Is this a secure password script?
Old 10-09-2005, 05:04 AM Is this a secure password script?
Skorch's Avatar
I am writing a script and was wondering: if I used this code, would the page be inaccessible to unauthorized visitors?

It uses two sign-in pages.
The first page (signin.php) is a form requesting name and password. The action is set to a different page (allow.php) and then a secure page (securepage.php) in a subfolder called Admin.

signin.php
HTML Code:
<form action="allow.php" method="post">
<!-- "form_id" is a hypothetical field name; a hidden input needs a name to be submitted -->
<input type="hidden" name="form_id" value="62">
<input type="text" value="Name is" name="name">
<input type="password" value="password is" name="pass">
</form>
end signin.php
File=allow.php
PHP Code:
// check the hidden form value ("form_id" is a hypothetical field name)
if (isset($_POST['form_id']) && $_POST['form_id'] == 62) {
    // RUN SQL STATEMENT
    if ($user_in_db) { // placeholder: true when the user is in db records
        echo '<meta http-equiv="refresh" content="5;http://mysite.com/Admin/securepage.php">';
    } else {
        echo 'Invalid sign-in <a href="signin.php">here</a>';
    }
} else {
    // this section code should be executed if my form wasn't filled out previously
    echo 'Please sign in <a href="signin.php"> Here</a>';
}
end allow.php

file=secure.php
PHP Code:
<?php
$page = 'http://mysite.com/allow.php';
// PHP exposes the Referer header as HTTP_REFERER (one R)
if ($_SERVER['HTTP_REFERER'] != $page) {
    echo '<meta http-equiv="refresh" content="1;http://mysite.com">';
} else {
    // load requested page
}

// then on every other page in my admin folder

$page = 'http://mysite.com/Admin/*';
if ($_SERVER['HTTP_REFERER'] != $page) {
    echo '<meta http-equiv="refresh" content="1;http://mysite.com">';
} else {
    // load requested page
}
?>
Old 10-09-2005, 06:43 AM
stOx's Avatar
The obvious problem I see is the use of the referrer to check where people have come from.
It causes two problems: the referrer can be faked easily, and some security software prevents people's browsers from sending the referrer.
So some people who are allowed to view the page will be prevented from seeing it because their browser hasn't sent the referrer.

Something simple would be just to have a form post to a PHP page and then do...
PHP Code:
<?php

// password submitted by the form
$posted_pass = $_POST['password'];

if ($posted_pass == "a-password")
{
    echo "Contents of the page";
}
else
{
    echo "Wrong password fool";
}
?>
Old 10-09-2005, 06:19 PM
asm
Hmmm... the part that stands out to me is that there is no checking for special characters such as ' " + ; that can be used to attack your database. All posted data should be thoroughly checked before going into the database.
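Added example, not part of any post in this thread: one way to address both points raised in the replies, the spoofable referrer check and the unchecked special characters, using a server-side session flag and a bound SQL parameter. The table layout, the sample user and the function names are assumptions; an in-memory SQLite database and a plain array stand in for the real database and $_SESSION.

```php
<?php
// Added example; table layout, sample user and function names are constructed.
declare(strict_types=1);

// In-memory SQLite stands in for the site's real user database.
function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
    $ins->execute(['skorch', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);
    return $db;
}

// allow.php: the posted name is bound as a parameter, so characters such as
// ' " + ; are treated as data and never become part of the SQL text.
function sign_in(PDO $db, array &$session, string $name, string $pass): bool {
    $q = $db->prepare('SELECT pass_hash FROM users WHERE name = ?');
    $q->execute([$name]);
    $hash = $q->fetchColumn();
    if ($hash === false || !password_verify($pass, (string) $hash)) {
        return false;
    }
    // Server-side state. On a real page: session_start(), then
    // session_regenerate_id(true) before writing to $_SESSION.
    $session['user'] = $name;
    return true;
}

// Top of every page under Admin/: decide from session state only. The Referer
// header is sent by the client and is not consulted.
function may_view_admin(array $session): bool {
    return isset($session['user']);
}

$db = open_demo_db();
$session = [];  // stands in for $_SESSION

// Constructed requests: a visitor who never signed in, a name with quote
// characters, a wrong password, then the valid sign-in.
var_dump(may_view_admin($session));
var_dump(sign_in($db, $session, "x' OR '1'='1", 'anything'));
var_dump(sign_in($db, $session, 'skorch', 'wrong'));
var_dump(sign_in($db, $session, 'skorch', 'constructed-demo-password'));
var_dump(may_view_admin($session));
```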
 