Hey guys, I know I've been asking a lot of questions lately, but I really do appreciate all the help I've been getting from the site. I have been trying to build a secure backdoor login to my site. I wanted to have the administrator login to a part of the site that would have a unique id parameter every time he logged in so that random users could never access that part of the site.

I think the problem deals with the sessions in my code, but I'm not sure. Right now when I login it tells me that I have a redirect loop. I'm not sure how this is happening. I tried fixing it with making a for loop around the header function but it still doesn't work the way I want it to. If anybody could just point me in the right direction, I'd appreciate it so much.

PHP Code:

<?php
//Some random requires and functions were up here
session_start();
    if (isset($_POST["submit"]))
    {
        $sUser = $_POST["username"];        //Initialize with form's username
        $sPass = md5($_POST["password"]);    //Initialize with form's password
        $_SESSION['user'] = $sUser;
        $_SESSION['pass'] = $sPass;
    }
        
    if ($_SESSION['user'] == "admin")    //Check to make sure only admin can login
    {
        $sUser = $_SESSION['user'];
        
        $connect = mysql_connect($_PARAM["DatabaseServer"],$_PARAM["DatabaseUser"],$_PARAM["DatabasePass"]);    //Connect to mysql
        $selectDB = mysql_select_db($_PARAM["MainDatabase"],$connect);    //Connect to database
        
        $check = mysql_query("SELECT * FROM users WHERE username = '$sUser'");    //Select row
        if (!$check)
        {
            echo "mysql query error";    //Delete after done fixing the bugs
        }
        $INFO  = mysql_fetch_array($check);
        if (!$check)
        {
            echo "mysql fetech array error";    //Delete after done ficing the bugs
        }
        if ($_SESSION['pass'] == $INFO["password"])    //Check password with the one in the database
        {
            $sRandom = randomString(150);    //Initialize with a random string of numbers and letters, length 150
            $sLink = $_PARAM["WebsiteAddress"] . "backdoor/login.php?id=" . $sRandom;    //Create link
            for ($_SESSION['passthru'] = 0; $_SESSION['passthru'] < 1; $_SESSION['passthru']++)
            {
                header ("Location: " . $sLink);    //Redirect the page
            }
            $ID = $_GET["id"];                //Get the id
            if ($ID == $sRandom)            //Check id
            {
                echo "You've done it, and logged in!";
            } 
            else errorMessage("Sorry, an error occured");
        } 
        else errorMessage("Either the username or the password were wrong");
        
        mysql_close();
    } 
?>

My logic must be flawed somewhere, I just can't figure out where. Thanks

Could you not restrict access using access levels?

Give admin an access level of 5 and users a lower level.

I mean I could easily do that, but I already created all of the code and I feel as if something is wrong wit just one line in my code. I just don't know how to get the header to stop redirecting endlessly.

Try putting this

PHP Code:

 if ($_SESSION['user'] == "admin")    //Check to make sure only admin can login
    {
        $sUser = $_SESSION['user'];
        
        $connect = mysql_connect($_PARAM["DatabaseServer"],$_PARAM["DatabaseUser"],$_PARAM["DatabasePass"]);    //Connect to mysql
        $selectDB = mysql_select_db($_PARAM["MainDatabase"],$connect);    //Connect to database
        
        $check = mysql_query("SELECT * FROM users WHERE username = '$sUser'");    //Select row
        if (!$check)
        {
            echo "mysql query error";    //Delete after done fixing the bugs
        }
        $INFO  = mysql_fetch_array($check);
        if (!$check)
        {
            echo "mysql fetech array error";    //Delete after done ficing the bugs
        }
        if ($_SESSION['pass'] == $INFO["password"])    //Check password with the one in the database
        {
            $sRandom = randomString(150);    //Initialize with a random string of numbers and letters, length 150
            $sLink = $_PARAM["WebsiteAddress"] . "backdoor/login.php?id=" . $sRandom;    //Create link
            for ($_SESSION['passthru'] = 0; $_SESSION['passthru'] < 1; $_SESSION['passthru']++)
            {
                header ("Location: " . $sLink);    //Redirect the page
            }
            $ID = $_GET["id"];                //Get the id
            if ($ID == $sRandom)            //Check id
            {
                echo "You've done it, and logged in!";
            } 
            else errorMessage("Sorry, an error occured");
        } 
        else errorMessage("Either the username or the password were wrong");
        
        mysql_close();
    } 


within the

PHP Code:

  if (isset($_POST["submit"]))
    {
        $sUser = $_POST["username"];        //Initialize with form's username
        $sPass = md5($_POST["password"]);    //Initialize with form's password
        $_SESSION['user'] = $sUser;
        $_SESSION['pass'] = $sPass;

        // PUT CODE HERE
    } 


When you have submitted the form, are you redirecting back to the same page?

ok i fixed it, i put the if ($ID == $sRandom) statement as an else if at the end of the page. Thanks for the help though