Admin panel is working fine for normal users! It requires password to access it but when I access it using acunetix's http editor it opens the admin panel without verification. I'm using a function to check if admin is logged in. If not then redirects to login page! Here's the code of function please help me in this! Thanks.
--> full()
function is mysqli_real_escape_string(htmlspecialchar());
--> acunetix
is well application vulnerability tester.
function admin_check() {
global $users, $mysqli;
if(isset($_COOKIE['username'])){
$username = full($_COOKIE['username']);
$password = full($_COOKIE['password']);
$id = full($_COOKIE['id']);
if(is_numeric($id)){
$id = $id;
if($id < 0){
$id = (-1)*$id;
}
}
else {
$id = 10;
}
$query = "SELECT * FROM $users WHERE username = '{$username}' and password = '{$password}' and id = $id ";
$query_process = mysqli_query($mysqli, $query);
if(!$query_process){
die_message("There was some error checking admin login");
}
$check_rows = mysqli_num_rows($query_process);
if($check_rows != 1){
header("location: login.php");
}
while($rows = mysqli_fetch_assoc($query_process)){
$admin_role = $rows['admin_role'];
}
if($admin_role != 1){
header("location: logout.php");
}
}//end of first if
else {
header("location: login.php");
}
}// end of function
i guess one mistake can be because the script keeps on executing even after
header("location: login.php");
a possible way to remove it is by die() function. just add die() after every header redirect you are making.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.