Secure a .php

Anon

If I want to have a login.php
thang..
And you need to login in order
to get to a specific page.

I can do this..
However, if a person knows the
direct name of this as called
"secured php file".
Then he can just simply
go through my login page
and direct to that page.

What script shall I put on
my "secured" page in order to
let noone go around my login page?

/Chess

Anon

1) You may store pages in database, but it isn't the best way.
2) On your secure page you may add script which checks cookies set at login page and additionaly you may chceck $HTTP_REFERER.
3) Please read :
http://php.net/manual/features.http-auth.php

I think there are more ways but you'll work them out by yourself 🙂

Hamster.

Anon

you secure page, that loads after the form submission from login page can have structure like this:

if ($submit) {
if ($REQUEST_METHOD == 'POST') {
// do your stuff here
}
else {
echo 'sorry, Illegeal request';
}
else {
echo 'sorry, cant call this script directly!';
}

above will make sure that the page is only called with POST method, and that is only possible with login form. and if its called directly it will give error message too.

Anon

Why not use the refer thing... if a page is called from another page a $HTTP_REFERER variable is set with that page's refering address. so if a page is called from a typed link this var is empty. use something like this ...

if (!$HTTP_REFERER)
{
echo "you can't access message or redirect here";

exit;
}

you can add to this and parse the refer so the page can only be called from you site.

// this parse's into the following: $url["scheme"], $url["host"], $url["path"]
$url = parse_url($HTTP_REFERER);

//$url["host"] could be in uppercase so.. new var to lower
$check=strtolower($url["host"]);

if ($check!='yoursite.com')
{
echo "you can't access message or redirect here";

exit;
}

experiment with this...

Anon

I use the following as an include in every page of a site (this requires php4 and a user_tbl with id, login_name, and password fields). You could also add crypting to the password to secure it.

-- begin snip ---
<?php
/
File: auth.inc.php
Description: prompts user for http authentication and checks
input against MySQL

/

$auth="false";
session_start();
while ($auth=="false")
{
if (!isset($PHP_AUTH_USER))
{
// If empty, send header causing dialog box to appear
header('WWW-Authenticate: Basic realm="Secure Area"');
header('HTTP/1.0 401 Unauthorized');
echo 'Authorization Required.';
exit;
} else {
$server = "localhost";
$database = "dbname";
$dbuser = "dbuser";
$dbpassword = "password";
$conn=mysql_connect($server, $dbuser, $dbpassword);
mysql_select_db($database);
$password=$PHP_AUTH_PW;
// Formulate the query
$sql = "SELECT
FROM user_tbl
WHERE
login_name = '$PHP_AUTH_USER' AND
password = '$password'";
// Execute the query and put results in $result
$result = mysql_query( $sql );
// Get number of rows in $result.
$num = mysql_numrows( $result );
if ( $num != 0 )
{
/ echo "<P>You have entered this username: $PHP_AUTH_USER<br>
You have entered this password: $PHP_AUTH_PW<br>"; */
$auth="true";
$login_name=$PHP_AUTH_USER;
session_register(auth);
session_register(login_name);
} else {
// if we don't unset the $PHP_AUTH_USER variable we will while loop forever
unset ($PHP_AUTH_USER);
}
}
}

-- end snip ---

Brian Snipes

Chess wrote:

If I want to have a login.php
thang..
And you need to login in order
to get to a specific page.

I can do this..
However, if a person knows the
direct name of this as called
"secured php file".
Then he can just simply
go through my login page
and direct to that page.

What script shall I put on
my "secured" page in order to
let noone go around my login page?

/Chess