Page 1 of 2 (Results 1 to 15 of 16)
  1. #1
    Senior Coder
    Join Date
    May 2005
    Posts
    2,137
    Thanks
    96
    Thanked 72 Times in 72 Posts

    Simple Administrator Control Panel

    Code is a bit messy but it does work, and it has security and encryption.

    1. Create a new database.
    2. Add a table named "users" without the quotes.
    3. Add the following 4 fields to the table.

    Field Name: id
    Type: smallint
    Length: 6
    Default: 0
    Extra: Auto Increment

    Field Name: username
    Type: varchar
    Length: 30
    Default: (blank)

    Field Name: password
    Type: varchar
    Length: 32
    Default: (blank)

    Field Name: email
    Type: varchar
    Length: 100
    Default: (blank)
    ____________________________________________________________

    Now copy each of the code blocks below into a different file, naming each file as shown directly above its code.


    registeracc.php
    PHP Code:
    <?php

    mysql_connect('localhost', 'username', 'password') or die(mysql_error());
    mysql_select_db('databasename') or die(mysql_error());

    //Process
    if (isset($_POST['submit']))
    {
        $myUsername = addslashes( $_POST['username'] ); //prevents types of SQL injection
        $myPassword = $_POST['password'];
        $myEmail = $_POST['email'];

        $newpass = md5($myPassword); //This will make your password encrypted into md5, a high security hash

        $sql = mysql_query( "INSERT INTO users (`id`, `username`, `password`, `email`) VALUES ('', '$myUsername', '$newpass', '$myEmail')" ) or die( mysql_error() );

        die( "You have registered for an account.<br><br>Go to <a href=\"login.html\">Login</a>" );
    }

    echo "Register an account by filling in the needed information below.<br><br>";
    echo '<form action="registeracc.php" method="post">';
    echo '<table><tr><td>';
    echo "<b>Username:</b></td><td><input type='text' style='background-color:#999999; font-weight:bold;' name='username' maxlength='15' value=''></td></tr>";
    echo "<tr><td><b>Password:</b></td><td><input type='password' style='background-color:#999999; font-weight:bold;' name='password' maxlength='15' value=''></td></tr>";
    echo "<tr><td><b>Email Address:</b></td><td><input type='text' style='background-color:#999999; font-weight:bold;' name='email' maxlength='100' value=''></td></tr></table>";
    echo "<input type='submit' name='submit' value='Register Account'></form>";
    ?>

    login.html
    Code:
    <html><head>
    <link href="default.css" rel="stylesheet" type="text/css" />
    </head><body bgcolor="tan">
    <center><h2>Administrator Control Panel</h2></center><br><br>
    
    <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#FFFFFF">
    <tr>
    <form name="form1" method="post" action="checklogin.php">
    <td>
    <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="tan">
    <tr>
    <td colspan="3"><strong>Administrator Login </strong></td>
    </tr>
    <tr>
    <td width="78">Username</td>
    <td width="6">:</td>
    <td width="294"><input name="myusername" type="text" id="myusername"></td>
    </tr>
    <tr>
    <td>Password</td>
    <td>:</td>
    <td><input name="mypassword" type="password" id="mypassword"></td>
    </tr>
    <tr>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
    <td><input type="submit" name="Submit" value="Login"></td>
    </tr>
    </table>
    </td>
    </form>
    </tr>
    </table>
    <center>
    <br><br>Return to <a href="index.html"><b>Website</b></a>
    </center>
    </body></html>

    checklogin.php
    PHP Code:
    <?php
    ini_set("display_errors", "1");
    error_reporting(E_ALL);

    ob_start();
    session_start();
    $host = "localhost"; // Host name
    $username = "username"; // Database username
    $password = "password"; // Database password
    $db_name = "databasename"; // Database name
    $tbl_name = "users"; // Table name

    // This will connect you to your database
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db_name") or die("cannot select DB");

    // Defining your login details into variables
    $myusername = $_POST['myusername'];
    $mypassword = $_POST['mypassword'];
    $encrypted_mypassword = md5($mypassword); //MD5 Hash for security
    // MySQL injection protections
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);

    $sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'" or die(mysql_error());
    $result = mysql_query($sql) or die(mysql_error());

    // Checking table row
    $count = mysql_num_rows($result);
    // If username and password is a match, the count will be 1

    if($count == 1){
        // If everything checks out, you will now be forwarded to admin.php
        $user = mysql_fetch_assoc($result);

        $_SESSION['user_id'] = $user['id'];
        header("location:admin.php");
    }
    //If the username or password is wrong, you will receive this message below.
    else {
        echo "Wrong Username or Password<br><br>Return to <a href=\"login.php\">login</a>";
    }

    ob_end_flush();

    ?>

    logout.php
    PHP Code:
    <?php
    session_start();
    session_destroy();
    ?>
    You have successfully logged out of the control panel.<br><br><br>
    Return to <a href="login.html">Login</a>

    admin.php
    PHP Code:
    <?php
    mysql_connect('localhost', 'username', 'password') or die(mysql_error());
    mysql_select_db('databasename') or die(mysql_error());

    session_start();
    //If your session isn't valid, it returns you to the login screen for protection
    if(empty($_SESSION['user_id'])){
        header("location:login.html");
    }
    ?>
    <head>
    <link href="default.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <?php

    if (isset($_GET["x"])) {
        $x = explode(":", $_GET["x"]);

        switch($x[0])
        {
            case 'next':
                next();
            break;
        }
    }
    else {
        start();
    }

    //Main Admin Homepage
    function start()
    {
        echo '<div id="fulladmin">';
        echo '<div id="adminleft">';
        //Add a function and change this line to it.
        echo '<br><center><a href="admin.php?x=next"><font color=white>Test Page</font></a></center><br></div>';

        echo '<div id="adminright"><center><h1>Administrator Control Panel</h1><br><br>';
        echo 'Welcome to your control panel. Click a link on the left side to continue.<br><br>';
        echo '</center></div></div>';
    }

    //A Blank second page
    function next()
    {
        echo '<div id="fulladmin">';
        echo '<div id="adminleft">';
        //Add a function and change this line to it.
        echo '<br><center><a href="admin.php?x=next"><font color=white>Test Page</font></a></center><br></div>';

        echo '<div id="adminright"><center><h1>Administrator Control Panel</h1><br><br>';
        echo 'This is the second page.<br><br>';
        echo '</center></div></div>';
    }

    ?>
    <div id="adminright"><center><br><br><br><br>Return to main <a href="admin.php"><font color="red">Control Panel</font></a>, or you can <a href="logout.php"><font color="red">Log Out</font></a></center></div>
    </body>

    default.css
    Code:
    body {
        background-image: url(images/bg.jpg);
        text-align: justify;
        font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
        font-size: small;
        text-align: justify;
        color: #555E4F;
    }

    h1, h2, h3, h4, h5 {
        margin: 0;
        text-align: center;
        color: black;
    }

    a {
        color: #666666;
        text-decoration: none;
    }

    a:hover {
        color: #555E4F;
        text-decoration: none;
    }

    input[type="text"]
    {
        background-color: #CDBA96;
    }

    input[type="password"]
    {
        background-color: #CDBA96;
    }

    #fulladmin {
        width: 100%;
        height: 100%;
    }

    #adminleft {
        float: left;
        width: 20%;
        text-transform: uppercase;
        font-weight: bold;
        font-size: 14px;
        color: #323B2E;
        background-color: #555E4F;
    }

    #adminright {
        float: right;
        width: 80%;
        background-color: #CDCD96;
    }

    __________________________________________________________

    Now just go to registeracc.php in your browser and type in your details and submit. Then go to the login page, put it in, and you will be taken into the administrator control panel, which you need to make custom.

    Oh and also in the PHP files, put your username, password, and database name in all of those.
    Last edited by masterofollies; 06-30-2009 at 08:27 PM.
    Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Why not use mysql_real_escape_string in registeracc.php for the username? md5 with salting would be better to use for the passwords. This isn't quite right
    PHP Code:
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'" or die(mysql_error());
    $result=mysql_query($sql); 
    It should be
    PHP Code:
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
    $result=mysql_query($sql) or die(mysql_error()); 
    Although in a site that is out of development, errors shouldn't be displayed as they can be security risks. Why the need for the output buffer on checklogin? That's normally used if you want to send headers after you've written content to the page. Also how do you determine if the user is an admin or not, or is the script simply meant as a login for an administrator and no other users?
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #3
    Senior Coder
    Join Date
    May 2005
    Posts
    2,137
    Thanks
    96
    Thanked 72 Times in 72 Posts
    I am sorry that the script isn't up to your standards. As stated it is a simple admin login script, and it does work. Also I said the code is a bit messy.

    If someone wishes to figure out if they are admins or regular users, you put the following field in your users table.

    Field Name: authlevel
    Type: smallint
    Length: 1
    Default: 0

    If you are admin, change it to a 1, all others would be 0.

    This is for administrators only, so there would not be any other users in it. If you wish to build a multi-user control panel, then yes, authlevel is required.
    Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?

  • #4
    Senior Coder kbluhm's Avatar
    Join Date
    Apr 2007
    Location
    Philadelphia, PA, USA
    Posts
    1,509
    Thanks
    3
    Thanked 258 Times in 254 Posts
    So, it's for administrators only, with a single (zero) level of authentication... yet there is a form allowing anyone to register?

  • #5
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Quote Originally Posted by masterofollies:
    I am sorry that the script isn't up to your standards. As stated it is a simple admin login script, and it does work. Also I said the code is a bit messy.
    I wouldn't have said anything if you had pointed out the security issues to begin with, which you should have done according to the posting guidelines for this particular forum.

    http://www.codingforums.com/showthread.php?t=71868

    I don't think a user of the forums should come on here, use something that is insecure but not know because no one told them, and then have their site get hacked or something.
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • #6
    Senior Coder
    Join Date
    May 2005
    Posts
    2,137
    Thanks
    96
    Thanked 72 Times in 72 Posts
    @kbluhm, I forgot to mention. Please delete the registeracc.php when you are done creating users. It's a good idea to keep a copy on your computer in case you need it again.

    @Aero, there is nothing unsafe about it; this is secure. Once registeracc.php is deleted, why would you need to add an extra 1,000 lines of security? It's simply for creating your admin accounts and going bye bye. The person who uploads the script is the only person who knows about it.

    If it wasn't secure I wouldn't have posted it.
    Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?

  • #7
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,861
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    Blog Entries
    1
    If it's for a single user, then an http authentication would be much easier to implement.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #8
    Senior Coder
    Join Date
    May 2005
    Posts
    2,137
    Thanks
    96
    Thanked 72 Times in 72 Posts
    That blocks the whole website from being viewed, this is only for the admin control panel.
    Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?

  • #9
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,861
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    Blog Entries
    1
    That blocks the whole website from being viewed
    No. Just include something like the following at the top of the pages that need to be protected.
    PHP Code:
    <?php
    if ($PHP_AUTH_USER != "mysuser"
       or $PHP_AUTH_PW != "mypass"):

        // Bad or no username/password.
        // Send HTTP 401 error to make the
        // browser prompt the user.
        header("WWW-Authenticate: " .
               "Basic realm=\"Protected Page: " .
               "Enter your username and password " .
               "for access.\"");
        header("HTTP/1.0 401 Unauthorized");

        // Display message if user cancels dialog
    ?>
    Last edited by abduraooft; 07-01-2009 at 04:37 PM.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)
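As an added example (not from the thread or from abduraooft's post), here is the same HTTP Basic check written for a PHP without register_globals, so the credentials come from $_SERVER rather than a bare $PHP_AUTH_USER variable. It is included at the top of admin.php only, so login.html and the rest of the site stay open as post #8 wants; the user name, the hash placeholder and the realm text are assumptions.

```php
<?php
// Added example, not the thread's code: HTTP Basic auth for admin.php only.
// Assumes HTTPS (Basic auth sends the password base64-encoded, not encrypted)
// and a hash you generated once with password_hash('yourpass', PASSWORD_DEFAULT).

declare(strict_types=1);

// Placeholder values: replace with your own user name and password_hash() output.
const ADMIN_USER = 'mysuser';
const ADMIN_HASH = '$2y$10$REPLACE_WITH_YOUR_OWN_HASH_FROM_PASSWORD_HASH';

function requireBasicAuth(string $realm = 'Protected Page'): void
{
    // Populated by PHP from the Authorization header; absent on the first visit.
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    // hash_equals avoids leaking the user name through a timing difference;
    // password_verify checks the password against the stored salted hash.
    $ok = hash_equals(ADMIN_USER, $user) && password_verify($pass, ADMIN_HASH);

    if (!$ok) {
        // 401 plus WWW-Authenticate makes the browser show the login dialog.
        // The body below is what the user sees after cancelling it.
        header('WWW-Authenticate: Basic realm="' . $realm . '", charset="UTF-8"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required.';
        exit; // nothing past this point runs for an unauthenticated client
    }
}

requireBasicAuth();
// ... the rest of admin.php follows here
```

Under CGI/FastCGI PHP, $_SERVER['PHP_AUTH_USER'] is only filled in when the web server is configured to pass the Authorization header through, so confirm it on a test page before relying on it.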

  • #10
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,079
    Thanks
    2
    Thanked 320 Times in 312 Posts
    next() is a php built in function since php4. The following function definition in admin.php produces a fatal runtime error and prevents admin.php from working -

    function next()


    There is also a link in checklogin.php to login.php. login.php does not exist.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #11
    Senior Coder
    Join Date
    May 2005
    Posts
    2,137
    Thanks
    96
    Thanked 72 Times in 72 Posts
    Delete this whole topic
    Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?

  • #12
    WA
    WA is offline
    Administrator
    Join Date
    Mar 2002
    Posts
    2,596
    Thanks
    2
    Thanked 19 Times in 18 Posts
    masterofollies, since there are other people's replies added to this thread already, I can't delete the thread. If there's personal or sensitive info you need help editing out, let me know.
    - George
    - JavaScript Kit- JavaScript tutorials and 400+ scripts!
    - JavaScript Reference- JavaScript reference you can relate to.

  • #13
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    Quote Originally Posted by masterofollies:
    @Aero, There is nothing unsafe about it, this is secure, once registeracc.php is deleted, why would you need to add an extra 1,000 lines of security?

    If it wasn't secure I wouldn't have posted it.
    If for whatever reason someone found the admin page then it would be a security risk. Addslashes does not prevent all mysql injection. mysql_real_escape_string does. That is what it was designed to do.

    http://shiflett.org/blog/2006/jan/ad...-escape-string
    ||||If you are getting paid to do a job, don't ask for help on it!||||
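Post #2 suggests mysql_real_escape_string plus a salted md5, and post #13 points out that addslashes is not an injection defence. As an added example (not code from the thread), here are the registeracc.php insert and the checklogin.php lookup rebuilt with PDO prepared statements and password_hash, which covers both points at once; it assumes PDO with the MySQL driver, the thread's users table with the password column widened to VARCHAR(255), and the same placeholder credentials the thread uses.

```php
<?php
// Added example, not the thread's code. The thread's mysql_* calls are replaced
// by PDO; the `users` table is the one from post #1, except that `password`
// must be VARCHAR(255) so that password_hash() output (60+ chars) fits.

declare(strict_types=1);

function connect(): PDO
{
    // Placeholder credentials, exactly as the thread tells you to fill in.
    $pdo = new PDO('mysql:host=localhost;dbname=databasename;charset=utf8mb4',
                   'username', 'password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares: user input never becomes part of the SQL text,
    // so neither addslashes nor mysql_real_escape_string is needed.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// registeracc.php: the INSERT with placeholders instead of string interpolation.
function registerUser(PDO $pdo, string $username, string $password, string $email): void
{
    // password_hash picks a random per-user salt and stores it inside the hash,
    // which is the "md5 with salting" idea done with a slow, salted algorithm.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, email) VALUES (:u, :p, :e)');
    $stmt->execute([':u' => $username, ':p' => $hash, ':e' => $email]);
}

// checklogin.php: look the user up by name only, then verify the hash in PHP
// rather than comparing a hash inside the WHERE clause.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same answer for unknown user and wrong password
    }
    return (int) $row['id'];
}

// Usage, as it would sit in checklogin.php:
session_start();
$userId = authenticate(connect(), $_POST['myusername'] ?? '', $_POST['mypassword'] ?? '');
if ($userId === null) {
    echo 'Wrong Username or Password<br><br>Return to <a href="login.html">login</a>';
    exit;
}
session_regenerate_id(true); // fresh session id once the user is authenticated
$_SESSION['user_id'] = $userId;
header('Location: admin.php');
exit; // do not let anything run after the redirect
```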

  • #14
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,079
    Thanks
    2
    Thanked 320 Times in 312 Posts
    Since we are discussing security problems, the lines of code being used for security in admin.php, or any other page the following three lines of code are used on -

    PHP Code:
    if(empty($_SESSION['user_id'])){
        header("location:login.html");
    }
    don't provide any security for the remainder of the code on the page. Without an exit/die statement or an else {} conditional statement, the remainder of the code is still executed and a hacker can access any form or form processing code protected by those three lines of code. Why, you might ask? A header() redirect is executed by a browser. All you have to do is ignore the redirect, which most bot scripts do by default.

    How to test this? Execute the Example 1 code found at the following php.net link, modified with the URL of a protected page, without being logged in, then look in the file that is produced and you will see that the remainder of the code on the page was executed -
    http://us2.php.net/manual/en/curl.examples-basic.php

    Every header() redirect must do something to prevent the remainder of the code on the page from being executed. An exit/die is the simplest way. You can also use an else {} around the remainder of the code on the page.
    Last edited by CFMaBiSmAd; 07-01-2009 at 08:17 PM.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
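Two added pieces (not from the thread) to go with this post: the admin.php guard rewritten so that nothing after the redirect runs, and a small self-check that fetches one of your own protected pages the way the curl test above does, ignoring the redirect, and reports whether protected content still came back. The URL and the marker string in the usage line are assumptions for your own deployment.

```php
<?php
// Added example, not the thread's code.
// Part 1: the session guard from admin.php with the exit that the post says
//         is missing. Part 2: a check you run against your own pages.

declare(strict_types=1);

// --- Part 1: first thing in admin.php and every other protected page.
function requireLogin(string $loginPage = 'login.html'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        // A Location header is only a request to the client. The exit is
        // what actually stops the rest of the page from being produced.
        header('Location: ' . $loginPage, true, 302);
        exit;
    }
}

// --- Part 2: fetch a protected URL as an anonymous client that does not
// follow redirects, and report whether the page still sent its content.
// $marker is text that only appears in the protected part of the page,
// for example '<div id="adminright">' from the thread's admin.php.
function redirectLeaksBody(string $url, string $marker): bool
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // ignore the redirect, as a bot would
        CURLOPT_HEADER         => false,
    ]);
    $body = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('request to ' . $url . ' failed');
    }
    // A correct guard answers 302 with an empty body. A 302 whose body still
    // contains the marker means the code after header() kept on running.
    return $status === 302 && strpos($body, $marker) !== false;
}

// Usage (hypothetical URL for your own test deployment):
// var_dump(redirectLeaksBody('http://localhost/admin.php', '<div id="adminright">'));
```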


  • #15
    Senior Coder
    Join Date
    May 2005
    Posts
    2,137
    Thanks
    96
    Thanked 72 Times in 72 Posts
    Again, I want all of this deleted, don't want my scripts on this forum.
    Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?

