Alright, first let's have a look at what you have right there. Worry about the database later.
PHP Code:
//Check to see if somebody logged in, yeah?//
if (isset($_POST)) {
$un = $_POST['username'];
$pass = $_POST['password'];
}
So right now any user that sends a post to this page will get the part above. So for good practice you'll want to check to make sure that both the $_POST['username'] and $_POST['password'] isset() in that if statement.
If those two aren't set, you're going to get notices from PHP when calling them up VIA POST. Next..
PHP Code:
//Change this to your username and password
if ($un == Username && $pass == Password) {
setcookie ('user');
header('Location: /admin/index.php');
}
I'd put the username and password in quotes when doing your comparisons. Makes for an easier life in general. If the 'login' is successful you set a cookie 'user' and redirect the user to /admin/index.php. Because no expiration time isset on the cookie, it will expire when the cookie is removed by your script, by the user manually, or when the browser closes. To remedy this, simply give an expiration to the cookie. (Syntax may be found here
setcookie)
PHP Code:
elseif(isset($_COOKIE['user'])){
header('Location: /admin/index.php');
}
Now I'm not entirely sure why this is here. Basically all it's doing is catching everyone that fails the username/password test (or who did not post to the page) but has a cookie 'user' set and sends them to the /admin/index.php page. You have to remember that a malicious end-user can set,modify and delete their own cookies. So if they logged in once they'll know what they need to do to get back in if they look at their cookies. (or just randomly set a user cookie). Either way, I wouldn't leave it to cookies for security.
Also, if a user enters in an incorrect password or just goes straight to this page, they receive a blank screen. Why? Because this script isn't handling what happens to them if they don't match the username/password and not have a cookie 'user' set.
So this is what I would do on a database independent login_process.php script:
Username / Password : reid / workman
PHP Code:
// Set the login user here:
$login_username="reid";
$login_password="workman";
// Quick Cookie Check to see if user is logged in.
// If the cookie 'user' exists and the MD5(IP+5) matches the cookie 'user'
// Then jump him to the admin page.
// Explanation for MD5(IP+5) coming up..
if(isset($_COOKIE['user']) && md5($_SERVER['REMOTE_ADDR']+5)!=$_COOKIE['user']){
header('Location: /admin/index.php');
exit();
}
// Look for Posted Username and Password
if (isset($_POST['username'])&&isset($_POST['password'])) {
if ($_POST['username'] == $login_username && $pass == $login_password) {
// Set cookie 'user'
// Giving the MD5ed value of the user's IP+SomeNumber(5). This way the
// user seesgibberish and doesn't quite know what's going on here.
// Setting cookie expiration time in seconds (60s*60m*24h = 1 day)
setcookie ('user',md5($_SERVER['REMOTE_ADDR']+5),time()+60*60*24);
// Toss them to the admin page
header('Location: /admin/index.php');
// Prevent any other scripts from executing
exit();
}else{
// Login Failed - Toss back to the login page with an error.
header('Location: /login.php?error=Incorrect+username+or+password.');
exit();
}
}else{
// No Username and Password field is set
// Assuming there is a /login.php
header('Location:/login.php');
}
Then on each page that you want protected:
PHP Code:
// If no cookie 'user' isset OR
// if cookie 'user' isset and the md5(IP+5) does not match the client..
// Jump them back to Login.
if(!isset($_COOKIE['user']) || (isset($_COOKIE['user']) && md5($_SERVER['REMOTE_ADDR']+5)!=$_COOKIE['user'])){
header('Location: /login.php');
exit();
}
Hope that helps you (or someone else) understand this. I'd look around for different resources on database connections. There are TONS of resources out there to help you learn what you need and Google is going to be your best friend getting there.
Good luck!
