PHP_AUTH_USER'] OR !isset($_SERVER['$PHP_AUTH_PW']
      OR $id <> $_SERVER['PHP_AUTH_USER'] OR $pw <> $PHP_AUTH_PW) {
       header('WWW-Authenticate: basic realm="Admin Mode"');
       header('HTTP/1.0 401 unauthorized');
       echo 'Just the Admin can access, sorry.<br>';
       echo '<a href="' . $_SERVER['HTTP_REFERER'] . '">Back</a>';
       exit;
    }
    ?>

  3. #3
    Join Date
    May 2003
    Posts
    144
    I tried the code, I included it in another page but the page goes blank
    Learning never ends!

  4. #4
    Join Date
    Dec 2006
    Location
    Escazú (Costa Rica) and Mallorca (Spain)
    Posts
    3,234
    Sorry, missing a (.
    PHP Code:
    <?php
    $id = "user";
    $pw = "password";
    if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])
      OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {
       header('WWW-Authenticate: basic realm="Admin Mode"');
       header('HTTP/1.0 401 unauthorized');
       echo 'Just the Admin can access, sorry.<br>';
       echo '<a href="' . $_SERVER['HTTP_REFERER'] . '">Back</a>';
       exit;
    }
    ?>
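
A hardened form of the check this thread is working toward, added here as an example and not code from any poster; the function and constant names (`basic_auth_ok`, `require_admin`, `ADMIN_USER`, `ADMIN_HASH`) are assumptions. It reads the credentials from `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` (the literal key `'$PHP_AUTH_PW'` is never set by PHP, and the bare `$PHP_AUTH_PW` exists only under `register_globals`), verifies the password against a hash, and echoes nothing taken from the request.

```php
<?php
// Added example, not code from the thread. Names and credentials are constructed.
declare(strict_types=1);

const ADMIN_USER = 'user'; // sample id used in the thread
// Assumption: a real deployment stores a precomputed password_hash() string, never the password.
define('ADMIN_HASH', password_hash('password', PASSWORD_DEFAULT));

/** True only when both Basic-auth fields are present and match. */
function basic_auth_ok(array $server, string $user, string $hash): bool
{
    // PHP sets these two keys itself; the key names contain no "$".
    $u = $server['PHP_AUTH_USER'] ?? null;
    $p = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($u) || !is_string($p)) {
        return false;
    }
    // Run both checks before combining them so a wrong user name is not faster to reject.
    $userOk = hash_equals($user, $u);
    $passOk = password_verify($p, $hash);
    return $userOk && $passOk;
}

function require_admin(): void
{
    if (basic_auth_ok($_SERVER, ADMIN_USER, ADMIN_HASH)) {
        return;
    }
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Admin Mode"');
    // Fixed text only: no Referer or Host value from the request is echoed back.
    echo 'Just the Admin can access, sorry.';
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed requests showing the three outcomes.
    $cases = [
        'no credentials' => [],
        'wrong password' => ['PHP_AUTH_USER' => 'user', 'PHP_AUTH_PW' => 'guess'],
        'valid'          => ['PHP_AUTH_USER' => 'user', 'PHP_AUTH_PW' => 'password'],
    ];
    foreach ($cases as $name => $server) {
        printf("%-15s %s\n", $name, basic_auth_ok($server, ADMIN_USER, ADMIN_HASH) ? 'allow' : 'deny');
    }
} else {
    require_admin();
}
```

Basic authentication sends the id and password base64-encoded with every request, so these pages should be served over HTTPS only.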

  5. #5
    Join Date
    May 2003
    Posts
    144
    it works, just that I have to retype 3 times user and password to reach to the
    HTML Code:
    Just the Admin can access, sorry.<br>
    <a href="">Back</a>
    please check here
    http://positive0.negative0.net/tests/shop.php

    let's say, I'm making a shopping mall. I'm going to add my products through this Admin mode. From the link I'm going to add products so that just me can add and no one else
    Last edited by Michaelttkk; 01-25-2007 at 09:44 PM.
    Learning never ends!

  6. #6
    Join Date
    Dec 2006
    Location
    Escazú (Costa Rica) and Mallorca (Spain)
    Posts
    3,234
    PHP Code:
    <?php
    $id = "user";
    $pw = "password";
    if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])
      OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {
       header('WWW-Authenticate: basic realm="Admin Mode"');
       header('HTTP/1.0 401 unauthorized');
       echo 'Just the Admin can access, sorry.<br>';
       header('Location: ' . $_SERVER['HTTP_REFERER']');
       exit;
    }
    ?>

  7. #7
    Join Date
    May 2003
    Posts
    144
    the last one doesn't seem to work

    but this works just that it doesn't show my index page instead it shows the auth.php's echo Just the Admin can access, sorry. [Back]
    PHP Code:
    <?php
    $id = "user";
    $pw = "password";
    if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])
      OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {
       header('WWW-Authenticate: basic realm="Admin Mode"');
       header('HTTP/1.0 401 unauthorized');
       echo 'Just the Admin can access, sorry.<br>';
       echo '<a href="' . $_SERVER['HTTP_REFERER'] . '">Back</a>';
       exit;
    }
    ?>
    http://positive0.negative0.net/tests/index.php id=user pw=password
    Last edited by Michaelttkk; 01-25-2007 at 10:26 PM.
    Learning never ends!

  8. #8
    Join Date
    Dec 2006
    Location
    Escazú (Costa Rica) and Mallorca (Spain)
    Posts
    3,234
    PHP Code:
    <?php
    $id = "user";
    $pw = "password";
    if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])
      OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {
       header('WWW-Authenticate: basic realm="Admin Mode"');
       header('HTTP/1.0 401 unauthorized');
       echo 'Just the Admin can access, sorry.<br>';
       echo '<a href="' . $_SERVER['HTTP_HOST'] . '">Back</a>';
       exit;
    }
    ?>

  9. #9
    Join Date
    May 2003
    Posts
    144
    I'm going to do some changes with http://positive0.negative0.net/tests/index.php for a few seconds this result is without
    PHP Code:
    <?
    include ('auth.php');
    ?>
    in index.php menu.php shopadd.php
    Learning never ends!

  10. #10
    Join Date
    May 2003
    Posts
    144
    but when I put the auth.php in all three pages
    when I run the index.php the Admin mode appears
    after 3 times of putting the id and password in the admin mode it brings back to the page
    Just the admin can access, Sorry.
    Back
    Learning never ends!

  11. #11
    Join Date
    Dec 2006
    Location
    Escazú (Costa Rica) and Mallorca (Spain)
    Posts
    3,234
    I think it's because of the frames.

  12. #12
    Join Date
    May 2003
    Posts
    144
    alright now I'm gonna put the auth in the index.php menu.php shopadd.php
    PHP Code:
    <?
    include ('auth.php');
    ?>
    Learning never ends!

  13. #13
    Join Date
    Dec 2006
    Location
    Escazú (Costa Rica) and Mallorca (Spain)
    Posts
    3,234
    I posted something that somehow didn't make it...
    PHP Code:
    <?php
    $id = "user";
    $pw = "password";
    if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])
      OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {
       header('WWW-Authenticate: basic realm="Admin Mode"');
       header('HTTP/1.0 401 unauthorized');
       echo 'Just the Admin can access, sorry.<br>';
       header('Location: ' . $_SERVER['HTTP_HOST']);
       exit;
    }
    ?>

  14. #14
    Join Date
    May 2003
    Posts
    144
    I see this on the Admin mode

    Admin Mode-1005
    Learning never ends!

  15. #15
    Join Date
    May 2003
    Posts
    144
    now, all error 404 document appear
    Learning never ends!
