  1. PHP/MYSQL Security Questions (Online Order Form, Admin Portal)
  2. <form method="post" action="admin/login.php">
  3. <table align="center">
  4. <tr><th>Admin Login Form</th></tr>
  5. <tr><td>Name</td><td><input type="text" name="Name" size="30" onKeyPress="return aJSFunctionToStopEnterKeyFromWorking(event)"></td></tr>
  6. <tr><td>Password</td><td><input type="password" name="Password" size="30" onKeyPress="return aJSFunctionToStopEnterKeyFromWorking(event)"></td></tr>
  7. <tr><td></td><td><input type="reset" value="Clear Form"> <input type="submit" value="Login"></td></tr>
  8. </table>
  9. </form>
  10.  
  11. <?php
  12. $inputusername = $_POST['Name'];
  13. $inputpassword = $_POST['Password'];
  14.  
  15. $username = "a username that is not obvious";
  16. $password = "a password that is at least 10 characters long";
  17.  
  18. if($username == $inputusername && $password == $inputpassword) {
  19. session_start();
  20. $_SESSION['valid'] = TRUE;
  21. $_SESSION['IP'] = $_SERVER["REMOTE_ADDR"];
  22. $_SESSION['agent'] = $_SERVER['HTTP_USER_AGENT'];
  23. header('Location: portal.php');
  24. exit;
  25. }
  26. else {echo "<center>Invalid username or password<br><a href='../admin.html'>Try Again</a></center>"; exit;}
  27. ?>
  28.  
  29. <?php
  30. session_start();
  31. if(!$_SESSION['valid']) {header('Location: ../admin.html'); exit;}
  32. if($_SESSION['IP'] != $_SERVER["REMOTE_ADDR"]) {header('Location: ../admin.html'); exit;}
  33. if($_SESSION['agent'] != $_SERVER['HTTP_USER_AGENT']) {header('Location: ../admin.html'); exit;}
  34. ?>
  35.  
  36. <?php include('session-authentication-script.php'); ?>
  37. *Actual page goes here*
  38.  
  39. <?php
  40. include('session-authentication-script.php');
  41. $_SESSION['valid'] = FALSE;
  42. session_destroy();
  43. header('Location: ../admin.html');
  44. exit;
  45. ?>
  46.  
  47. <form name="Order" method="post" action="incl/email_Order.php">
  48. <table>
  49. <tr><td>Name</td><td><input type="text" name="Name" size="30" onKeyPress="return aJSFunctionToStopEnterKeyFromWorking(event)" ></td></tr>
  50.  
  51. *gather up a bunch more form data in the same fashion*
  52.  
  53. <tr><td></td><td><input type="reset" value="Clear Form"> <input type="submit" value="Submit Order" ></td></tr></table>
  54.  
  55. $to = "sales@company.com";
  56. $subject = "Online Order";
  57. $message = "Name: " . $_REQUEST['Name'] . "rn" .
  58.  
  59. *and here is a bunch of other stuff being concatenated to $message in the same fashion*
  60.  
  61. $headers = 'From: sales@company.com' . "rn" .
  62. 'Reply-To: ' . $_REQUEST['Email'] . "rn";
  63.  
  64. if(mail($to, $subject, $message, $headers)) {print "Thank you for your order!";}
  65. else {print "We encountered an error sending your order. Please attempt again.";}
  66. exit;
  67.  
// VULNERABLE — reflected XSS: $_GET['id'] is written into the HTML response
// unvalidated and unescaped, so whatever a visitor (or a link they were sent)
// puts in ?id= becomes markup on the page. Kept as the "before" example; the
// filter_input() version further down is the fix.
echo "Requested article: ".$_GET['id'];
  69.  
// Example payload: a value like this supplied as ?id=... would be echoed by
// the vulnerable line above, making the victim's browser fetch and run a
// script from the attacker's server in the context of this site (page
// content, and the session cookie unless it is HttpOnly, are then exposed).
'<script src="bad_script_from_bad_server.js"></script>'
  71.  
  72. echo "Requested article: ".filter_input ( INPUT_GET, 'id', FILTER_VALIDATE_INT);
  73.  
  74. if(!isset($_POST['nonce']) || !isset($_SESSION['nonce']) || $_POST['nonce'] != $_SESSION['nonce']) {
  75. // Invalid POST
  76. }