So I made a register script and a login script for my website;
here is the register script:

<?php
$host="localhost";
$username="root";
$password="quatre";
$database="binary";
//make connection to mysql
//and store connection in the variable $con
$con=mysql_connect("localhost","root", "quatre");
if(!$con)
{
die('Could not connect'. mysqlerror());
}
mysql_select_db($database);
$aid=$_POST['aid'];
$pass=$_POST['password'];
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$phone=$_POST['phone'];
$query="SELECT * FROM users WHERE aid='$aid'";
//mysql_query() returns a result set on sucess or false on error
$result1=mysql_query($query);
$rows=mysql_num_rows($result1);
if($rows==1)
{
echo'That aid is already taken!';
}
else
{
$add="INSERT INTO users(aid,password,fname,lname,phone) VALUES('$aid','$pass','$fname','$lname', '$phone')";
$result2=mysql_query($add);
echo 'You have successfully registered!';
echo'Click <a href="login.php">here</a>to login';
}

?>

login script:

<?php
include'connect.php';
$aid=$_POST['aid'];
$pass=$_POST['password'];
//first check if that aid was registered
//or if it does not exist
$query="SELECT * FROM users WHERE aid='$aid'";
$result=mysql_query($query);
//now check number of rows in resource returned
$rows=mysql_num_rows($result);
//if resource returned contains no row
//it means that the aid was not registered
if($rows==0)
{
echo 'The aid you entered does not exist!';
}
//if the aid was registered
else
{
$arr=mysql_fetch_array($query);
//check if correct password was entered
if($arr['password']==$pass)
{
echo'You are now logged in!';
}
else
{
echo'The password/username you entered was not valid!';
}
}
?>

Now I changed my mind and the site will only allow admins to login so now I need to modify the login just to suit admin needs but my problem is since it won't be wise to build a register script for admins
how do I add new admins!
I mean do I add admins account myself and just put the login there or something like that.
Can someone help me please?

Now I changed my mind and the site will only allow admins to login so now I need to modify the login just to suit admin needs but my problem is since it won't be wise to build a register script for admins
how do I add new admins!
I mean do I add admins account myself and just put the login there or something like that.
Can someone help me please?

Sounds like it's mainly the theory that has gone terribly wrong. I shall explain the answer and if you have any problems then I shall provide some code. So as explained you have a register script and a login script. That is all and good and now for the next stage. You will need to put into your config file a username variable and a password variable for the master username and master password. Then modify the login script to accept this master user. Then when the master user is logged in a cookie or session variable is set to say it is the master user. And add an if statement in the register script to check if it is the master user registering a new user. Then last of all make sure the register page is only linked to in the master admin panel and not in everybody else's admin panel and not in public domain. That's the theory and hope it gives you a better picture.

Sounds like it's mainly the theory that has gone terribly wrong. I shall explain the answer and if you have any problems then I shall provide some code. So as explained you have a register script and a login script. That is all and good and now for the next stage. You will need to put into your config file a username variable and a password variable for the master username and master password. Then modify the login script to accept this master user. Then when the master user is logged in a cookie or session variable is set to say it is the master user. And add an if statement in the register script to check if it is the master user registering a new user. Then last of all make sure the register page is only linked to in the master admin panel and not in everybody else's admin panel and not in public domain. That's the theory and hope it gives you a better picture.

So I don't know a real much about cookies or sessions but I did modify the scripts and I have something like this:
adminlogin.php:

?php
include'connect.php';
$aid=$_POST['aid'];
$pass=$_POST['password'];
//first check if that aid was registered
//or if it does not exist
$query="SELECT * FROM admins WHERE AID='$aid'";
$result=mysql_query($query);
//now check number of rows in resource returned
$rows=mysql_num_rows($result);
//if resource returned contains no row
//it means that the aid does not exist
if($rows==0)
{
echo 'The aid you entered does not exist!';
}
//if the aid exists
else
{
$arr=mysql_fetch_array($result);
//check if correct password was entered
if($arr['password']==$pass)
{
header("Location:admins.php");
}
else
{
echo'The password/username you entered was not valid!';
}
}
?>

addadmin.php:

