Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 12 of 12
  1. #1
    New Coder
    Join Date
    Oct 2002
    Posts
    53
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Question Single Password Protection.

    Hi,
    I looked around hotscripts, phpresource, and finally here and could not find a script that uses a single password to authorize someone to view a page. I only want to protect one page so i dont think sessions or cookies are necessary. Possibly have the password encrypted? Does anyone know of a script out there similar to this?

    Thanks,
    Mike

  • #2
    Regular Coder
    Join Date
    Apr 2003
    Location
    Canada, Ontario, Mississauga
    Posts
    312
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Ok, Session is one way.

    An easier way is to use .htaccess

    .htacccess comes from Apache, let me know what web server are you using

    or go to apache.org and do some research on .htaccess

  • #3
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts

  • #4
    New Coder
    Join Date
    Oct 2002
    Posts
    53
    Thanks
    0
    Thanked 0 Times in 0 Posts
    well, .htaccess isn't available, and the login lite script uses SQL, i need it in a flat file. I found a good tutorial on how to make one, but there is only one problem.. i need a line of code to go at the top of the protected page so that it checks to make sure the person has logged in.

    Code:
    Simple PHP Password Guide
    
    <html>
    <head>
    <title>Password Script </title>
    </head>
    <body>
    <center>
    <form name="form1" method="post" action="password.php">
    <input name="username" type="text" id="username">
    <p>Enter your First Name Please<p>    
    <input type="submit" name="Submit" value="Submit"> isn’t 
    </form>
    </center>
    </body>
    </html>
    
    Save file as password.html
    
    <?php 
    if ($username == "pass")
    {
    Header ("Location: http://www.scienceandart.ca");
    }
    else
    {
    print "I am sorry that is incorrect please go back and try again"; 
    //Header ("Location: http://www.disney.com"); 
    } 
    ?>
    
    Save file as password.php  (This file can not be viewed by user)
    Could someone please modify the script so I can add the check at the top of the protected page? Also is it possable to change the "Location" so you dont have to type in the full address?

    Thanks,
    Mike

  • #5
    Regular Coder
    Join Date
    Jun 2002
    Location
    Sheffield, UK
    Posts
    552
    Thanks
    0
    Thanked 0 Times in 0 Posts
    <?
    if(!$_POST['submit']) {
    ?>
    <html>
    <head>
    <title>Login</title>
    </head>
    <body>
    <form action="<?=$_SERVER['PHP_SELF']?>" method="post">
    <input type="password" name="pass" size="20" />
    <input type="submit" name="submit" value="Login" />
    </form>
    </body>
    </html>
    <?
    } elseif ($_POST['pass'] != "pass") {
    echo "Login failed!";
    die();
    } else {
    ?>
    ...page here...
    <?
    }
    ?>
    "To be successful in IT you don't need to know everything - just where to find it in under 30 seconds"

    (Me Me Me Me Me Me Me Me Me)

  • #6
    New Coder
    Join Date
    Oct 2002
    Posts
    53
    Thanks
    0
    Thanked 0 Times in 0 Posts

    thanks ReadMe! that works awesome.. but you can view the password when you view the source. The one i posted above, when you try and view the source in the password.php.. you cant. Is there any way to hide the password in the script you wrote?

    Thanks,
    Mike

  • #7
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    Erm, you can't see the password when you view source. It's impossible to see php by view source.

  • #8
    Regular Coder
    Join Date
    May 2003
    Location
    34° 54' N 82° 13' W
    Posts
    996
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Originally posted by Nightfire
    Erm, you can't see the password when you view source. It's impossible to see php by view source.
    Yes, thats the beauty of PHP. It is very hard to rip your code.
    Stevie Peele
    Neverside IRC Network - irc.veonex.net | tc.tutorialnetwork.org
    #dev - any programming,etc. question
    #design - design discussion and critque
    #central - general chat
    Come join us!

  • #9
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Well, if someone manages to make the webserve fall over, then php files can be sent to the client without being parsed. In that case you'de be able to read the code and pwd.

    you can avoid this by storing the pwd or the condition inside another php file that you include inside this page.
    if the code is then sent unparsed, they only see the adress of the file to include. it's still not impossible to then get the source of this included file, but there's only a slim chance for geting this before the server goes down.

    so changing
    PHP Code:
    } elseif ($_POST['pass'] != "pass") {
    echo "Login failed!";
    die();
    } else {
    ?>
    ...page here...
    <?
    }
    ?>
    into
    PHP Code:
    } else {
        include ('./check.php');
    ?>
    ...page here...
    <?
    }
    ?>
    and then have a check.php page like

    PHP Code:
    if ($_POST['pass'] != "pass") {
       echo 
    "Login failed!";
       die();

    is safer.
    By the way, there is no need for the elseif - else since the script is terminated if the password is incorrect.

  • #10
    New Coder
    Join Date
    Oct 2002
    Posts
    53
    Thanks
    0
    Thanked 0 Times in 0 Posts
    very good.. thanks for the updated code raf. I appreciate all of your help.

    Mike

  • #11
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    Well, if someone manages to make the webserve fall over, then php files can be sent to the client without being parsed. In that case you'de be able to read the code and pwd.

    you can avoid this by storing the pwd or the condition inside another php file that you include inside this page.
    That'll make no difference though, they'd get the included url for the file and be able to read the php in that page also, if that was the case

  • #12
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Originally posted by Nightfire
    That'll make no difference though, they'd get the included url for the file and be able to read the php in that page also, if that was the case
    Why didn't you include the following sentence ?
    That a non-parsed php file is sent to the client should be a very rare occuring event. (unless you' webserver isn't configured to parse php's but i don't assume were talking about that situation here) And a client should not be allowed to cause the webserver to fall over to get the include-file's code by taking some anti-DoS measures.

    Besides, the include with the pwd in it could be placed outside the web servers document root which makes it inaccesible from the web.

    Including pwd or other sensitive data inside your applications php files is concidered a bad practice. At least that's what i've always read.

    If you store them in a seperate file above the web-root, then it will be much safer.
    Last edited by raf; 12-14-2003 at 06:12 PM.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •