Ad:

PHP Discussion Thread
Unsolved
Views: 8877

Mar 30th, 2009

Admin Panel script

Expand Post »

WARNING
huge php script, watch your head
/WARNING

Ok, i want to start by saying that this is part of a free script im making and therefor may be used by anyone, the script if available at:

http://pctipforum.com/index.php?topic=345.0

next i want to say that this is a login script for the admin panel of the above utility, the utility is a php based guestbook

This admin panel, for now, offers the person whom uses it the ability to delete and entry from the guestbook, at the time it does not work

I think there is a piece missing where its marked, youll see it torward the end like this:

//---------------------------------
//<--- SOMETHING GOES HERE --->
//---------------------------------

some part of the script is not escaped with a } and so its missing a piece, the script WAS functional, when it had multiple pages, ie this page linked to another page to parse the form..

but after i got about 30 pages in this simple to use guestbook, it became too complicated, as such i put them into one page, and now i cant figure out what im missing ><

please help

PHP Syntax (Toggle Plain Text)
 
<?PHP
//turn off error reporting...
error_reporting(0);
 
//Include the file with the password
include ("Config.php");
 
//Convert the username and password into usable strings
$user = $_POST['user'];
$pass = $_POST['pass'];
 
//We need to disable the first parse of this script, which is when the person first come to the page...
if($user=="")
 
{
	echo '
	<center>
	<table border="0">
	<form method="POST" action="A_login.php">
	<tr><td>
	Admin Username:
	<td>
	<input type="text" name="user">
	<tr><td>
	Admin Password:
	<td>
	<input type="password" name="pass">
	<tr><td>
	Submit:
	<td>
	<input type="submit" value="Submit">
	</form>
	</table>
	</center>
	<center>
 	This will display the FULL guestbook, it gets quite long....
 	</center>
	';
 
 	die(''); 
}
 
if($Delete=="")
 
 
{
	//Check username and password
	if (($user=="$Ad_Username") && ($pass=="$Ad_Password"))
	{
		//if its right, we can go ahead and display the info
 
		echo '
		<br><br>
		<center>
		<h2>THIS WILL DELETE WHATEVER NUMBER YOU INPUT!</h2>
		</center>
		<br>
		<center>
		<table border="0">
		<form method="POST" action="A_login.php">
		<input type="hidden" value="$user" name="user">
		<input type="hidden" value="$pass" name="pass">
		<tr><td>
		DELETE NUMBER:
		<td>
		<input type="text" name="Delete">
		<tr><td>
		Submit:
		<td>
		<input type="submit" value="Submit">
		</form>
		</table>
		</center>
		';
 
		//Admin Guestbook, for use in the panel ONLY
		echo '<br><br><br>';
		echo '<center>';
		//This includes the Configuration file that should be in the same folder as this guestbook Script
		include ("Config.php");
 
 
		//This is where the Script connects to your database
		$con = mysql_connect("$Hostname","$Username","$Password");
		if (!$con)
		{
			die('Could not connect: ' . mysql_error());
		}
 
		//Selects the database in config.php
		mysql_select_db("$Database", $con);
 
		//Selects the info from the guestbook table and sets it as a variable
		$result = mysql_query("SELECT * FROM $Table ORDER BY Number DESC");
 
		//This portion configures the table which will display the guestbook
		echo "<font color=$HeaderColor size=\"2\">FOR USE IN THE ADMIN PANEL ONLY</font>";
		echo '<br><br>';
		echo "<table width=\"80%\" Border=\"$TableBord\">";
		echo "<tr><td><font color=$HeaderColor>Number<td><font color=$HeaderColor>Smiley<td><font color=$HeaderColor>Name<td><font color=$HeaderColor>Date<td><font color=$HeaderColor>Comment<td><font color=$HeaderColor>Email<td><font color=$HeaderColor>IP";
 
		//This is an array, it takes each entry into the guestbook and puts it on a line
		while($row = mysql_fetch_array($result))
		{
			Echo "<tr>";
			Echo "<td><font color=$EntryColor>";
			Echo $row['Number'];
			Echo "<td><img src=Smiley/";
			Echo $row['Smiley'];
			Echo ".gif>";
			Echo "<td><font color=$EntryColor>";
			Echo $row['Name'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Date'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Comment'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Email'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['IP'];
		}
		Echo "</font>";
 
		//Disconnect from the database
		mysql_close($con);
 
