View Full Version : Is this a good way to protect pages?


The Letter J
Tue 25th Nov '03, 8:01pm
I just want to know if this is a secure enough way to keep someone out of pages I want protected.

Here is the function:

<?php

function session_check()
{
    // Require a populated session before querying the database.
    if (isset($_SESSION['username'], $_SESSION['password']) && is_numeric($_SESSION['userid']) && $_SESSION['auth'] == 1)
    {
        // Look up the user by the username and password stored in the session.
        $sql = "SELECT * FROM " . USERS_TABLE . " WHERE username = '" . $_SESSION['username'] . "' AND password = '" . $_SESSION['password'] . "'";
        $result = sql_query($sql);
        $number = sql_num_rows($result);

        if ($number == 1)
        {
            return true;
        } else
        {
            echo '<p class="center">The username/password combination is invalid.</p>';
        }
    } else
    {
        echo '<p class="center">You are not authorized to access this page.</p>';
    }
}

?>

Here is how the function is used:

<?php

session_start();

if (session_check() === true)
{
    echo 'Secret Stuff';
}

?>

merk
Wed 26th Nov '03, 12:26am
You could use a die; call after echoing out permission denied, I would assume that's all you are looking for?
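A hardened variant of the guard discussed in this thread, as an added example that is not code from either poster: it stops the request on failure, as the die; suggestion does, and goes further by keeping only the user id in the session and using a bound parameter instead of string-built SQL. The PDO/SQLite in-memory database, the users table with its id, username and active columns, and the find_user() and require_login() helpers are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Table layout and helper names
// (find_user, require_login) are assumptions for illustration.
declare(strict_types=1);

function find_user(PDO $db, int $userId): ?array
{
    // Bound parameter: session data never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ? AND active = 1');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function session_check(PDO $db, array $session): ?array
{
    // Only the user id lives in the session; no password is stored there.
    if (!isset($session['userid']) || !is_int($session['userid'])) {
        return null;
    }
    // Re-check on every request so a deleted or disabled account loses access.
    return find_user($db, $session['userid']);
}

function require_login(PDO $db): array
{
    $user = session_check($db, $_SESSION ?? []);
    if ($user === null) {
        http_response_code(403);
        echo '<p class="center">You are not authorized to access this page.</p>';
        exit; // stop here so nothing after the guard can run
    }
    return $user;
}

// Constructed demo data: in-memory SQLite with one active user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'demo', 1)");

session_start();
$_SESSION['userid'] = 1; // normally set once at login, after password_verify()
$user = require_login($db);
echo 'Secret Stuff for ' . htmlspecialchars($user['username']), "\n";
```

Because require_login() exits on failure, a protected page only needs to call it at the top; there is no return value the caller can forget to check.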