<?
/*
File: admin.php
Belongs to Script Name: Burning Auth V 1.0
Author: Luca Vignaroli
Email: luca@burning.it
Description:
Burning Auth is a script to handle user authenticated access to php scripts.
The goal is quite simple: protect from unauthorized access those pages who
need to be kept under admin control, such as data/content administration and/or
members only areas on a website.
Security is achieved through a database authentication and mantained with a
Session variable set to the authenticated user's name. Every page can be protected
including the file 'shield.php'; at the beginning of it.
Check out the file README for installation instructions. This script is freeware.
*/
include ("shield.php");
?>
<center>
<?
// EDIT USER
if (($_REQUEST['mode'] == "edit") && ($_REQUEST['uid'] != "") && ($_REQUEST['act'] != "submit")) {
$sql = "SELECT * FROM USERS WHERE ID=" . $_REQUEST['uid'];
$conn = mysql_connect($burn->HOST, $burn->DBUSERNAME, $burn->DBPASSWORD);
$dbsel = mysql_select_db($burn->DBNAME, $conn);
$rs = mysql_query($sql);
$row = mysql_fetch_array($rs);
echo "<form method=post action='admin.php?mode=edit&uid=" . $row['ID'] . "&act=submit'>";
echo "<table border=0 cellpadding=0 cellspacing=0 width=200>";
echo "<tr><td align=right>Username:</td><td align=left><input type=text name='user' value='" . $row['USERNAME'] . "' style='width : 100px;'></td></tr>";
echo "<tr><td align=right>Password:</td><td align=left><input type=text name='pass' value='" . $row['PASSWORD'] . "' style='width : 100px;'></td></tr>";
echo "<tr><td align=right>$errormsg</td><td align=left><input type=submit name='save' value='save'></td></tr>";
echo "</table>";
mysql_free_result($rs);
mysql_close($conn);
}
elseif (($_REQUEST['mode'] == "edit") && ($_REQUEST['act'] == "submit") && ($_REQUEST['uid'] == "1") && (strtolower($_REQUEST['user']) != "admin")) {
Echo "You can only change the password for the user ADMIN!";
}
elseif (($_REQUEST['mode'] == "edit") && ($_REQUEST['act'] == "submit")) {
$sql = "UPDATE USERS SET USERNAME='" . $_REQUEST['user'] . "', PASSWORD='" . $_REQUEST['pass'] ."' WHERE ID=" . $_REQUEST['uid'];
$conn = mysql_connect($burn->HOST, $burn->DBUSERNAME, $burn->DBPASSWORD);
$dbsel = mysql_select_db($burn->DBNAME, $conn);
$query = mysql_query($sql) or die ("Error updating database!");
mysql_close($conn);
Echo "<font color=green>New data Saved!</font>";
}
else {
}
//INSERT USER
if (($_REQUEST['mode'] == "new") && ($_REQUEST['act'] == "submit") && (strtolower($_REQUEST['user']) != "admin") && ($_REQUEST['user'] != "")) {
$sql = "INSERT INTO USERS (USERNAME, PASSWORD, LASTTIMEHERE) VALUES ('" . $_REQUEST['user'] . "','" . $_REQUEST['pass'] ."', NOW())";
$conn = mysql_connect($burn->HOST, $burn->DBUSERNAME, $burn->DBPASSWORD);
$dbsel = mysql_select_db($burn->DBNAME, $conn);
$insert = mysql_query($sql) or die ("Error creating user!");
mysql_close($conn);
Echo "<font color=green>New user Saved!</font>";
}
elseif (($_REQUEST['mode'] == "new") && ($_REQUEST['act'] == "submit") && (strtolower($_REQUEST['user']) == "admin")) {
Echo "<font color=red>Cannot create user ADMIN!</font>";
}
elseif (($_REQUEST['mode'] == "new") && ($_REQUEST['act'] != "submit")) {
echo "<hr><b>Insert New User:</b><hr>";
echo "<form method=post action='admin.php?mode=new&act=submit'>";
echo "<table border=0 cellpadding=0 cellspacing=0 width=200>";
echo "<tr><td align=right>Username:</td><td align=left><input type=text name='user' style='width : 100px;'></td></tr>";
echo "<tr><td align=right>Password:</td><td align=left><input type=text name='pass' style='width : 100px;'></td></tr>";
echo "<tr><td align=right>$errormsg</td><td align=left><input type=submit name='insert' value='insert'></td></tr>";
echo "</table>";
}
elseif (($_REQUEST['mode'] == "new") && ($_REQUEST['act'] == "submit") && ($_REQUEST['user'] == "")) {
echo "<font color=red>Error, username field must NOT be empty!</font>";
}
//DELETE USER
if (($_REQUEST['mode'] == "del") && ($_REQUEST['act'] == "submit") && ($_REQUEST['uid'] == "1")) {
echo "<font color=red>Cannot delete USER ADMIN!</font>";
}
elseif (($_REQUEST['mode'] == "del") && ($_REQUEST['act'] == "submit")) {
$sql = "DELETE FROM USERS WHERE ID=" . $_REQUEST['uid'] . " LIMIT 1";
$conn = mysql_connect($burn->HOST, $burn->DBUSERNAME, $burn->DBPASSWORD);
$dbsel = mysql_select_db($burn->DBNAME, $conn);
$delete = mysql_query($sql) or die ("Error deleting user!: $sql");
mysql_close($conn);
Echo "<font color=green>User deleted as requested!</font>";
}
elseif (($_REQUEST['mode'] == "del") && ($_REQUEST['act'] != "submit")) {
echo "<hr><b>Confirm deletion of user:</b><hr>";
echo "<form method=post action='admin.php?mode=del&uid=" . $_REQUEST['uid'] . "&act=submit'>";
echo "<input type=submit name='delete' value='Yes'></form>";
echo "<form method=post action='admin.php'>";
echo "<input type=submit name='void' value='No'></form>";
}
$burn->listusers();
?>
</center>
|