Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Modules
Author Message
Donovan
Client


Joined: Oct 07, 2003
Posts: 735
Location: Ohio

PostPosted: Thu Oct 06, 2005 1:14 pm Reply with quote

I am taking another look at how I have protected my private pages within my MILPACS module. Currently I have authentication being performed by NSN groups.

Code:
if (!in_groups(23)) {   

etc
etc


But there are ways to exploit this. I want to use sessions tied to a password. Here is what I have so far for my drills page and could use some advice.


Code:
OpenTable();


//show the form

?>
<td align="center" bgcolor="#777777"> <b><font color="#000000"> All soldiers are required to enter the password.</font></b></td>
<form name="drillaccess" action="<?$PHP_SELF?>" method="POST">
<div>Password: <input type="password" name="drillpass" />
<input type="hidden" name="op" value="AccessDrill"/>
<input type="submit" name="submit" value="Login" /><br>
</div>
</form>

<?php
CloseTable();
if ($op == "AccessDrill") {
// process the login
$result = $db->sql_query ("SELECT drillpass FROM " . $prefix . "_milpacs_main");
if (!$result) {
    echo("<p>Error performing query: " . mysql_error() . "</p>");
    exit();
} else {
$drillpassword = $db->sql_fetchrow($result);

}
if ($drillpassword == "drillpass") //they got it right, let's go on
{
session_start();
session_register("drillsession"); //set a variable for use later
$id = session_id(); //let's grab the session ID for those who don't have cookies
$url = "modules.php?name=MILPACS&file=viewdrill?sid=" . $id;
header($url);
}
else //the dummy got the password wrong, so tell them their an idiot. :)
{
etc
etc


Am I in the ballpark? Currently I am not using md5 or any password function. I just want to get it to work first before I add encryption.

Right now it tells me:

Code:
<td><center><h3>Password Is Invalid!<h3></center><td/>

</tr>
<tr>
<td align="center" bgcolor="#777777"> <b><font color="#000000">Access restricted to active duty soldiers only.</font></b></td>


and refreshes back to the form drillaccess.php

Any help is much appreciated.
 
View user's profile Send private message Visit poster's website ICQ Number
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Modules

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©