<?php
$host="localhost";
$username="root";
$password="quatre";
$database="binary";
//make connection to mysql
//and store connection in the variable $con
$con=mysql_connect("localhost","root", "quatre");
if(!$con)
{
die('Could not connect'. mysqlerror());
}
mysql_select_db($database);
$aid=$_POST['aid'];
$pass=$_POST['password'];
$fname=$_POST['firstname'];
$sname=$_POST['surname'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$query="SELECT * FROM admins WHERE AID='$aid'";
//mysql_query() returns a result set on sucess or false on error
$result1=mysql_query($query);
$rows=mysql_num_rows($result1);
if($rows==1)
{
echo'That aid is already taken!';
}
else
{
$add="INSERT INTO admins(AID,password,firstname,surname,phone,email) VALUES('$aid','$pass','$fname','$sname', '$phone', '$email')";
$result2=mysql_query($add);
echo 'The new admin account was successfully added';
echo'Click <a href="login.php">here</a>to go back to the admin page';
}

?>

And what I planned was an admin logs in and he is redirected to admins.php where there are forms that allow to modify the site and one of these form is addadminfrm which uses the 'addadmin' script.Is this valid?

Okay so I learnt sessions and was able to build the site in a way so that only the site owner can add admins.

Here is the form that the site user can use to add an admin:

<?php
session_start();
if($_SESSION['loggedin']!='yes')
{
Header('Location:index.php');
}
else
{
//if logged in
//but is not site owner
if($_SESSION['level']!='super')
{
echo 'Only the site owner is allowed to add admins<br/>';
//redirect administrator to admins.php
echo 'Click <a href="admins.php">here</a> to go back to the admins page';
}
//if it is the site owner
//allow access to the form
else
{
echo'<form action="addadmin.php" method="post" name="addadminfrm">
AID:<input name="aid" type="text" size="15"/><br/>
password:<input name="password" type="text" size="15"/><br/>
firstname:<input name="firstname" type="text" size="15"/><Br/>
surname:<input name="surname" type="text" size="15"/><br/>
phone:<input name="phone" type="text" size="7"/><br/>
email<input name="email" type="text" size="15"/><br/>
level<input name="level" type="text" size="15"/><br/>
<input value="Submit" type="submit"/>
<form/>';
}
}
?>

And here is the 'addadmin.php':

<?php
$host="localhost";
$username="root";
$password="quatre";
$database="binary";
//make connection to mysql
//and store connection in the variable $con
$con=mysql_connect("localhost","root", "quatre");
if(!$con)
{
die('Could not connect'. mysqlerror());
}
mysql_select_db($database);
$aid=$_POST['aid'];
$pass=$_POST['password'];
//use a one way function
//here md5 to turn the password into a 32character hexadecimal number
//storing this number in the database is wiser than storing the password itself
$token=md5($pass);
$fname=$_POST['firstname'];
$sname=$_POST['surname'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$level=$_POST['level'];
$query="SELECT * FROM admins WHERE AID='$aid'";
//mysql_query() returns a result set on sucess or false on error
$result1=mysql_query($query);
$rows=mysql_num_rows($result1);
if($rows==1)
{
echo'That aid is already taken!';
}
else
{
$add="INSERT INTO admins(AID,password,firstname,surname,phone,email,level) VALUES('$aid','$token','$fname','$sname', '$phone', '$email', '$level')";
$result2=mysql_query($add);
echo 'The new admin account was successfully added';
echo'Click <a href="admins.php">here</a>to go back to the admins page';
}
?>

This works fine an if somemone that is not logged in tries to access the addadminfrm by typing the url he will be redirected to the index since the session variable will check for that!
Now I did similar with all my forms that can be accessed only by admins or site owner but now if someone actually typed the url:

http://127.0.0.1/Web/addadmin.php

It gives me something like this that is it calls the "addadmin.php" script:

