Enhancing Security for the Admin Browser
Introduction.
We are about to make use of a $_SESSION variable to increase the likelihood that only authorized administrators can gain access to the Admin Browser and any of its supporting pages. The first thing we need to do is create a simple table in our database, called administrators, that will retain the user names and passwords of the valid admins. The first page, which you need to copy, upload and execute just once, should be called create_administrators_table.php.
```php
<html>
<head>
<title>Creating a Table in MySQL Using PHP</title>
</head>
<body>
<?php
// assign the values for database access
$host = "localhost";
$user = "your_user_name";
$password = "your_password";
$db_name = "database_name";
$table_name = "administrators";

// connecting to the database on battcave.com
// (the mysql_* extension used in these scripts was removed in PHP 7.0,
// so they run only under PHP 5)
$link = mysql_connect($host, $user, $password);
if (!$link) {
    die("Could not connect: " . mysql_error());
}

// constructing the query string
$query_string = "CREATE TABLE $table_name (admin_id MEDIUMINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, user_name VARCHAR(20) NOT NULL, password VARCHAR(16) NOT NULL)";

// executing the query and reporting the result
if (mysql_db_query($db_name, $query_string, $link)) {
    echo "Table $table_name created.";
} else {
    echo "Could not create table: " . mysql_error();
}
mysql_close($link);
?>
</body>
</html>
```
After you have executed this you can enter whatever user_names and passwords you would like. I have entered the following.
You should do something similar for when you turn in your links for me to test. That way you don't have to remember to send me usernames and passwords. Now we need to construct the very simple login form, which will be called admin_login.html.
```html
<html>
<head>
<title>Form for Validating an Administrator</title>
</head>
<body bgcolor="#00bbdd" text="#004466" link="#004466" vlink="#007799">
<h2>Login Form for Administrators</h2>
<form action="check_login.php" method="post">
<table>
<tr>
<td><font size="4" color="#004466">Username:</font></td>
<td><input type="text" name="txt_username" size="20"></td>
</tr>
<tr>
<td><font size="4" color="#004466">Password:</font></td>
<!-- type="password" so the password is masked on screen instead of shown in clear -->
<td><input type="password" name="txt_password" size="20"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td></td>
</tr>
<tr>
<td colspan="2" align="center"><input type="submit" name="submit" value="submit"></td>
</tr>
</table>
</form>
</body>
</html>
```
This form should look like the following.
The processing script for this login needs to
The following is check_login.php.
```php
<?php
session_start();

// assign the values for database access
$host = "localhost";
$user = "your_user_name";
$password = "your_password";
$db_name = "database_name";
$table_name = "administrators";

// read the form fields explicitly; relying on register_globals to turn them
// into $txt_username and $txt_password no longer works (removed in PHP 5.4)
$txt_username = isset($_POST['txt_username']) ? $_POST['txt_username'] : '';
$txt_password = isset($_POST['txt_password']) ? $_POST['txt_password'] : '';

// connecting to the database on battcave.com
$link = mysql_connect($host, $user, $password);
if (!$link) {
    die("Could not connect: " . mysql_error());
}

// escape the form values before placing them in the query; without this a
// user name of  ' OR '1'='1  makes the WHERE clause true for every row
$txt_username = mysql_real_escape_string($txt_username, $link);
$txt_password = mysql_real_escape_string($txt_password, $link);

// constructing the query string (note that passwords are stored and
// compared in plain text here)
$query_string = "SELECT * FROM $table_name WHERE (user_name = '$txt_username' AND password = '$txt_password')";

// executing the query and returning the results
$result_set = mysql_db_query($db_name, $query_string, $link);
if (mysql_num_rows($result_set) > 0) {
    // mark this session as an administrator's and go on to the Admin Browser
    // (put the file name of your Admin Browser page here)
    $_SESSION['valid_admin'] = 'valid';
    header("Location: admin_browser.php");
    exit;
} else {
    // not a valid administrator: back to the login form
    header("Location: admin_login.html");
    exit;
}
?>
```
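Escaping patches the injection but still leaves the passwords in plain text in the table. The following is an added example, not code from the original page, of how the same check_login.php looks when written with prepared statements and hashed passwords. It assumes PHP 7.4 or later with the mysqli extension, that the password column has been widened (ALTER TABLE administrators MODIFY password VARCHAR(255) NOT NULL) so it can hold a password_hash() result, and that the Admin Browser's first page is called admin_browser.php; none of these come from the original page. The user name is bound as a parameter rather than spliced into the query text, so ' OR '1'='1 is compared literally and matches nothing; passwords are checked with password_verify() against the stored hash; and the session id is regenerated on login so a session id fixed before authentication does not become the one carrying admin rights.

```php
<?php
// Added example, not part of the original tutorial: a hardened check_login.php.
// Assumed (none of it from the original page): PHP 7.4+ with mysqli, an
// administrators table whose password column is VARCHAR(255) holding
// password_hash() output, and admin_browser.php as the protected landing page.
declare(strict_types=1);

session_start();

$host = "localhost";
$user = "your_user_name";
$password = "your_password";
$db_name = "database_name";

// Throw exceptions on MySQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($host, $user, $password, $db_name);
$db->set_charset('utf8mb4');

// Insert an administrator with a salted, slow hash rather than the plain text.
// Run once per admin from a setup script, not on every login.
function create_admin(mysqli $db, string $name, string $plain): void
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO administrators (user_name, password) VALUES (?, ?)");
    $stmt->bind_param('ss', $name, $hash);
    $stmt->execute();
    $stmt->close();
}

// Look up the stored hash for a user name. The name is bound as a parameter,
// so input like  ' OR '1'='1  is compared literally and matches no row.
function stored_hash_for(mysqli $db, string $name): ?string
{
    $stmt = $db->prepare("SELECT password FROM administrators WHERE user_name = ?");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $hash = null;
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null;
}

// A form field is a string only if the client sent it as one; a request with
// txt_username[]=x would otherwise hand an array to the typed functions above.
function post_string(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

$submitted_name = post_string('txt_username');
$submitted_password = post_string('txt_password');

$hash = stored_hash_for($db, $submitted_name);
// Unknown user and wrong password end in the same redirect, so the form does
// not reveal which user names exist.
$ok = $hash !== null && password_verify($submitted_password, $hash);

if (!$ok) {
    header("Location: admin_login.html");
    exit;
}

// Fresh session id at the moment privileges change, so an id planted before
// authentication (session fixation) is not the one that now carries admin rights.
session_regenerate_id(true);
$_SESSION['valid_admin'] = 'valid';
$_SESSION['admin_name'] = $submitted_name;
header("Location: admin_browser.php");
exit;
```

The create_admin() function replaces typing plain-text passwords into the table by hand: call it once per administrator from a setup script, after which the original column width of 16 characters would have silently truncated the 60-character bcrypt string, which is why the column has to be widened first.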
The last thing we need to do is develop the code that will be included in all of the other pages in the web to redirect any user who tries to go directly to a page back to the login form. This way, everyone needs to have logged in during the current session. You should call the file valid_user.php.
```php
<?php
session_start();

// checking to make sure the admin has logged in; anyone arriving without the
// session flag set by check_login.php is sent back to the login form
if (!isset($_SESSION['valid_admin']) || $_SESSION['valid_admin'] != 'valid') {
    header("Location: admin_login.html");
    // stop here: without exit the rest of the protected page would still be
    // sent to a client that simply ignores the redirect header
    exit;
}
?>
```
The file is pulled into each PHP page with the following command: include("valid_user.php"); This command should be placed at the very beginning of all the other files, before any HTML output, since the redirect header cannot be sent once output has started.
Include files must be written so that their PHP code is delimited. Whatever is included from another file is treated as HTML unless it is delimited as PHP, with <?php and ?> tags, within the included file. While there are other options to get this include
The distinctions between them are unimportant at this juncture.