Quote:
Generally you don't pass user/pass in a querystring either ... instead use a submit form. The request should be the same regardless, and like he says, if you don't have a value when you check the request, then redirect the page back to the login, or error.


Well as I have it set up now, it passes login info from a submit form to my admin.php. On the admin site before I generate any html it validates the username and password.

Should I be validating the login info on another .php page, and then, after that passes, going to the admin page?

IE

login.htm (submit form) -> validate.php -> admin.htm

I guess my question is trying to figure out how to not let admin.htm appear to users at all unless the password is validated. Yeah, my steps from login.htm to validate.php I can do. But I can still directly go to admin.htm and bypass the login process.

I'd post my code but my school's servers are all down for maintenance.

Quote:

For the login ... you have to check for the password post form variable if it is not there ... meaning someone went directly to the process page ... you should redirect to an error page, or back to the login page & present the user with some message.


So you are saying that my actual admin.htm needs to have a check and if it fails take them away to another page?

Also zarad mentioned SQL injection. Some guy in my class just did that to my professor's website and we were able to just log in with admin access. How can you prevent that?


Could I just add a redirect
Code:
<?php
// Send the browser elsewhere, then stop the script so none of the
// protected page below this point is ever sent to the client.
header('Location: http://www.yoursite.com/new_page.html');
exit;
?>

in the code that validates the password and just take people away that don't have the password?

Last edited by Ithkrul; 06/26/09 08:48 AM.
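The two questions in this post (keeping admin out of reach until the password is validated, and stopping the SQL injection the classmate used) come down to the same handful of lines, so here is an added example of both halves, not code from the poster or the thread. It assumes a `users` table with `username` and `password_hash` columns (hashes made with `password_hash()`), a PDO connection in `$pdo`, and that the admin page is `admin.php` rather than a static `.htm`, since a plain HTML file cannot run a check at all.

```php
<?php
// Added example; assumes a `users` table (username, password_hash)
// and an existing PDO connection in $pdo. Not the poster's code.
session_start();

// ---- validate.php: the target of the login form's POST ----------------
function handleLogin(PDO $pdo): void {
    // No POST data means nobody submitted the form; someone came here
    // directly. Send them back to the login page instead of continuing.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !isset($_POST['username'], $_POST['password'])) {
        header('Location: login.htm');
        exit;
    }

    // Prepared statement: the username is a bound parameter, never glued
    // into the SQL string, so input like  ' OR '1'='1  stays a plain string.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $_POST['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash; never store or compare plaintext.
    if ($row === false
        || !password_verify($_POST['password'], $row['password_hash'])) {
        header('Location: login.htm?error=1');
        exit;
    }

    // Success: remember it in the session, then hand off to the admin page.
    session_regenerate_id(true);
    $_SESSION['user'] = $_POST['username'];
    header('Location: admin.php');
    exit;
}

// ---- admin.php: run this before emitting a single byte of HTML ----------
function requireLogin(): void {
    if (empty($_SESSION['user'])) {
        header('Location: login.htm');
        exit;   // without exit the rest of admin.php would still be sent
    }
}
```

Put `requireLogin();` at the very top of admin.php (and any other protected page); because the gate lives in the page itself, typing the URL directly no longer bypasses the login flow.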