CSI: PHP

"Looking at your tweets I cannot even fathom what your job is. CSI:PHP?" — @grmpyprogrammer

Your Admin Password Is Editsally


I’m not sure if this is what the original developer sent to the client once the app was finished, but I think I’m probably pretty close.

Hey Sally,

I got that application put together for you. You’re the application administrator, of course. You don’t need a username, and your password is ‘editsally’. Since the app’s users are easily confused, we’ll just let them all use the same password, ‘companyuser’.

Best Regards,

Web Developer

And just how was this genius security plan implemented?

```php
<?php
@session_start();

if (isset($_SESSION['pass'])) {

} else {
    // Two hard-coded, plaintext passwords shared by everyone; no usernames at all.
    if($_POST['pass'] == 'editsally') {
        $_SESSION['pass'] = 'editsally';
    } elseif($_POST['pass'] == 'companyuser') {
        $_SESSION['pass'] = 'companyuser';
    } else {
        // Reads a key that was just shown not to exist, then stores the resulting null.
        $_SESSION['pass'] = $_SESSION['pass'];
    }
}

// . . . snip 150 lines of HTML and JavaScript . . .

if (isset($_SESSION['pass'])) {
    // "Secure" portion of page:
    // 160 terrifying lines of HTML, JavaScript, and PHP.
} else {
    echo('<form action="index.php" method="POST">Enter Password:<input type="password" name="pass"><input type="submit" value="Login"></form>');
}
```
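For contrast, here is the same login rewritten the way it should have been done: per-user accounts, hashed passwords, and a fresh session id on login. This is an added example, not the original developer's code; the `$users` array is constructed sample data standing in for a database table, and the user and passphrase values are made up.

```php
<?php
// Added example, not code from the post above: the same login with per-user
// accounts, password_hash()/password_verify(), and session fixation defence.
declare(strict_types=1);

session_start();

// Hypothetical user store: username => password_hash() output. The hashes are
// generated here only so the example runs stand-alone; in practice they live
// in a database and are created once, at registration.
$users = [
    'sally' => password_hash('a-long-random-passphrase', PASSWORD_DEFAULT),
    'bob'   => password_hash('another-unique-passphrase', PASSWORD_DEFAULT),
];
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

function attemptLogin(array $users, string $dummyHash, string $username, string $password): bool
{
    // Always run password_verify(), even for unknown users, so response time
    // does not reveal which usernames exist.
    $hash = $users[$username] ?? $dummyHash;
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return false;
    }
    // New session id at the moment privileges change: defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['is_admin'] = ($username === 'sally'); // a role, not a shared password
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $u = (string)($_POST['user'] ?? '');
    $p = (string)($_POST['pass'] ?? '');
    if (!attemptLogin($users, $dummyHash, $u, $p)) {
        // Failed attempts are logged (never the password) so brute forcing is visible.
        error_log("failed login for user '$u' from {$_SERVER['REMOTE_ADDR']}");
    }
}

if (isset($_SESSION['user'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
} else {
    echo '<form action="index.php" method="POST">'
       . 'User: <input type="text" name="user"> '
       . 'Password: <input type="password" name="pass"> '
       . '<input type="submit" value="Login"></form>';
}
```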
