Checking The Caller

eggmanblue

I'm a complete newbie. This is what I want to do. I've got a password protected members only site that I want to add a link to a bulletin board to. To only allow members that are logged into my site to access the board, I wanted to check the page of the calling script. If it is my members only area, then I would allow access, otherwise I would deny. I looked at using http_referer but am reading that it is unreliable.

Can someone throw me a code fragment or point me in the right direction? Many thanks.

hermand

Create a login script, which uses cookies. If the username password combo is wrong, it shows a form if its correct it does nothing so

if($correct){
//Do nada
}else{
//Show form
exit;
}
?>

then you include that to every page you want protecting. If the user isn't a member/isn't logged in, they get the form. If they're logged in, they get the page.
Yeah?

hermand

I had some code on here, somewhere. I'll fish it out.

hermand

Uses MySQL - you should get the idea:


<?php
//Created by Daniel Herman

//=========
//=MYSQL Details=
//=========

// The location of your Database - usually localhost
$dbServer = "localhost";

// The database username
$dbUserName = "hermand";

// The database password
$dbPassword = "";

// The database name
$dbDatabase = "hermand";

// Connect to the database.

$db = mysql_connect($dbServer, $dbUserName, $dbPassword) or die(mysql_error());
mysql_select_db($dbDatabase, $db) or die(mysql_error());

//Define variables from the submitted form (If the form hasn't been submitted, these will be blank)

$pword = $HTTP_POST_VARS['pword'];
$uname = $HTTP_POST_VARS['uname'];

//Md5 the password, encryption method - delete this line if you dont want encryption

$pword = md5($pword);

// If the username hasn't been defined, get it from the cookie

if(!$uname){
 $uname = $HTTP_COOKIE_VARS['login_uname'];
 $pword = $HTTP_COOKIE_VARS['login_pword'];
}else {

// Othewise (Ie if the form was submitted) add the cookie and create an error message

$error = "Could not verify password / username";
$ses_uname = $uname ;
$ses_pword = $pword;
setcookie ("login_uname", $ses_uname,time()+(3600*168));
setcookie ("login_pword", $ses_pword,time()+(3600*168));
}

// Run the query

$query = "SELECT * FROM members where uname = '$uname' 
and pword = '$pword' ";
$result = mysql_query($query, $db) or die(mysql_error());
$numRows = mysql_num_rows($result);
for ($count = 0; $count < $numRows; $count++) {
  $resultArray = mysql_fetch_array($result);
$cuname = $resultArray["uname"];
$cpword = $resultArray["pword"];
}

if (!$cuname){

$url = $REQUEST_URI;

?>

<form method=POST action="<?php echo $url; ?>">
<br>
<b>Please Login:</b><br>   

<input name="form_action" type="hidden" value="<?php echo $action; ?>">
   <br>
   <table>
  <tr>
    <td>Username:</td><td class="shownews"><input name="uname" type="text" size="20" tabindex="1"></td>
    </tr>
  <tr>
    <td>Password:</td><td class="shownews"><input name="pword" type="password" size="20" tabindex="2"></td>

  </tr>
    <tr>
  <td></td><td><input type="submit" name="submit" value="Log In" tabindex="4"> <input type="reset" name="reset" value="Clear Form" tabindex="5"></td></tr>

<tr>
<td colspan="2"><b><?php echo $error ?></b></td></tr>


</table>
</form>

<?php

//Exit the file, so that the passworded page isn't displayed
exit;
}else{
echo " ";
}
?>