		//End Admin Guestbook viewer
		echo '</center>';
		 die(''); 
	}
 
	else
 
	{ 
		die('Wrong username and or password!');
	}
 
//---------------------------------
//<--- SOMETHING GOES HERE --->
//---------------------------------
 
else 
 
{ 
	//This includes the Configuration file that should be in the same folder as this Script
	include ("Config.php");
	echo "
	<a href=$LINK>Return</a>
	<br><br><br><br>
	";
 
	//This is where the Script connects to your database
	$con = mysql_connect("$Hostname","$Username","$Password");
	if (!$con)
	{
		die('Could not connect: ' . mysql_error());
	}
 
	//Selects the database in config.php
	mysql_select_db("$Database", $con);
 
	$sql="DELETE FROM $Table WHERE Number='$_POST[Delete]'";
 
	if (!mysql_query($sql,$con))
	{
		die('Error: ' . mysql_error());
	}
	echo "record deleted";
}
 
?>
<?PHP
//turn off error reporting...
error_reporting(0);

//Include the file with the password
include ("Config.php");

//Convert the username and password into usable strings
$user = $_POST['user'];
$pass = $_POST['pass'];

//We need to disable the first parse of this script, which is when the person first come to the page...
if($user=="")

{
	echo '
	<center>
	<table border="0">
	<form method="POST" action="A_login.php">
	<tr><td>
	Admin Username:
	<td>
	<input type="text" name="user">
	<tr><td>
	Admin Password:
	<td>
	<input type="password" name="pass">
	<tr><td>
	Submit:
	<td>
	<input type="submit" value="Submit">
	</form>
	</table>
	</center>
	<center>
 	This will display the FULL guestbook, it gets quite long....
 	</center>
	';

 	die(''); 
}

if($Delete=="")


{
	//Check username and password
	if (($user=="$Ad_Username") && ($pass=="$Ad_Password"))
	{
		//if its right, we can go ahead and display the info

		echo '
		<br><br>
		<center>
		<h2>THIS WILL DELETE WHATEVER NUMBER YOU INPUT!</h2>
		</center>
		<br>
		<center>
		<table border="0">
		<form method="POST" action="A_login.php">
		<input type="hidden" value="$user" name="user">
		<input type="hidden" value="$pass" name="pass">
		<tr><td>
		DELETE NUMBER:
		<td>
		<input type="text" name="Delete">
		<tr><td>
		Submit:
		<td>
		<input type="submit" value="Submit">
		</form>
		</table>
		</center>
		';

		//Admin Guestbook, for use in the panel ONLY
		echo '<br><br><br>';
		echo '<center>';
		//This includes the Configuration file that should be in the same folder as this guestbook Script
		include ("Config.php");


		//This is where the Script connects to your database
		$con = mysql_connect("$Hostname","$Username","$Password");
		if (!$con)
		{
			die('Could not connect: ' . mysql_error());
		}

		//Selects the database in config.php
		mysql_select_db("$Database", $con);

		//Selects the info from the guestbook table and sets it as a variable
		$result = mysql_query("SELECT * FROM $Table ORDER BY Number DESC");

		//This portion configures the table which will display the guestbook
		echo "<font color=$HeaderColor size=\"2\">FOR USE IN THE ADMIN PANEL ONLY</font>";
		echo '<br><br>';
		echo "<table width=\"80%\" Border=\"$TableBord\">";
		echo "<tr><td><font color=$HeaderColor>Number<td><font color=$HeaderColor>Smiley<td><font color=$HeaderColor>Name<td><font color=$HeaderColor>Date<td><font color=$HeaderColor>Comment<td><font color=$HeaderColor>Email<td><font color=$HeaderColor>IP";

		//This is an array, it takes each entry into the guestbook and puts it on a line
		while($row = mysql_fetch_array($result))
		{
			Echo "<tr>";
			Echo "<td><font color=$EntryColor>";
			Echo $row['Number'];
			Echo "<td><img src=Smiley/";
			Echo $row['Smiley'];
			Echo ".gif>";
			Echo "<td><font color=$EntryColor>";
			Echo $row['Name'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Date'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Comment'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Email'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['IP'];
		}
		Echo "</font>";

		//Disconnect from the database
		mysql_close($con);

		//End Admin Guestbook viewer
		echo '</center>';
		 die(''); 
	}

	else

	{ 
		die('Wrong username and or password!');
	}

//---------------------------------
//<--- SOMETHING GOES HERE --->
//---------------------------------

else 

{ 
	//This includes the Configuration file that should be in the same folder as this Script
	include ("Config.php");
	echo "
	<a href=$LINK>Return</a>
	<br><br><br><br>
	";

