
I made a website login with PHP and HTML. Code:

```php
<?php

session_start();
$user="root";
$host="localhost";
$password="";            // root with an empty password: only acceptable on a local dev box
$database="mb_dusnionys_login";
$usertable="nariai";

// mysql_* is the old ext/mysql API
mysql_connect ($host, $user,$password) or die ("negalima");   // "negalima" = "not possible"
mysql_select_db ($database) or die (mysql_error());

$myusername=$_POST['username'];
$mypassword=$_POST['password'];

// POST values are interpolated unescaped into the query (SQL injection),
// and the password is compared as plain text against the stored column.
$sql="SELECT * FROM {$usertable} WHERE username='{$myusername}' AND password='{$mypassword}'";

$result = mysql_query($sql);
$count=mysql_num_rows($result);

if($count==1){
    $_SESSION ["username"]=$myusername;
    $_SESSION ["password"]=$mypassword;   // the plain-text password is also kept in the session
    $_SESSION ["userrecord"]=mysql_fetch_assoc($result);

    header ("location: /nariu_turinys/index.html");
}
else {
    // "Invalid username or password. Go back and try again."
    echo "Netinkamas vartotojo vardas arba slaptažodis. Grįžkite atgal ir bandykite iš naujo";
}
```

The concept of my website: there is a main index file with a button and a login form. The button redirects, without login, to another index file, and the login form redirects to a third index file that requires a username and password. The main parts of my website are in this directory. Everything is OK when I use the login form to log in to the website, but when I'm logged in and copy the URL of some part of the page and paste it in another browser or another tab, I can reach this part without logging in. The question is: how do I make these parts unavailable without login?

  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 22 '13 at 13:44
  • Don't store plain text passwords! [Store them safely with a hash](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). – Quentin Apr 22 '13 at 13:47
  • Could you tell me about this in more detail, and how can I do that? – user2290637 Apr 22 '13 at 14:13
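The two comments above ask for a current database API, parameterized queries and hashed passwords. The following is an added example of the same login handler written that way; it is not code from the question or from the commenters. It assumes the `nariai` table has columns `id`, `username` and `password_hash` (the original stores a plain-text `password` column), and that the protected area is served as `/nariu_turinys/index.php`.

```php
<?php
// Added example, not the asker's code. Assumptions: table `nariai` has
// columns id, username, password_hash; the member area is /nariu_turinys/index.php.
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=mb_dusnionys_login;charset=utf8mb4',
    'root', '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]
);

/**
 * Look up the user and verify the password. Returns the user's id on success,
 * null on failure. User input only ever travels as a bound parameter, never as SQL.
 */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM nariai WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }

    // If the stored hash was made with an older/cheaper cost, upgrade it now
    // while we still have the plain-text password in hand.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE nariai SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $userId = authenticate(
        $pdo,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['password'] ?? '')
    );

    if ($userId === null) {
        http_response_code(401);
        echo 'Invalid username or password. Go back and try again.';
        exit;
    }

    session_regenerate_id(true);    // new session id after login: blocks session fixation
    $_SESSION['user_id'] = $userId; // store only an identifier, never the password
    header('Location: /nariu_turinys/index.php');
    exit;                           // nothing after a redirect should run
}
```

When creating an account, store `password_hash($plainText, PASSWORD_DEFAULT)` in `password_hash` and nothing else; there is no way (and no need) to get the original password back out, because `password_verify()` checks a candidate against the hash. The `exit` after `header('Location: ...')` matters: without it the rest of the script keeps executing for the redirected request.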

2 Answers


You need to store some form of authentication token (you are already doing this using a session cookie) on the client, and then check that the user accessing each page is authenticated and authorised to view the page (and give a 403 response with a login form or suitable error message if they are not).

Quentin

You should add a function to each interior page to check the session data you're storing at login. If this data doesn't match the stored data, then kick the user back to the login page with an error message.

-Edit-

An example function:

```php
function isLoggedIn()
{
    global $usertable; // set in the login script; not visible inside the function otherwise

    if (!isset($_SESSION['username'], $_SESSION['password'])) {
        logout();
    }
    // Escape the stored values before interpolating them into the query.
    $u = mysql_real_escape_string($_SESSION['username']);
    $p = mysql_real_escape_string($_SESSION['password']);
    $result = mysql_query("SELECT * FROM {$usertable} WHERE username='{$u}' AND password='{$p}'");
    // mysql_query() only returns false on a query error; no matching row gives an empty result set.
    if (!$result || mysql_num_rows($result) != 1) {
        logout();
    }
}

function logout()
{
    session_destroy();
    header('Location: /index.html?error=1'); // assumed path of the page with the login form
    exit;
}
```
evilscary
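Both answers describe the same mechanism: a guard that runs at the top of every interior page, validates the session, and otherwise sends the visitor back to the login form. Below is an added example of such a guard; it is not code from either answer. It assumes the login script stored `$_SESSION['user_id']` (rather than the username and password) and that `nariai` has an `id` column. One caveat that explains the symptom in the question: the web server hands out `.html` files as-is without running PHP, so a guard can never execute for `/nariu_turinys/index.html`. The pages under that directory have to become `.php` files that include the guard (or be moved outside the document root and streamed through a PHP script after the check).

```php
<?php
// require_login.php: added example, not code from either answer.
// Assumptions: the login script set $_SESSION['user_id']; table `nariai`
// has an `id` column; the login form lives at /index.php.

/** One shared PDO connection for the guard. */
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=mb_dusnionys_login;charset=utf8mb4',
            'root', '',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
        );
    }
    return $pdo;
}

/** Destroy the server-side session and expire the session cookie on the client. */
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/**
 * Returns the logged-in user's row. If there is no valid session, logs out,
 * redirects (302) to the login form with the requested path, and stops the page.
 */
function require_login(): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie not readable from JavaScript, only sent over HTTPS, not sent cross-site.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }

    $user = null;
    if (isset($_SESSION['user_id'])) {
        // Re-check the account on every request so a deleted or disabled user
        // loses access immediately rather than when the session expires.
        $stmt = db()->prepare('SELECT id, username FROM nariai WHERE id = ? LIMIT 1');
        $stmt->execute([(int) $_SESSION['user_id']]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    }

    if ($user === null) {
        logout();
        header('Location: /index.php?next=' . rawurlencode($_SERVER['REQUEST_URI']), true, 302);
        exit;
    }
    return $user;
}

// Usage, as the first lines of /nariu_turinys/index.php (and every other page there):
//   require __DIR__ . '/../require_login.php';
//   $user = require_login();
//   echo 'Hello, ' . htmlspecialchars($user['username']);
```

The `next` parameter is there so the login page can send the user back to the page they asked for; when the login script honours it, it must accept only a local path (for example, one that starts with a single `/`) and never a full URL, or it becomes an open redirect. Pasting a member-area URL into another browser now produces a 302 to the login form, because that browser carries no session cookie and the guard runs before any content is emitted.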