Notice: Undefined index: aid in C:\Program Files\EasyPHP5.3.0\www\Web\addadmin.php on line 14

Notice: Undefined index: password in C:\Program Files\EasyPHP5.3.0\www\Web\addadmin.php on line 15

Notice: Undefined index: firstname in C:\Program Files\EasyPHP5.3.0\www\Web\addadmin.php on line 20

Notice: Undefined index: surname in C:\Program Files\EasyPHP5.3.0\www\Web\addadmin.php on line 21

Notice: Undefined index: phone in C:\Program Files\EasyPHP5.3.0\www\Web\addadmin.php on line 22

Notice: Undefined index: email in C:\Program Files\EasyPHP5.3.0\www\Web\addadmin.php on line 23

Notice: Undefined index: level in C:\Program Files\EasyPHP5.3.0\www\Web\addadmin.php on line 24
The new admin account was successfully addedClick hereto go back to the admins page

And this does insert something in my admins table which is really annoying!
How can I check if the script has been called from a form or if someone has just typed it in the url?

Member Avatar for diafol

This thread is marked solved. Do you need further help or are you done?

Thks ardav but I got my answer :)

So I used this on top of those script to check if the form was submitted and this works fine:

if(!array_key_exists('submit_check',$_POST))
{
echo'Warning you don\'t have the required permissions to access this page';
}

Now I have other scripts that are not invoked through froms such as display01.php which brings a certain picture from the dtabase and display it.I included the script in a page so that thepicture are displayed on a page.

<?php
   //variables that will be needed to connect to mysql
  $host="localhost";
  $username="root";
  $password="quatre";
  $database="binary";
  //make connection to mysql
  //and store connection in the variale $con
  $con=mysql_connect($host,$username,$password);
  //die if it didn't connect
  if(!$con)
  {
  die('Could not connect'. mysqlerror());
  }
  //if connected
  //select database to use
  mysql_select_db($database);
  //store query in variable $query
  $query="SELECT image from tbl_images where id=1";
  $results=mysql_query($query,$con);
  $row = mysql_fetch_array($results);
  header('Content-type: image/jpeg');
  echo $row['image'];
?>

Now if the user types' http://127.0.0.1/Web/display01.php' he can see the picture.Is this wise or is there a way to restrict access to that also?

Member Avatar for diafol

The user won't see that page because 127.0.0.1 is the IP address for 'localhost'. You probably see it because you've got a local copy on your machine. *I think*. Do you have a remote server, or are you working off a local test server on easyphp?

Member Avatar for diafol

Yes - but not the 127.0.0.1 version you posted originally.

If you want to restrict access to certain files, an easy way to do this would be to bounce certain unauthorized requests back to the original page or to your index page.

if(isset($_POST['whatever'])){
   //carry on with the page script
}else{
   header('Location:http://www.example.com/index.php');
   exit;
}

This will only work if there is no html output before it - so it won't work as an include file unless it's the first thing to output.

So here is 'display01.php':

<?php
   //variables that will be needed to connect to mysql
  $host="localhost";
  $username="root";
  $password="quatre";
  $database="binary";
  //make connection to mysql
  //and store connection in the variale $con
  $con=mysql_connect($host,$username,$password);
  //die if it didn't connect
  if(!$con)
  {
  die('Could not connect'. mysqlerror());
  }
  //if connected
  //select database to use
  mysql_select_db($database);
  //store query in variable $query
  $query="SELECT image from tbl_images where id=1";
  $results=mysql_query($query,$con);
  $row = mysql_fetch_array($results);
  header('Content-type: image/jpeg');
  echo $row['image'];
?>

And it is being included in this page 'macbook.php':