	//This is where the Script connects to your database
	$con = mysql_connect("$Hostname","$Username","$Password");
	if (!$con)
	{
		die('Could not connect: ' . mysql_error());
	}

	//Selects the database in config.php
	mysql_select_db("$Database", $con);

	$sql="DELETE FROM $Table WHERE Number='$_POST[Delete]'";

	if (!mysql_query($sql,$con))
	{
		die('Error: ' . mysql_error());
	}
	echo "record deleted";
}

?>

p.s. yes i know its messy, yes i know i have a LOT of html being parsed by php, i will clean it up later, right now its like that for simplicities sake....

thanks in advance!

Similar Threads

How i can do? in PHP
Simple article manager script in PHP I wrote in PHP
AIHS help in HTML and CSS
Need SMS Messages Script in Community Introductions

Merlin33069

Reputation Points: 10

Solved Threads: 4

Junior Poster

Offline

126 posts
since May 2008

Permalink

Mar 31st, 2009

Re: Admin Panel script

ok, i found the problem, it was just a missing }

i tried that once, but it kept redirecting me to the same page i was on, so i thaught something else should go there...

the place i messed up is in the hidden inputs under one of the forms, the form assumes a variable that cannot be used...

here is the fixed and 100% working script:

PHP Syntax (Toggle Plain Text)
 
<?PHP
//turn off error reporting...
error_reporting(0);
 
//Include the file with the password
include ("Config.php");
 
//Convert the username and password into usable strings
$user = $_POST['user'];
$pass = $_POST['pass'];
$Delete = $_POST['Delete'];
 
//We need to disable the first parse of this script, which is when the person first come to the page...
if($user=="")
 
{
	echo '
	<center>
	<table border="0">
	<form method="POST" action="A_login.php">
	<tr><td>
	Admin Username:
	<td>
	<input type="text" name="user">
	<tr><td>
	Admin Password:
	<td>
	<input type="password" name="pass">
	<tr><td>
	Submit:
	<td>
	<input type="submit" value="Submit">
	</form>
	</table>
	</center>
	<center>
 	This will display the FULL guestbook, it gets quite long....
 	</center>
	';
 
 	die(''); 
}
 
if($Delete=="")
 
 
{
	//Check username and password
	if (($user=="$Ad_Username") && ($pass=="$Ad_Password"))
	{
		//if its right, we can go ahead and display the info
 
		echo '
		<center>
		<h2>THIS WILL DELETE WHATEVER NUMBER YOU INPUT!</h2>
		</center>
		<br>
		<center>
		<table border="0">
		<form method="POST" action="A_login.php">
		<input type="hidden" name="user" value="';
 
		echo $user;
 
		echo '">';
 
		echo '<input type="hidden" name="pass" value="';
 
		echo $pass;
 
		echo '">
		<tr><td>
		DELETE NUMBER:
		<td>
		<input type="text" name="Delete">
		<tr><td>
		Submit:
		<td>
		<input type="submit" value="Submit">
		</form>
		</table>
		</center>
		';
 
		//Admin Guestbook, for use in the panel ONLY
		echo '<br><br><br>';
		echo '<center>';
		//This includes the Configuration file that should be in the same folder as this guestbook Script
		include ("Config.php");
 
 
		//This is where the Script connects to your database
		$con = mysql_connect("$Hostname","$Username","$Password");
		if (!$con)
		{
			die('Could not connect: ' . mysql_error());
		}
 
		//Selects the database in config.php
		mysql_select_db("$Database", $con);
 
		//Selects the info from the guestbook table and sets it as a variable
		$result = mysql_query("SELECT * FROM $Table ORDER BY Number DESC");
 
		//This portion configures the table which will display the guestbook
		echo "<font color=$HeaderColor size=\"2\">FOR USE IN THE ADMIN PANEL ONLY</font>";
		echo '<br><br>';
		echo "<table width=\"80%\" Border=\"$TableBord\">";
		echo "<tr><td><font color=$HeaderColor>Number<td><font color=$HeaderColor>Smiley<td><font color=$HeaderColor>Name<td><font color=$HeaderColor>Date<td><font color=$HeaderColor>Comment<td><font color=$HeaderColor>Email<td><font color=$HeaderColor>IP";
 
