I made an access login system, but I would like the user to be obliged to access it with the login and password, inhibiting direct access via URL.
Anyone can access the page via URL by entering the address. I would like to inhibit this type of access, so that the user could only access the page via login and password!
I am adding the code I created below:
Login Code:
<?php
session_start();
$_SESSION['logado'] = 1;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><?php include "../conexao.php"; ?>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Painel Adm. - Login</title>
<link href='http://fonts.googleapis.com/css?family=Oswald:400,300,700' rel='stylesheet' type='text/css' />
<link rel="stylesheet" type="text/css" href="css_login/style.css" />
</head>
<body>
<?php
$logotipo = $_POST['logotipo'];
$query = mysql_query("SELECT * FROM topo");
$res = mysql_fetch_array($query);
?>
<div id="logo" class="form bradius">
<div align="center" class="logo"><img src="../upload/<?php echo $res['logotipo'] ;?>" width="auto" height="58" /></div>
<div class="acomodar">
<form name="enter" method="post" action="" enctype="multipart/form-data">
<label for="login">Login: </label><input id="login" type="text" class="txt bradius" name="login" value="" />
<label for="senha">Senha: </label><input id="senha" type="password" class="txt bradius" name="senha" value="" />
<input type="submit" class="sb bradius" name="enter" value="Entrar" />
</form>
<?php
if(isset($_POST['enter'])){
$login = $_POST['login'];
$senha = $_POST['senha'];
$query = mysql_query("SELECT * FROM usuario WHERE login = '$login' AND senha = '$senha'");
$conta = mysql_num_rows($query);
if($conta == '0'){
echo "<script language='javascript'>window.alert('Usuario e senha nao corresponde!');</script>";
}else{
while($res = mysql_fetch_array($query)){
$id = $res ['id'];
$nome = $res ['nome'];
$login = $res ['login'];
$senha = $res ['senha'];
$nivel = $res ['nivel'];
if($nivel == 'admin'){
echo "<script language='javascript'>window.location='http://www.buziosnegocios.com.br/admin/painel/index.php?login=$login&senha=$senha';</script>";
}else{
echo "<script language='javascript'>window.alert('Erro ao acessar seu Painel Admin.!');</script>";
}}}}
?>
<!--acomodar-->
</div>
<!--login-->
</div>
</body>
</html>
Page to be inhibited to direct access via URL:
<?php
session_start();
if (!isset($_SESSION['logado']) || $_SESSION['logado'] !== 1){
header("Location: http://www.buziosnegocios.com.br/admin/index.php");
} else {
$username = $_SESSION['user'];
$idusername = $_SESSION['iduser'];
session_destroy();
exit;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Page</title>
<meta name="generator" content="WYSIWYG Web Builder 10 - http://www.wysiwygwebbuilder.com">
<link href="#.css" rel="stylesheet" type="text/css">
</head>
<body style="
background-color: #FFF;
color: #000000;
font-family: Arial;
font-size: 13px;
margin: 0;
text-align: center;">
<div id="container" style="
background-color: #FF6;
width: 1000px;
position: relative;
margin: 0 auto 0 auto;
text-align: left;">
<br>
Menu
<br>
</div>
</body>
</html>
If friends can help me inhibit direct access via URL, I would be very grateful.
A QUARREL to all for the attention.
Study SQL injection and PDO; the session part is pure logic. Look for examples on YouTube... An example of an SQL injection flaw in your system is... Put this in the user field -> admin' OR 1=1#
– Hiago Souza
Then enter any password and you will have access to the system.
– Hiago Souza
To inhibit access as you asked, put a die under the Location.
– Hiago Souza
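One way to apply the advice in the comments above, as an added example that is not code from the original question or comments: a PDO prepared statement for the login check, the session flag set only after a successful login, and `exit` after the redirect. The function names, the in-memory SQLite database, the sample account and the assumption that `senha` stores a `password_hash()` value are assumptions of this example; table and column names follow the question.

```php
<?php
declare(strict_types=1);

// The login is bound as a parameter, so input such as  admin' OR 1=1#  is
// compared as a literal string and never becomes part of the SQL text.
function authenticate(PDO $pdo, string $login, string $senha): ?array
{
    $stmt = $pdo->prepare('SELECT id, nome, login, senha, nivel FROM usuario WHERE login = ?');
    $stmt->execute([$login]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumption: senha holds a password_hash() value, not the plain password.
    if ($user === false || !password_verify($senha, $user['senha'])) {
        return null;
    }
    return $user;
}

// Call only after authenticate() succeeded and session_start() has run.
function start_user_session(array $user): void
{
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['logado'] = 1;
    $_SESSION['iduser'] = $user['id'];
    $_SESSION['user']   = $user['login'];
    $_SESSION['nivel']  = $user['nivel'];
}

// First lines of every protected page: redirect and stop when not logged in.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (($_SESSION['logado'] ?? null) !== 1 || ($_SESSION['nivel'] ?? '') !== 'admin') {
        header('Location: /admin/index.php');
        exit; // without this, the rest of the page is still sent to the client
    }
}

// Constructed demo data: in-memory SQLite stands in for the site's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE usuario (id INTEGER PRIMARY KEY, nome TEXT, login TEXT, senha TEXT, nivel TEXT)');
$pdo->prepare('INSERT INTO usuario (nome, login, senha, nivel) VALUES (?, ?, ?, ?)')
    ->execute(['Admin', 'admin', password_hash('s3nha-demo', PASSWORD_DEFAULT), 'admin']);

var_dump(authenticate($pdo, "admin' OR 1=1#", 'x') === null);   // string from the comment is rejected
var_dump(authenticate($pdo, 'admin', 's3nha-demo')['nivel']);   // valid credentials are accepted
```

With this layout the login page calls `start_user_session()` and redirects without putting the login or password in the URL, and the protected page only needs `require_admin()` at the top.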