Posted

*all passwords in this post have been replaced with a "*"

 

I have been using a PHP script Byron gave me a while back (below) to password protect a directory. (original script @ http://byrondallas.heliohost.org/temp/password.txt)

<?php
session_start();
// maximum number of seconds user can remain idle without having to re-login (use a value of zero for no timeout):
$max_session_time = 30;
// type of alert to give on incorrect password. This can be a file name or email address:
$alert = "";

// acceptable passwords (there is no limit to the number):
$cmp_pass = array();
$cmp_pass[] = md5("*");
$cmp_pass[] = md5("*");

// maximum number of bad logins before user locked out (use a value of zero for no hammering protection):
$max_attempts = 3;

// end user definable variables

// save session expiry time for later comparison (empty on the first visit)
$session_expires = $_SESSION['mpass_session_expires'] ?? "";
// have to do this otherwise max_attempts is actually one less than what you specify.
$max_attempts++;
if(!empty($_POST['mpass_pass']))
{
    // store md5'ed password
    $_SESSION['mpass_pass'] = md5($_POST['mpass_pass']);
}
if(empty($_SESSION['mpass_attempts']))
{
    $_SESSION['mpass_attempts'] = 0;
}
// time() replaces the argument-less mktime(), which PHP 8 no longer accepts
$expired = ($max_session_time>0 && !empty($session_expires) && time()>$session_expires);
// if the session has expired, or the password is incorrect, show login page:
if($expired || empty($_SESSION['mpass_pass']) || !in_array($_SESSION['mpass_pass'],$cmp_pass))
{
    if(!empty($_POST['mpass_pass']) && !in_array($_SESSION['mpass_pass'],$cmp_pass))
    {
        // user has submitted incorrect password
        // count the failure even when no alert target is configured
        $_SESSION['mpass_attempts']++;
        if(!empty($alert))
        {
            // generate alert:
            $alert_str = $_SERVER['REMOTE_ADDR']." entered ".htmlspecialchars($_POST['mpass_pass'])." on page ".$_SERVER['PHP_SELF']." on ".date('l dS \of F Y h:i:s A')."\r\n";
            if(stristr($alert,"@")!==false)
            {
                // email alert
                @mail($alert,"Bad Login on ".$_SERVER['PHP_SELF'],$alert_str,"From: ".$alert);
            }
            else
            {
                // textfile alert
                $handle = @fopen($alert,'a');
                if($handle)
                {
                    fwrite($handle,$alert_str);
                    fclose($handle);
                }
            }
        }
    }
    // if hammering protection is enabled, lock user out if they've reached the maximum
    if($max_attempts>1 && $_SESSION['mpass_attempts']>=$max_attempts)
    {
        exit("Too many login failures.");
    }
    // on expiry, forget the stored password so a reload cannot skip the login form
    if($expired)
    {
        unset($_SESSION['mpass_pass']);
    }
    // clear session expiry time
    $_SESSION['mpass_session_expires'] = "";
?>
<html>
<head>
<title>Enter Password</title>
</head>
<body>
<form action="<?=htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)?>" method="post">
<h4>Password Protected</h4>
<input type="password" name="mpass_pass">
<input type="submit" value="login">
</form>
</body>
</html>
<?php
    // and exit
    exit();
}
// if they've got this far, they've entered the correct password:
// reset attempts
$_SESSION['mpass_attempts'] = 0;
// update session expiry time
$_SESSION['mpass_session_expires'] = time()+$max_session_time;
?>

and on my index page I have a list of links.

<ul>
<?php
if($_SESSION['mpass_pass'] = md5("*"))
{
echo "<li><a href='/Administrator'>Administrator Control Panel</a>";
}
?>
<li><a href="/Roundcube">Webmail access</a>
<li><a href="staffsites.php">StaffSites</a>
<li><a href="directory.php">Staff email directory</a>
<li><a href="customer-selection.php">Payments and invoicing</a>
</ul>

I want to log in using password "*" and have the "Administrator Control Panel" link appear in the list, and when I log in with any other password I don't want the "Administrator Control Panel" link to appear. I tried using the code in bold, but the link appears regardless of what password I use. What do I need to do/what code do I need to use to fix this issue?

Posted

Did you try == instead of = in the following:

<?php
if($_SESSION['mpass_pass'] == md5("*"))
{
    echo "<li><a href='/Administrator'>Administrator Control Panel</a>";
}
?>
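
Added example, not part of the thread: the sketch below shows why the `=` version always prints the link (and overwrites the hash stored in the session), next to a check built on `hash_equals()`. The sample passwords, the `$session` array and the `is_admin()` / `render_menu()` helpers are assumptions made for illustration.

```php
<?php
// Added illustration; not code from the thread.
// Constructed sample passwords stand in for the redacted "*" values.
$admin_hash = md5('sample-admin-pass');
$staff_hash = md5('sample-staff-pass');

// Constructed session state, as the login script leaves it after a staff login.
$session = ['mpass_pass' => $staff_hash];

// 1) The check from the question. "=" assigns, so the condition is the
//    non-empty hash string (always truthy) and the session is overwritten.
$buggy = $session;
$buggy_shows_link = false;
if ($buggy['mpass_pass'] = $admin_hash) {
    $buggy_shows_link = true;
}
$buggy_overwritten = ($buggy['mpass_pass'] === $admin_hash);

// 2) A comparison that leaves the session untouched. hash_equals() compares
//    the two strings exactly, with no loose-comparison type juggling.
function is_admin(array $session, string $admin_hash): bool
{
    $stored = $session['mpass_pass'] ?? '';
    return is_string($stored) && hash_equals($admin_hash, $stored);
}

// Hypothetical helper that builds the menu from the question.
function render_menu(array $session, string $admin_hash): string
{
    $items = [];
    if (is_admin($session, $admin_hash)) {
        $items[] = "<li><a href='/Administrator'>Administrator Control Panel</a></li>";
    }
    $items[] = '<li><a href="/Roundcube">Webmail access</a></li>';
    $items[] = '<li><a href="staffsites.php">StaffSites</a></li>';
    return "<ul>\n" . implode("\n", $items) . "\n</ul>\n";
}

echo "assignment shows link: ", var_export($buggy_shows_link, true), "\n";
echo "assignment overwrote session: ", var_export($buggy_overwritten, true), "\n";
echo "staff menu:\n", render_menu($session, $admin_hash);
echo "admin menu:\n", render_menu(['mpass_pass' => $admin_hash], $admin_hash);
```

Hiding the link only changes the menu; the /Administrator directory still needs its own check on every request.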