		//This is an array, it takes each entry into the guestbook and puts it on a line
		while($row = mysql_fetch_array($result))
		{
			Echo "<tr>";
			Echo "<td><font color=$EntryColor>";
			Echo $row['Number'];
			Echo "<td><img src=Smiley/";
			Echo $row['Smiley'];
			Echo ".gif>";
			Echo "<td><font color=$EntryColor>";
			Echo $row['Name'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Date'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Comment'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Email'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['IP'];
		}
		Echo "</font>";
 
		//Disconnect from the database
		mysql_close($con);
 
		//End Admin Guestbook viewer
		echo '</center>';
		die(''); 
	}
 
	else
 
	{ 
		die('Wrong username and or password!');
	}
}
 
else
 
{ 
	//This includes the Configuration file that should be in the same folder as this Script
	include ("Config.php");
 
		echo '
		<center>
		<table border="0">
		<form method="POST" action="A_login.php">
		<input type="hidden" name="user" value="';
		echo $user;
		echo '">';
		echo '<input type="hidden" name="pass" value="';
		echo $pass;
		echo '">
		<tr><td>
		<tr><td>
		<input type="submit" value="Return to admin page">
		</form>
		</table>
		</center>
		<br>
		<center>
		';
 
 
 
	//This is where the Script connects to your database
	$con = mysql_connect("$Hostname","$Username","$Password");
	if (!$con)
	{
		die('Could not connect: ' . mysql_error());
	}
 
	//Selects the database in config.php
	mysql_select_db("$Database", $con);
 
	$sql="DELETE FROM $Table WHERE Number='$_POST[Delete]'";
 
	if (!mysql_query($sql,$con))
	{
		die('Error: ' . mysql_error());
	}
	echo "record deleted, or did not exist, either way its no longer in the database...";
}
echo '</center>';
 
?>
<?PHP
//turn off error reporting...
error_reporting(0);

//Include the file with the password
include ("Config.php");

//Convert the username and password into usable strings
$user = $_POST['user'];
$pass = $_POST['pass'];
$Delete = $_POST['Delete'];

//We need to disable the first parse of this script, which is when the person first come to the page...
if($user=="")

{
	echo '
	<center>
	<table border="0">
	<form method="POST" action="A_login.php">
	<tr><td>
	Admin Username:
	<td>
	<input type="text" name="user">
	<tr><td>
	Admin Password:
	<td>
	<input type="password" name="pass">
	<tr><td>
	Submit:
	<td>
	<input type="submit" value="Submit">
	</form>
	</table>
	</center>
	<center>
 	This will display the FULL guestbook, it gets quite long....
 	</center>
	';

 	die(''); 
}

if($Delete=="")


{
	//Check username and password
	if (($user=="$Ad_Username") && ($pass=="$Ad_Password"))
	{
		//if its right, we can go ahead and display the info

		echo '
		<center>
		<h2>THIS WILL DELETE WHATEVER NUMBER YOU INPUT!</h2>
		</center>
		<br>
		<center>
		<table border="0">
		<form method="POST" action="A_login.php">
		<input type="hidden" name="user" value="';

		echo $user;

		echo '">';

		echo '<input type="hidden" name="pass" value="';

		echo $pass;

		echo '">
		<tr><td>
		DELETE NUMBER:
		<td>
		<input type="text" name="Delete">
		<tr><td>
		Submit:
		<td>
		<input type="submit" value="Submit">
		</form>
		</table>
		</center>
		';

		//Admin Guestbook, for use in the panel ONLY
		echo '<br><br><br>';
		echo '<center>';
		//This includes the Configuration file that should be in the same folder as this guestbook Script
		include ("Config.php");


		//This is where the Script connects to your database
		$con = mysql_connect("$Hostname","$Username","$Password");
		if (!$con)
		{
			die('Could not connect: ' . mysql_error());
		}

		//Selects the database in config.php
		mysql_select_db("$Database", $con);

		//Selects the info from the guestbook table and sets it as a variable
		$result = mysql_query("SELECT * FROM $Table ORDER BY Number DESC");

		//This portion configures the table which will display the guestbook
		echo "<font color=$HeaderColor size=\"2\">FOR USE IN THE ADMIN PANEL ONLY</font>";
		echo '<br><br>';
		echo "<table width=\"80%\" Border=\"$TableBord\">";
		echo "<tr><td><font color=$HeaderColor>Number<td><font color=$HeaderColor>Smiley<td><font color=$HeaderColor>Name<td><font color=$HeaderColor>Date<td><font color=$HeaderColor>Comment<td><font color=$HeaderColor>Email<td><font color=$HeaderColor>IP";