<html>
  <head>
    <title>Macbook-Apple Store Mauritius</title>
    <link rel="shortcut icon" type="image/ico" href=favicon.ico mce_ref=favicon.icon>
    <link rel="stylesheet" href="format.css" type="text/css" />
  </head>
  <body>
    <h2 class="italia">Apple eStore Mauritius</h2>
    <div id="side1"><a href="index.php">Home</a></div>
    <div id="side2"><a href="ipods.php">iPods</a></div>
    <div id="side3"><a href="iphones.php">iPhones</a></div>
    <div id="side4"><a href="http://www.apple.com/">Apple.com</a></div>
    <div id="side5"><a href="support.php">Support & Policy</a></div>
    <div class="nice">
      <div style="position:absolute; top:50px; left:60px;">
        <img src="display01.php"/>
      </div>
      <div style="position:absolute; top: 50px; left: 400px;">
        <?php include('text01.php');?>
      </div>
    </div>
   </body>
</html>

And since the script is not being invoked by a form I can't check it.
I thought about checking a session variable to see if a user is an admin.If he isn't and he types 'http://futuresitename/Web/display01.php' he will be redirected towards index.Now when I used that I get redirected if I just type the url but if I login as admin I can see the image but now I have another problem the image is never displayed on the site when a normal user views it since since he is not logged in the session variable is not set.
So this means I will have to find another method to prevent a normal user from seeing what is at the url; it won't be grave if he types that url since the image that the script displays is intended to be on the site its just that it is kind of ridiculous.Please tell me how to fix this?

Member Avatar for diafol

In general - if you want to protect files:

Either have a small script like the one I posted earlier - use $_SESSION instead of $_POST that pertains to a logged in user, OR have http protection - e.g. htaccess with password which asks for user authentication.

Yeah my forms and other scripts are well protected for example:

addadmin.php:

<?php
//check if the addadmin script is being accessed through a from
//or if someone has just typed the url in a browser
//if so display a warning
//and redirect to home
if(!array_Key_exists('submit_check', $_POST))
{
echo'Warning you don\'t have the requied permisssions to access this page';
}
else
{
$host="localhost";
$username="root";
$password="quatre";
$database="binary";
//make connection to mysql
//and store connection in the variable $con
$con=mysql_connect("localhost","root", "quatre");
if(!$con)
{
die('Could not connect'. mysqlerror());
}
mysql_select_db($database);
$aid=$_POST['aid'];
$pass=$_POST['password'];
//use a one way function
//here md5 to turn the password into a 32character hexadecimal number
//storing this number in the database is wiser than storing the password itself
$token=md5($pass);
$fname=$_POST['firstname'];
$sname=$_POST['surname'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$level=$_POST['level'];
$query="SELECT * FROM admins WHERE AID='$aid'";
//mysql_query() returns a result set on sucess or false on error
$result1=mysql_query($query);
$rows=mysql_num_rows($result1);
if($rows==1)
{
echo'That aid is already taken!';
}
else
{
$add="INSERT INTO admins(AID,password,firstname,surname,phone,email,level) VALUES('$aid','$token','$fname','$sname', '$phone', '$email', '$level')";
$result2=mysql_query($add);
echo 'The new admin account was successfully added';
echo'Click <a href="admins.php">here</a>to go back to the admins page';
}
}
?>
<?php
session_start();
if($_SESSION['loggedin']!='yes')
{
Header('Location:index.php');
}
else
{
//if logged in
//but is not site owner
if($_SESSION['level']!='super')
{
echo 'Only the site owner is allowed to add admins<br/>';
//redirect administrator to admins.php
echo 'Click <a href="admins.php">here</a> to go back to the admins page';
}
//if it is the site owner
//allow access to the form
else
{
echo'<form action="addadmin.php" method="post" name="addadminfrm">
<input type="hidden" name="submit_check" value="1"/>
AID:<input name="aid" type="text" size="15"/><br/>
password:<input name="password" type="text" size="15"/><br/>
firstname:<input name="firstname" type="text" size="15"/><Br/>
surname:<input name="surname" type="text" size="15"/><br/>
phone:<input name="phone" type="text" size="7"/><br/>
email<input name="email" type="text" size="15"/><br/>
level<input name="level" type="text" size="15"/><br/>
<input value="Submit" type="submit"/>
<form/>';
}
}
?>

As you can see both are well protected its just here its a bit different but it does not involve any security risk at all; maybe I should just leave it like it is

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.