So I need to make the admin pages for this new site protected by login. Obviously I dont want evil-doers or terrorists adding or stealing info from my database filled with Delishious goodies.

I did a good job of creating the login, and getting an appropriate respons and re-direct with the following script:

<?php
session_start();
session_register('auth');
require_once('../Connections/$BriuyMySQLphp');
mysql_select_db($database_$BriuyMySQL, $BriuyMySQL);
$query_Recordset1 = "SELECT pass FROM password WHERE pass='$pass'";
$Recordset1 = mysql_query($query_Recordset1, $BriuyMySQL) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$num = mysql_num_rows($Recordset1);
if ($num == 1) //Login word found
{
$auth="yes";
$logname=$pass;
$today = date("Y-m-d h:m:s";
$sql = "INSERT into login (loginName,loginTime)
VALUES ('$logname', '$today')";
mysql_query($sql) or die("Cant execute Query.";
header("Location: login.htm";
}
else // Password icorrect
header("Location: private.htm";
?>


So like a happy script "auth"=yes and I get passed on to the "private.htm" with the correct login. JOY.

I was so stoked when the login worked, Imagine my dismay when I realized I could still bypass the login page to get there. I have tried to secure my admin pages with :

<?php
session_start();
if (@$auth !="yes"8
{
header("Location: index.htm";
exit();
?>

I get no error messages, no nada!, it just lets me in whether or not I logged in. FOOEY.

Am I off base? Anyone see an obvious error or omission, Is the session not really starting or is my authorization header not working? Or am I a helpless wannabe doomed to failure and shame?

Thanks for your input in advance

<?php
require_once('../Connections/$BriuyMySQLphp');
mysql_select_db($database_$BriuyMySQL, $BriuyMySQL);
$query_Recordset1 = "SELECT pass FROM password WHERE pass='$pass'";
$Recordset1 = mysql_query($query_Recordset1, $BriuyMySQL) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$num = mysql_num_rows($Recordset1);
if ($num == 1) //Login word found
{
session_start();
$_SESSION["LOGGED_IN"] = true;
$logname=$pass;
$today = date("Y-m-d h:m:s";
$sql = "INSERT into login (loginName,loginTime) VALUES ('$logname', '$today')";
mysql_query($sql) or die("Cant execute Query.";
# i assume that login.htm is a password protected page
# if not you need to rename this
header("Location: login.htm";
exit;
}
else
{ # you forgot this opening bracket!
// Password icorrect
# i assume that private.htm is your cutom error page
# if not you need to rename this
header("Location: private.htm";
exit;
} # you forgot this closing bracket!

?>

this snippet is the authentication script for the header of your password protected pages


<?php

session_start();
# you had an @ before $auth which is for surpressing function error messages
# you had an 8 after "yes" i dont know if that was a typo or what lol
# you should have had a parse error if was in your script

# if session LOGGED_IN isn't true redirect them
if (!$_SESSION["LOGGED_IN"])
{
header("Location: index.htm";
exit;
} # you forgot this closing bracket!
?>

Use of $_SESSION (or $HTTP_SESSION_VARS with PHP 4.0.6 or less) is recommended for improved security and code readablity. With $_SESSION, there is no need to use the session_register(), session_unregister(), session_is_registered() functions. Session variables are accessible like any other variables.

if those changes dont work let me know <img src=../images/dmxzone/forum/icon_smile.gif border=0 align=middle>

also, i would have done it slightly different to the way you've set your code out for example your SQL SELECT statement "SELECT pass FROM password WHERE pass='$pass'" i would have a table called login with a username column and a password column done "SELECT password from TBL_LOGIN WHERE username = '$username'" then checked to see if the password supplied from the login form matches the password taken from the table