		//This is an array, it takes each entry into the guestbook and puts it on a line
		while($row = mysql_fetch_array($result))
		{
			Echo "<tr>";
			Echo "<td><font color=$EntryColor>";
			Echo $row['Number'];
			Echo "<td><img src=Smiley/";
			Echo $row['Smiley'];
			Echo ".gif>";
			Echo "<td><font color=$EntryColor>";
			Echo $row['Name'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Date'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Comment'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['Email'];
			Echo "<td><font color=$EntryColor>";
			Echo $row['IP'];
		}
		Echo "</font>";

		//Disconnect from the database
		mysql_close($con);

		//End Admin Guestbook viewer
		echo '</center>';
		die(''); 
	}

	else

	{ 
		die('Wrong username and or password!');
	}
}

else

{ 
	//This includes the Configuration file that should be in the same folder as this Script
	include ("Config.php");

		echo '
		<center>
		<table border="0">
		<form method="POST" action="A_login.php">
		<input type="hidden" name="user" value="';
		echo $user;
		echo '">';
		echo '<input type="hidden" name="pass" value="';
		echo $pass;
		echo '">
		<tr><td>
		<tr><td>
		<input type="submit" value="Return to admin page">
		</form>
		</table>
		</center>
		<br>
		<center>
		';



	//This is where the Script connects to your database
	$con = mysql_connect("$Hostname","$Username","$Password");
	if (!$con)
	{
		die('Could not connect: ' . mysql_error());
	}

	//Selects the database in config.php
	mysql_select_db("$Database", $con);

	$sql="DELETE FROM $Table WHERE Number='$_POST[Delete]'";

	if (!mysql_query($sql,$con))
	{
		die('Error: ' . mysql_error());
	}
	echo "record deleted, or did not exist, either way its no longer in the database...";
}
echo '</center>';

?>

Have fun, and check out pctipforum.com

Merlin33069

Reputation Points: 10

Solved Threads: 4

Junior Poster

Offline

126 posts
since May 2008

Permalink

Mar 31st, 2009

Re: Admin Panel script

First of all, there are some problems you need to address before anyone even thinks about downloading/using this. You have a username and password stored in plain text on the server. Not Good! A database should be used to store them. The password should be hashed as well. You also have post data going directly into queries. This is a huge sql injection hole. Also I couldn't find much valid xhtml or even html.

Security is a must in todays world. That will be hacked quickly.

Also, I looked at your demo. There is no spam prevention. You might want to fix that before someone starts spamming you.

Last edited by kkeith29; Mar 31st, 2009 at 1:23 am.

kkeith29

Reputation Points: 235

Solved Threads: 193

Nearly a Posting Virtuoso

Offline

1,315 posts
since Jun 2007

Permalink

Mar 31st, 2009

Re: Admin Panel script

Also by compiling it into one script the file size is huge and it will take PHP a much longer time to parse the whole file

samarudge

Reputation Points: 26

Solved Threads: 31

Posting Whiz

Offline

354 posts
since May 2008

Permalink

Apr 13th, 2009

Re: Admin Panel script

i know.

this was my first script, as such i was working piece by piece, the entire script is now split into a couple different files, and the database houses a few different hashed passwords.

This was a learning experience for me

also, on the spamming part of things, that was added later and i thank you for pointing it out anyway

Last edited by Merlin33069; Apr 13th, 2009 at 11:55 am. Reason: added last paragraph

Merlin33069

Reputation Points: 10

Solved Threads: 4

Junior Poster

Offline

126 posts
since May 2008

Permalink

Apr 13th, 2009

Re: Admin Panel script

Yeh, some major holes in that :/
I wouldnt recomend anyone using it for security issues until you've fixed it up. Look up CSRF aswell, i've made it a mission to get more people protecting the forms against it. Also there is (as pointed out above) a huge SQL injection possible.
Hope this helps

Designer_101

Reputation Points: 12

Solved Threads: 16

Posting Whiz

Offline

314 posts
since Jul 2007

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in PHP Forum Timeline: Looking for error reporting switch

Next Thread in PHP Forum Timeline: Hi.......Help me get started with PHP

DaniWeb Message

Cancel Changes

User Name
Password