I have an admin panel and I want to protect it. I want password protection: the admin will enter a username and password, and this username and password will be in the database. How can I do this? Please help me.
No, I don't want to password-protect directories. I want something like this: when somebody goes to admin.php?action=addnews he will see this login form. Do you understand what I want?
Well, you basically need some kind of member system for it. Have you already got a user database? After that we should add the login and protection script right at the top of the admin.php file, and that should be sufficient. Preferably we work with session_start(); that's the easiest way. When you further clarify whether you already have a database created for it (and you have posted its structure), I can give further code.
He doesn't have to have a database; he could set the username and password in the script, then check to see if the password and username entered match the ones set.
So I have a database, and there is a table named users with username, password and other information. I can make a login form, that is no problem, but I want admin.php to be protected: if I write mysite.com/admin.php?action=addnews in the browser, the script should show the login form.
@Crazyryan: I know. But he said himself that he would like to use a database. Well, I recommend having this at the top of your admin.php.

```php
<?php
session_start();
if(!isset($HTTP_SESSION_VARS['username']) && $HTTP_GET_VARS['action'] != "dologin")
{
    // print login form here
    // make sure it POST or GET to admin.php?action=dologin
    // after printing the login form, we die() the script, so it won't be executed any further
    die();
}elseif($HTTP_GET_VARS['action'] == "dologin"){
    // validate the login here from your database
    // if IS VALID, set $HTTP_SESSION_VARS['username'] to the logged in user
    // and print a link to the admin homepage like "Login success. Click here to go to admin homepage".
    // after validating and printing that, we die() again for surety.
    die();
}
// here goes the rest of your script
?>
```

This is just some quick code. Code a little further on that. You could also use die('</body></html>'); or something similar, in order to have valid HTML printed.
I have a problem:

```php
<?php
// Get MySQL database info
include ("../includes/dbinfo.php");
// Connect to MySQL server
$connect = @mysql_connect($db_host,$db_user,$db_pass);
// Connect to MySQL database
$db = mysql_select_db($db_name,$connect);
// login
session_start();
if(!isset($HTTP_SESSION_VARS['username']) && $HTTP_GET_VARS['action'] != "dologin")
{
?>
<table border="0">
<form action="index.php?action=dologin" method="post">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="password" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</form>
</td></tr>
</table>
<?
    die();
}elseif($HTTP_GET_VARS['action'] == "dologin"){
    $username = $_POST[username];
    $password = $_POST[password];
    $data_user = mysql_query("SELECT username FROM users");
    $data_password = mysql_query("SELECT password FROM users");
    // what i do now?
?>
```

I can't understand what I can do when database_pass and database_username == username and password. How can I set $HTTP_SESSION_VARS['username']?
1) Put this:

```php
// login
session_start();
```

just after this:

```php
<?php
```

Setting the session var is done this way:

```php
$HTTP_SESSION_VARS['username'] = "What Should Be In here ...";
```

That will ONLY work if session_start() is just after the start of the PHP script (being <?php). Let me know if any problem arises. Oh, by the way, I see this kind of declaration in your PHP code:

```php
$_POST[username]
```

I don't know if that works, how you use it, but it is better to use it this way:

```php
$_POST['username']
```

Cheers
```php
<?php
session_start();
// Get MySQL database info
include ("../includes/dbinfo.php");
// Connect to MySQL server
$connect = @mysql_connect($db_host,$db_user,$db_pass);
// Connect to MySQL database
$db = mysql_select_db($db_name,$connect);
if(!isset($HTTP_SESSION_VARS['username']) && $HTTP_GET_VARS['action'] != "dologin")
{
?>
<table border="0">
<form action="index.php?action=dologin" method="post">
<tr><td colspan=2><h1>Login</h1></td></tr>
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="password" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</form>
</td></tr>
</table>
<?
    die();
}elseif($HTTP_GET_VARS['action'] == "dologin"){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $data_user = mysql_query("SELECT username FROM users");
    $data_password = mysql_query("SELECT password FROM users");
    if($username == $data_user && $password == $data_password)
    {
        $HTTP_SESSION_VARS['username'] = '<a href="?action=home" >Go to admin panel Home</a>';
    }
    die();
}
?>
```

I have this code but it doesn't work. Why?
You are posting to INDEX.php? Isn't it ADMIN.php? Also, you have this line:

```php
$HTTP_SESSION_VARS['username'] = '<a href="?action=home" >Go to admin panel Home</a>';
```

Should be:

```php
$HTTP_SESSION_VARS['username'] = $username;
echo '<a href="?action=home" >Go to admin panel Home</a>';
```

At the end, better replace the following:

```php
}
die();
```

with:

```php
}else{
    echo "Incorrect username or password. <a href='?action=home'>Try again</a>";
}
die();
```

Let us know
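An added example, not part of any post in this thread: one way to write the "dologin" check so that the submitted username and password are compared against the matching row of the users table, rather than against the query result itself as in the code above. It assumes the password column holds password_hash() output and uses PDO with an in-memory SQLite database as a constructed stand-in for the MySQL connection; the function name attempt_login is hypothetical.

```php
<?php
// Added example. Table and column names (users.username, users.password)
// follow the thread; storing password_hash() output in the password
// column is an assumption, as is the helper name attempt_login().

function attempt_login(PDO $db, string $username, string $password): bool
{
    // Fetch only the row for the submitted username. The value is bound
    // as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no such user exists.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }

    // In admin.php, session_start() has already run at the top of the
    // script; from the command line no session is active and this is skipped.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);        // fresh session id after login
        $_SESSION['username'] = $username;  // what the page guard checks
    }
    return true;
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(attempt_login($db, 'admin', 'correct horse'));  // valid login
var_dump(attempt_login($db, 'admin', 'wrong password')); // bad password
var_dump(attempt_login($db, 'nobody', 'anything'));      // unknown user
```

In the "dologin" branch the call would be attempt_login($db, $_POST['username'], $_POST['password']), followed by the success link or the error message and then die().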
It's very simple and easy, I used ...

```php
<?php
session_start();
if(empty($_SESSION['username']))
{
    header('Location:login.php');
}
?>
```

in head tag <head> ////
Most of the time that works, unless the browser doesn't recognize the 'Location:' header. Every hacker could easily get around that then (at least, I think so). But it could work too, though. @shotazi: No problem. Here to help you.
Hey, please explain to me: what do you mean? Can a hacker hack my script easily? Please tell me .. if you are a good programmer .. add me so we can discuss many things related to programming..
I learned how to use password protection from a PHP book, it's amazing how much you can learn from them. Try visiting your local library and borrowing a PHP book.
Don't worry; only very advanced ones should be able to do that. If you want really secure code, this should be practically unhackable (your code changed a little bit):

```php
<?php
session_start();
if(empty($_SESSION['username']))
{
    header('Location:login.php');
    // Just to make sure that the header "location" is not ignored, we add a die() to it, so that absolutely nobody can access admin area.
    die();
}
?>
```

Note that your script basically could only be hacked by professionals - I wouldn't be able to do it. All you would need is a custom-written browser which ignores the 'Location:' HTTP header -I think!-. Using the code I have written above, it can't be hacked; at least nobody can access the protected pages without knowing the username & password (where I guess you have a secure login.php).