Simple php admin page

[mami]

Hi

I am trying to make a simple php admin page that allows the user to login and set some variables in settings.php

Thanks

[JohnN]

PHP Code:

<?php

$admin['username'] = "username";
$admin['password'] = "password";

session_start();

if(isset($_SESSION['username']) && !empty($_SESSION['username'])){
//if theres currently a session


if($_SESSION['password'] == md5($admin['password'])){
//if the users session is untampered
echo"<h1>logged in!</h1>";


//this is the admin area, you need to tell us more about what you need help with here!

}else{
//probably a hacker

unset($_SESSION['username']);
unset($_SESSION['password']);
session_destroy();

echo"boo, you fail";

}

}else if(isset($_POST['username']) && isset($_POST['password'])){
//they're trying to login


if($_POST['username'] === $admin['username'] && $_POST['password'] === $admin['password']){
//if the logins correct

$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = md5($_POST['password']);
//set up a session
 
}else{

echo"login failed!";
exit;

}

}else{
//they've just arrived
?>

<form name='login' method='post'>

username: <input type='text' name='username'><br />
password: <input type='password' name='password'><br />

<input type='submit' name='submit' value='login'>

</form>

<?php
}
?>

should work. would have used oop or some fancy ----, but I only have 5 minutes.

[mami]

Thanks

But how would I make it so the user has an option to change a variable in settings.php and also logout

[krakjoe]

index.php

PHP Code:

<?php session_start( );

/** no point in a username and pass, make an unimaginable string **/
$secret = "thelongstring";
/** going to change these settings in settings.php **/
$change = array(
    "root",
    "variable"
);

/** need these for foreach( ) **/
include("settings.php");
/** logout a user by request **/
if( $_GET['do'] == 'logout' )
{
    session_destroy( );
    header("Location: {$_SERVER['PHP_SELF']}");
    exit;
}
/** if the form was submitted **/
if( $_POST )
{    
    /** Insure we've posted the right form !! **/
    if( $_SESSION['auth'] and !$_POST['secret'] ) 
    {
        /** build new php **/
        $php[ ] = "<?php";
        foreach( $_POST as $key => $value ) $php[ ] = sprintf( "\$%s = \"%s\";", $key, $value );
        $php[ ] = "?>";
        /** open file handle to settings.php **/
        if( ( $settings = fopen( 'settings.php', 'w' ) ) )
        {
            /** write new code to settings.php **/
            if( !fwrite( $settings, implode( "\n", $php ) ) )
            {
                $msg = "Cannot save settings";
            }
            fclose( $settings );
        }
        else $msg = "Cannot open settings.php for writing";
    }
    /** Login posted **/
    elseif( $_POST['secret'] )
    {
        /** Authorize **/
        if( $_POST['secret'] == $secret )
        {
            $_SESSION['auth'] = true ;
            header("Location: {$_SERVER['PHP_SELF']}");
            exit;
        }
        else $msg = "Incorrect Secret";
    }
    else
    {
        /** Nothing **/
        header("Location: {$_SERVER['PHP_SELF']}");
        exit;
    }
}
/** output red message **/
if( $msg ) printf( "<font color=red>%s</font>\n", $msg );
/** include settings again incase of changes **/
include("settings.php");
/** Display setting form if authed **/
if( $_SESSION['auth'] ):
?>
<form action="" method="POST">
<?php
foreach( $change as $key )
{
    printf( "<p><label>%s&nbsp;<input type=text name=\"%s\" value=\"%s\"></label></p>\n", $key, $key, $$key );
}
?>
<p><input type="submit" value="Save" /></p>
</form> 
<p><a href="?do=logout">Logout</a></p>
<?php 
/** and display login form if not **/
else: 
?>
<form action="" method="POST">
    <p><label><input type="password" name="secret" /></label></p>
    <p><input type="submit" value="Authorize"/></p>
</form>
<?php endif; ?>

settings.php needs to be writable by server ( chmod 777 )

PHP Code:

<?php
$root = "root values";
$variable = "variable valus";
?>

I do not suggest that you keep authorization data in plain text, it's a crap idea, I also assume that you're just messing about here.

Passwords should always be hashed or encrypted when you're authorizing users, it's also not a great idea to have settings in a file that anyone on the filesystem can include ( in most environments ).

Have fun ...

[mami]

I get this error after logging in

PHP Code:

Warning: Cannot modify header information - headers already sent by (output started at /home/mamihoo/public_html/test/settings.php:4) in /home/mamihoo/public_html/test/index.php on line 49 


[krakjoe]

make sure there is no whitespace after closing ?> tags and before opening <?php tags.....

[JohnN]

or stick ob_start(); at the top.

[krakjoe]

no don't do that, there's nothing wrong with the code, it has to be white space, sticking ob_start would avoid the error but the session would still be broken ...

[JohnN]

ahh yes didn't realize you were talking about the session_start( ) issue. my bad.

[krakjoe]

See if you analyze the error ...

Warning: Cannot modify header information - headers already sent by (output started at /home/mamihoo/public_html/test/settings.php:4)

If there were a syntax error, there would be errors about that first ( we know warnings are on else the above error wouldn't show ). And it says the error is on line 4, which is the end, it's probably safe to assume there is whitespace after ?> of settings.php ... of course this is just conjecture ....

[mami]

I dont know what I did wrong but I just re pasted your code and the error has vanished

Thanks