
View Full Version : Single Password Protection.



m7d7g7
12-13-2003, 01:17 AM
Hi,
I looked around hotscripts, phpresource, and finally here and could not find a script that uses a single password to authorize someone to view a page. I only want to protect one page so I don't think sessions or cookies are necessary. Possibly have the password encrypted? Does anyone know of a script out there similar to this?

Thanks,
Mike

weronpc
12-13-2003, 05:31 PM
Ok, Session is one way.

An easier way is to use .htaccess

.htaccess comes from Apache, let me know what web server you are using

or go to apache.org and do some research on .htaccess

Nightfire
12-13-2003, 06:55 PM
http://blinded.org.uk/scripts/loginlite.php maybe?

m7d7g7
12-13-2003, 08:36 PM
Well, .htaccess isn't available, and the login lite script uses SQL; I need it in a flat file. I found a good tutorial on how to make one, but there is only one problem: I need a line of code to go at the top of the protected page so that it checks to make sure the person has logged in.


Simple PHP Password Guide

<html>
<head>
<title>Password Script </title>
</head>
<body>
<center>
<form name="form1" method="post" action="password.php">
<input name="username" type="text" id="username">
<p>Enter your First Name Please</p>
<input type="submit" name="Submit" value="Submit">
</form>
</center>
</body>
</html>

Save file as password.html

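<?php
// Read the submitted field explicitly; a bare $username only works with register_globals.
$username = isset($_POST['username']) ? $_POST['username'] : '';
if ($username == "pass")
{
Header ("Location: http://www.scienceandart.ca");
exit; // stop the script once the redirect header has been sent
}
else
{
print "I am sorry that is incorrect please go back and try again";
//Header ("Location: http://www.disney.com");
}
?>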

Save file as password.php (This file can not be viewed by user)


Could someone please modify the script so I can add the check at the top of the protected page? Also is it possible to change the "Location" so you don't have to type in the full address?

Thanks,
Mike

ReadMe.txt
12-13-2003, 09:36 PM
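<?php
// Show the login form until it has been submitted.
// isset() avoids an undefined-index notice on the first visit.
if (!isset($_POST['submit'])) {
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
<input type="password" name="pass" size="20" />
<input type="submit" name="submit" value="Login" />
</form>
</body>
</html>
<?php
// PHP_SELF is escaped above because it reflects the request path into the page.
} elseif ($_POST['pass'] != "pass") {
echo "Login failed!";
die();
} else {
?>
...page here...
<?php
}
?>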

m7d7g7
12-14-2003, 01:04 AM
:thumbsup:
Thanks ReadMe! That works awesome.. but you can view the password when you view the source. The one I posted above, when you try and view the source in the password.php.. you can't. Is there any way to hide the password in the script you wrote?

Thanks,
Mike

Nightfire
12-14-2003, 09:12 AM
Erm, you can't see the password when you view source. It's impossible to see php by view source.

SDP2006
12-14-2003, 02:20 PM
Originally posted by Nightfire
Erm, you can't see the password when you view source. It's impossible to see php by view source.

Yes, that's the beauty of PHP. It is very hard to rip your code.

raf
12-14-2003, 03:23 PM
Well, if someone manages to make the webserver fall over, then php files can be sent to the client without being parsed. In that case you'd be able to read the code and pwd.

You can avoid this by storing the pwd or the condition inside another php file that you include inside this page.
If the code is then sent unparsed, they only see the address of the file to include. It's still not impossible to then get the source of this included file, but there's only a slim chance of getting this before the server goes down.

so changing


} elseif ($_POST['pass'] != "pass") {
echo "Login failed!";
die();
} else {
?>
...page here...
<?php
}
?>


into


} else {
include ('./check.php');
?>
...page here...
<?php
}
?>


and then have a check.php page like



<?php
// check.php: without the opening tag above, this file would be output as plain text.
if ($_POST['pass'] != "pass") {
echo "Login failed!";
die();
}


is safer.
By the way, there is no need for the elseif - else since the script is terminated if the password is incorrect.

m7d7g7
12-14-2003, 03:35 PM
very good.. thanks for the updated code raf. I appreciate all of your help.

Mike

Nightfire
12-14-2003, 04:05 PM
Well, if someone manages to make the webserver fall over, then php files can be sent to the client without being parsed. In that case you'd be able to read the code and pwd.

You can avoid this by storing the pwd or the condition inside another php file that you include inside this page.


That'll make no difference though, they'd get the included url for the file and be able to read the php in that page also, if that was the case

raf
12-14-2003, 05:10 PM
Originally posted by Nightfire
That'll make no difference though, they'd get the included url for the file and be able to read the php in that page also, if that was the case

Why didn't you include the following sentence ?
That a non-parsed php file is sent to the client should be a very rare occurring event. (unless your webserver isn't configured to parse php's but I don't assume we're talking about that situation here) And a client should not be allowed to cause the webserver to fall over to get the include-file's code by taking some anti-DoS measures.

Besides, the include with the pwd in it could be placed outside the web server's document root which makes it inaccessible from the web.

Including pwd or other sensitive data inside your application's php files is considered a bad practice. At least that's what I've always read.

If you store them in a separate file above the web-root, then it will be much safer.
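
Added example, not part of the thread and not any poster's code: the include-above-the-web-root layout suggested in the last post, combined with the hashed password the original question asks about, so that neither file contains the password itself. The directory layout, the file name page_secret.php and the helper names load_hash and password_ok are assumptions.

```php
<?php
// protected.php -- added example, not code from the thread.
// Assumed layout (hypothetical paths):
//   /home/site/private/page_secret.php    <- outside the document root
//   /home/site/public_html/protected.php  <- this file
//
// page_secret.php contains only:
//   <?php return 'PASTE-HASH-HERE';
// where the hash is produced once on the command line with:
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), "\n";'

function load_hash(string $file): string
{
    // Fail closed: a missing or malformed secret file means nobody gets in.
    if (!is_readable($file)) { return ''; }
    $hash = require $file;
    return is_string($hash) ? $hash : '';
}

function password_ok(string $submitted, string $hash): bool
{
    // password_verify() re-hashes the input and compares in constant time;
    // it returns false for an empty or invalid hash such as the placeholder.
    return $hash !== '' && password_verify($submitted, $hash);
}

$hash      = load_hash(__DIR__ . '/../private/page_secret.php');
$submitted = isset($_POST['pass']) && is_string($_POST['pass']) ? $_POST['pass'] : null;

if ($submitted === null || !password_ok($submitted, $hash)) {
    if ($submitted !== null) {
        http_response_code(403);
        echo "<p>Login failed!</p>";
    }
    ?>
    <form action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="post">
      <input type="password" name="pass" size="20" />
      <input type="submit" name="submit" value="Login" />
    </form>
    <?php
    exit;
}
?>
...page here...
```

If the server ever returns this file unparsed, the reader sees only a relative path to a file the web server will not serve, and that file holds a hash rather than the password.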


