08-27-2005, 12:05 PM   #1
superbeastie
Help making a login script more secure

OK, I am helping a friend who is the leader of a clan in an online game. I am making some scripts to make life easier for him; the ones I am doing at the moment are to view applications from a database, and he can then choose accepted, failed etc.

Anyway, I have created a simple login for him which lets him gain access, but everyone else won't gain access, so what I want to know is how I can make it more secure (I don't want an overly complex way, as it's nothing that big).

Code:
<?php
header( 'HTTP/1.0 401 Unauthorized' );
header( 'WWW-Authenticate: Basic realm="Applications"' ); 
//start session
session_start();

// connect to the mysql server
$conn = @mysql_connect("tom","****","harry")
or die ("Could not connect to mysql table");

// select the database
$rs=@mysql_select_db("tom",$conn)
or die ("Could not select database");

//create query
$sql="select * from adminuser where admin='$PHP_AUTH_USER' and password='$PHP_AUTH_PW'";


$rs=mysql_query($sql,$conn) or die(mysql_error());
//if ok

if($rs && mysql_num_rows($rs))
{
$_SESSION['username'] = $PHP_AUTH_USER;
header("Location:appmain.php");
}
else
{
echo"Incorrect Password";
}
?>
On a side note, on "admin pages", if a user tries to view it, I set it so it echoes the exact same code as the site's 404 page (to make it look like the page does not exist). Do you think that 404 trick is good?
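
Added example, not part of the original post: a hardened form of the login above that binds the username as a query parameter, verifies a stored hash instead of comparing plaintext in SQL, and sends the 401 challenge only when authentication fails. The table and column names follow the post; the function names `check_login` and `require_login`, the `password_hash()` storage, the MySQL DSN and the demo row are assumptions.

```php
<?php
// Added example: hardened form of the login check. Table/column names follow the
// post; the DSN, the password_hash() storage and the demo row are assumptions.
declare(strict_types=1);

function check_login(PDO $db, string $user, string $pass): bool
{
    // The placeholder keeps the username out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password FROM adminuser WHERE admin = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // Assumes the password column stores password_hash() output, not plaintext.
    return is_string($hash) && password_verify($pass, $hash);
}

function require_login(PDO $db): void
{
    // Read credentials from $_SERVER; do not rely on register_globals.
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if (!is_string($user) || !is_string($pass) || !check_login($db, $user, $pass)) {
        // Challenge only on failure, with no database error details in the body.
        header('WWW-Authenticate: Basic realm="Applications"');
        http_response_code(401);
        exit('Authentication required');
    }
    session_start();
    session_regenerate_id(true);   // issue a new session id after login
    $_SESSION['username'] = $user;
    header('Location: appmain.php');
    exit;                          // stop executing after the redirect
}

if (PHP_SAPI === 'cli') {
    // Constructed demo data in an in-memory SQLite database so this runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE adminuser (admin TEXT PRIMARY KEY, password TEXT)');
    $db->prepare('INSERT INTO adminuser VALUES (?, ?)')
       ->execute(['leader', password_hash('constructed-demo-pw', PASSWORD_DEFAULT)]);
    var_dump(check_login($db, 'leader', 'constructed-demo-pw')); // valid login
    var_dump(check_login($db, 'leader', 'wrong'));               // wrong password
    var_dump(check_login($db, "o'brien", 'x'));                  // quote in name is plain data
} else {
    // Assumed MySQL DSN and credentials; replace with the site's own.
    require_login(new PDO('mysql:host=localhost;dbname=clan', 'dbuser', 'dbpass'));
}
```

Basic authentication resends the password with every request, so the page should be served over HTTPS only.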