can someone help me with this please?

tremendous

i would like to make a php page where the user (only one user ever) can edit two different text files which are on the server.
he will go to the page and type a username and password, and then the present contents of the files will be displayed in two big text fields.
he can then edit either or both, and click on submit, and then they will both be saved in a format which Flash can then load.
only problem is, i haven't got a clue where to start.
it will help of course that there will only ever be one username and password

any help appreciated!
thanks a lot
-bart

ir4z0r

rough structure in 1 file

<?PHP

  switch($_POST['action'])
  {
    case "edit": if ($_POST['passwd'] == "secret")
                 {
                   echo "<html> ... // display the form with the textboxes, read the files and fill them
                   // use a hidden form field named "action", value="save"
                 }
                 else echo "Pw incorrect";
                 break;
    case "save": // save the files, display "done"
                  break;
    default: echo "<html> ... // echo login form with password field
            // and hidden "action"-field, value="edit"
   }

?>

tremendous

if some random manages to find this page, and does view source, will he see the password? or is it fairly secure?

Blob

PHP is server-side, so you'd only see the html if you did view source. But they may be able to download it, you should always encrypt and keep passwords in a database.

I believe ir4z0r only showing an example. 😛

tremendous

😢 so complicated!

tremendous

ok i got it working (haven't attempted putting in the whole main editing page yet though) with the password in the php source - what's a really simple way to get the php page to check the entered password against a database? i can make databases easy, so that's not a problem
please make it easy to understand!!

Blob

Urgh.. Well if your database has ID, Username, Password (encrypt this when they register(turn it into some strange text like 012121211213012121/dfd) and NEVER decrypt it. To check it, you'd encrpyt the entered pass, and compare it - not decrypt the real pass. Encrypt with $password = md5($password); when they register - before adding it to the db)...

<html><head><title>LOG IN</title></head>
<body>
<form method="post" action="whatever.php">
<input type=text name=username>
<input type=text name=password>
</body>
</html>

<?php 
if(!($link_id = mysql_connect($Host, $User, $Pass))) die(mysql_erorr()); 
mysql_select_db($DB); 

//Log in part

$sql = "SELECT ID FROM " . $Table . " WHERE Name='" . addslashes($_POST['username']) . "' AND Password='" . md5($_POST['password']) . "' LIMIT 1"; 
if(!($result = mysql_query($sql))) die(mysql_error()); 

// If one row - info was correct, they logged in. so passwords matched.

if(mysql_num_rows($result) == 1) { 
// Set cookie saying user logged in | last for a day
    setcookie("LoggedIn, TRUE, time()+(3600 * 24));
} else { 
    echo "Login failed"; 
}

<?
// Members page
if(!isset($_COOKIE['LoggedIn'])) die("You are not logged in!");
// Put textbox stuff here

Sorry, I'm in a rush. I hope there wasn't any typos, try that.

ir4z0r

another way to have a secure password is a .htaccess file, info here:

http://javascriptkit.com/howto/htaccess10.shtml

(I really think there's no way to get the PHP source from outside the
server anyway)