Mombu the Php Forum > Php > how to not show login info in the url ...what am I looking for?
#1 webdev.terion, 26th May 01:27

So I have this login information passing parameters in the URL to the next
page (this is on an intranet app), which I thought was no big deal until a
wisecrack graphics guy decided to hack it because he could, by changing the
?adminID= until he got one that worked. He didn't do anything except alert
my boss, so now I have to hide this info. How does one do this? Once again, I
am not a programmer; I just inherited the job... and the code...
Here is the login page code:

<?php
session_start(); // must run before $_SESSION is touched (was missing)

if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else
{$UserName = '';}
if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else
{$Password = '';}

$msg = '';

if (!empty($UserName)) {

// Assumes the mysql connection is already open (e.g. from an included file).
// The submitted values are escaped here; the original interpolated them raw,
// which lets a crafted UserName rewrite the query (SQL injection).
$sql = "SELECT * FROM admin WHERE UserName='". mysql_real_escape_string($UserName) ."' and
Password='". mysql_real_escape_string($Password) ."'";
$result = mysql_query ($sql);
$row = mysql_fetch_object ($result);

if (mysql_num_rows($result) > 0) {
$_SESSION['AdminLogin'] = "OK";
// This is the AdminID in the URL that anyone can edit (the problem above).
header ("Location: Main.php?AdminID=". $row->AdminID);
exit; // stop here, otherwise the login page is still sent after the redirect
} else {
$msg = "Invalid Login";
}
}

?>

<HTML>

<HEAD>
<TITLE>Work Order System - Administrative Section</TITLE>
<LINK REL="STYLESHEET" HREF="inc/style.css">
<script language="JavaScript">
<!--
function leftTrim(sString) {
while (sString.substring(0,1) == ' ') {
sString = sString.substring(1, sString.length);
}
return sString;
}

function chkData1(objForm) {

objForm.UserName.value = leftTrim(objForm.UserName.value);
if (objForm.UserName.value.length == 0) {
alert("Please enter your User Name.");
objForm.UserName.focus(); // the form has no Email field; focus the UserName box
return false;
}

objForm.Password.value = leftTrim(objForm.Password.value);
if (objForm.Password.value.length == 0) {
alert("Please enter your Password.");
objForm.Password.focus();
objForm.Password.select();
return false;
}
return true;
}

//-->
</script>

</HEAD>

<BODY LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">
<TABLE WIDTH="780" BORDER="0" CELLSPACING="0" CELLPADDING="0">

<TR>
<TD>&nbsp;</TD>
</TR>
<TR>
<TD ALIGN="CENTER"><B>Work Order System - Administrative
Section</B><BR><BR></TD>
</TR>
<TR>
<TD>
<?php
if (!empty($msg)){
echo "<div class=\"cl_Error\">". $msg ."</div>";
}
?>

<form name="form1" method="post" action="Index.php" onSubmit="return
chkData1(this)">
<TABLE WIDTH="300" BORDER="0" CELLSPACING="0" CELLPADDING="2" ALIGN="center"
bgcolor="#CCCCCC">
<TR>
<TD HEIGHT="22"><div class="admin_Main">Username:</div></TD>
<TD HEIGHT="22"> <INPUT TYPE="text" NAME="UserName"></TD>
</TR>
<TR>
<TD><div class="admin_Main">Password:</div></TD>
<TD><INPUT TYPE="password" NAME="Password"></TD>
</TR>
<TR>
<TD colspan="2" align="center"><INPUT TYPE="submit" VALUE="Login">
</TD>
</TR>
</TABLE>
</form>
<BR>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>

Thanks guys and gals!
#2 ash, 26th May 01:28

You shouldn't be passing info like that over the URL; use sessions
instead.

I saw a shopping cart system once that passed the price of items over
the URL, and when I found out and alerted them, we won the contract for
a rebuild and then got accused of hacking by their previous web guys
(who incidentally built the system!)


Ash
http://www.ashleysheridan.co.uk

#3 stuttle, 26th May 01:28

No need to pass AdminID in the URL at all. Store that ID in the
AdminLogin session variable instead of "OK" and you can get it from
there on every subsequent page.

-Stut

--
http://stut.net/
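Putting Ash's and Stut's advice together, here is an added example (it is not code from the original poster, from Ash, or from Stut) of a login that keeps the AdminID in the server-side session and a guard that the admin pages call, so nothing in the URL identifies the admin and editing ?AdminID= does nothing. It goes a little beyond the thread by also binding the query parameters and regenerating the session ID at login. It assumes PDO is available, that the Password column holds password_hash() output rather than the plaintext the original table appears to store, and that Main.php, Menu.php and Welcome.php each call requireAdmin() before doing anything; the in-memory SQLite table with the user "alice" is constructed demo data so the file runs stand-alone, and against the real database the same PDO calls work with the MySQL DSN.

```php
<?php
// Added example: the admin's identity lives in the server-side session,
// never in the URL. Not the original poster's code, nor Ash's or Stut's.
//
// Assumptions (not stated on the page): PDO with the sqlite driver for the
// demo; the `admin` table's Password column holds password_hash() output;
// every admin page (Main.php, Menu.php, Welcome.php) calls requireAdmin().
// openDemoDb() builds constructed demo data so this runs stand-alone.

session_start();

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');   // real app: 'mysql:host=...;dbname=...'
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin (AdminID INTEGER PRIMARY KEY,
                                   UserName TEXT UNIQUE, Password TEXT)');
    $ins = $db->prepare('INSERT INTO admin (UserName, Password) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // constructed
    return $db;
}

// Replaces the query block at the top of Index.php.
// Returns the AdminID on success, null on failure.
function login(PDO $db, string $userName, string $password): ?int
{
    // Bound parameter: the submitted value never becomes part of the SQL text,
    // so "' OR '1'='1" is just a user name that does not exist.
    $stmt = $db->prepare('SELECT AdminID, Password FROM admin WHERE UserName = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }

    // New session ID at the privilege change, so an ID handed out before
    // login cannot be reused by whoever planted it (session fixation).
    session_regenerate_id(true);
    $_SESSION['AdminID'] = (int) $row['AdminID'];   // the only copy of the ID
    return (int) $row['AdminID'];
}

// Guard for Main.php, Menu.php and Welcome.php: the ID is read from the
// session only, so anything a user types into ?AdminID= is ignored.
function requireAdmin(): int
{
    if (empty($_SESSION['AdminID'])) {
        header('Location: Index.php');
        exit;
    }
    return (int) $_SESSION['AdminID'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Index.php request flow: the redirect no longer carries the ID.
$db  = openDemoDb();
$msg = '';
if (isset($_POST['UserName'], $_POST['Password'])) {
    if (login($db, (string) $_POST['UserName'], (string) $_POST['Password']) !== null) {
        header('Location: Main.php');
        exit;
    }
    $msg = 'Invalid Login';
}

// Self-check when run from the command line: php index_example.php
if (PHP_SAPI === 'cli') {
    $checks = [
        login($db, 'alice', 'wrong password') === null,
        login($db, "' OR '1'='1", 'anything')  === null,   // injection attempt fails
        login($db, 'alice', 'correct horse')   === 1,
        requireAdmin()                          === 1,     // ID came from the session
    ];
    echo in_array(false, $checks, true) ? "FAIL\n" : "ok: AdminID {$_SESSION['AdminID']}\n";
}
```

With this in place the `$_SESSION['AdminLogin'] = "OK"` flag is redundant, since the presence of `$_SESSION['AdminID']` is the login state. The existing table stores passwords in the clear, so the `password_verify` line assumes a one-off migration (for example, hashing each stored value with `password_hash` and rehashing on the next successful login, or forcing a password reset); until that is done, the comparison would have to stay a plain equality check.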
#4 tedd.sperling, 26th May 04:40

Ash:

Even if you did hack the site, all that means is that site was
hack-able and thus should have been fixed anyway.

In my mind, hacking a site (without doing damage) is a good
introduction to a client.

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

#5 apseudoutopia, 26th May 04:40

*Ahem*....You mean 'cracking'? :-P

#6 rbenson, 26th May 04:40

haha I think he does...

#7 ash, 26th May 04:40

I wouldn't really have called it either. When someone mentions hacking,
I think back to that wonderful old film with Angelina Jolie before she
went all weird! I think it can make a good impression, as it shows you
at least know more than the last developers they used, and knowledge
ain't a bad thing.


Ash
www.ashleysheridan.co.uk

#8 stuttle, 26th May 08:23

Please keep the discussion on the list, or offer me a contract.

That script doesn't use it except to pass it through to Menu.php and
Welcome.php.

-Stut

--
http://stut.net/

#9 tedd.sperling, 26th May 08:24

*Ahem*... You mean to stick your tongue out at me? That's one
definition of using :-P

You see, there's all sorts of definitions for everything.

When I say "Hack a site" I mean to do something to get the site to
provide an unintended result as expected by the author.

Much like using CSS "Hacks" to get browsers to do something that was
not intended by the original designers.

On the other hand, my understanding of "cracking" means to "crack"
some type of encryption. Thus, the reason why I did not say "cracking
the site" instead of "hacking the site".

Cheers,

tedd

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com

#10 stuttle, 26th May 08:24

Hacking: Getting something to do something it was not designed to do.

Cracking: Getting something to do something it was specifically
designed to prevent.

IMHO.

-Stut

--
http://stut.net/

Copyright © 2006 SmartyDevil.com