Hi all,

I'm using the script phpSecurePages to protect the extranet pages of our site.
The fact is: Users need to access the extranet in two ways:
- Directly from another protected site
- Logging through a login screen (the phpSecurePage script).

If the user accesses from the login screen, as soon as the protected page is called, the login screen is displayed and he must enter the login details. The login page is not the Windows one, but a PHP page with a form. If the data are correct, then the page called is displayed. (no probs here, as the script works really well...)

If the user accesses the extranet directly from the other protected site, some values must be passed through when clicking the link in order to access the right page.

The script that protects the page is at the top of the page and is:

<?PHP
$requiredUserLevel = array(4);
$cfgProgDir = 'phpSecurePages/';
include($cfgProgDir . "secure.php");
?>

This one calls the page secure.php that contains the configuration data, and from that file checklogin.php is invoked, from which the login screen (interface.php) is displayed. Here's the page checklogin.php:

<?PHP
// loading functions and libraries
function random($max) {
    // create random number between 0 and $max
    srand( (double)microtime() * 1000000 );
    $r = round(rand(0, $max));
    if ($r != 0) $r = $r - 1;
    return $r;
}

function rotateBg() {
    // rotate background login interface
    global $backgrounds, $bgImage, $i;
    $c = count($backgrounds);
    if ($c == 0) return;
    $r = random($c);
    if ($backgrounds[$r] == '' && $i < 10) {
        // empty slot picked: try again, at most 10 times
        $i++;
        rotateBg();
    } elseif ($i >= 10) {
        // gave up: fall back to the default image unless one is already set
        if (!$bgImage || $bgImage == '') {
            $bgImage = 'bg_lock.gif';
        }
    } else {
        $bgImage = $backgrounds[$r];
    }
    return $bgImage;
}

function in_array_php3($needle, $haystack) {
    // check if the value of $needle exists in array $haystack
    // works for both php3 and php4
    if ($needle && $haystack) {
        if (phpversion() >= 4) {
            // phpversion = 4
            return(in_array($needle, $haystack));
        } else {
            // phpversion = 3
            // indices run from 0 to count-1, so the bound is < and not <=
            for ($i = 0; $i < count($haystack); $i++) {
                if ($haystack[$i] == $needle) {
                    return(true);
                }
            }
            return(false);
        }
    } else return(false);
}

if ($noDetailedMessages == true) {
    $strUserNotExist = $strUserNotAllowed = $strPwNotFound = $strPwFalse = $strNoPassword = $strNoAccess;
}
if ($bgRotate == true) {
    $i = 0;
    $bgImage = rotateBg();
}

// Check if secure.php has been loaded correctly
// (and refuse a cfgProgDir supplied by the request, which would redirect the includes)
if ( !defined("LOADED_PROPERLY") || $HTTP_GET_VARS['cfgProgDir'] || $HTTP_POST_VARS['cfgProgDir']) {
    echo "Parsing of phpSecurePages has been halted!";
    exit();
}

// make post variables global
$entered_login = $HTTP_POST_VARS['entered_login'];
$entered_password = $HTTP_POST_VARS['entered_password'];

// check if login is necessary
if (!$entered_login && !$entered_password) {
    // use data from session
    if (phpversion() >= 4) {
        // phpversion = 4
        session_start();
        // session hack to make sessions on old php4 versions work
        if (phpversion() > 4.0) {
            $login = $HTTP_SESSION_VARS['login'];
            $password = $HTTP_SESSION_VARS['password'];
        }
    } else {
        // phpversion = 3
        session_start_php3();
    }
} else {
    // use entered data
    if (phpversion() >= 4) {
        // phpversion = 4
        session_start();
        session_unregister("login");
        session_unregister("password");

        // encrypt entered login & password
        $login = $entered_login;
        if ($passwordEncryptedWithMD5 && function_exists('md5')) {
            $password = md5($entered_password);
        } else {
            $password = $entered_password;
        }
        // session hack to make sessions on old php4 versions work
        if (phpversion() > 4.0) {
            $HTTP_SESSION_VARS['login'] = $login;
            $HTTP_SESSION_VARS['password'] = $password;
        } else {
            session_register("login");
            session_register("password");
        }
    } else {
        // phpversion = 3
        session_destroy_php3();
        session_start_php3();

        // encrypt entered login & password
        $login = $entered_login;
        if ($passwordEncryptedWithMD5 && function_exists('md5')) {
            $password = md5($entered_password);
        } else {
            $password = $entered_password;
        }
        session_register_php3("login", "STRING", $login);
        session_register_php3("password", "STRING", $password);
    }
}

if (!$login) {
    // no login available
    include($cfgProgDir . "interface.php");
    exit;
}
if (!$password) {
    // no password available
    $message = $strNoPassword;
    include($cfgProgDir . "interface.php");
    exit;
}

// use phpSecurePages with Database
if ($useDatabase == true) {
    // contact database
    if ( empty($cfgServerPort) ) {
        mysql_connect($cfgServerHost, $cfgServerUser, $cfgServerPassword)
            or die($strNoConnection);
    } else {
        mysql_connect($cfgServerHost . ":" . $cfgServerPort, $cfgServerUser, $cfgServerPassword)
            or die($strNoConnection);
    }
    // mysql() is the old alias of mysql_db_query(); note that $login is
    // interpolated into the query string without any escaping
    $userQuery = mysql($cfgDbDatabase, "SELECT * FROM $cfgDbTableUsers WHERE $cfgDbLoginfield = '$login'")
        or die($strNoDatabase);

    // check user and password
    if (mysql_num_rows($userQuery) != 0) {
        // user exists --> continue
        $userArray = mysql_fetch_array($userQuery);

        if ($login != $userArray[$cfgDbLoginfield]) {
            // case-sensitive user not present in database
            $message = $strUserNotExist;
            // include($cfgProgDir . "logout.php");
            include($cfgProgDir . "interface.php");
            exit;
        }
    } else {
        // user not present in database
        $message = $strUserNotExist;
        // include($cfgProgDir . "logout.php");
        include($cfgProgDir . "interface.php");
        exit;
    }
    if (!$userArray[$cfgDbPasswordfield]) {
        // password not present in database for this user
        $message = $strPwNotFound;
        include($cfgProgDir . "interface.php");
        exit;
    }
    if (stripslashes($userArray["$cfgDbPasswordfield"]) != $password) {
        // password is wrong
        $message = $strPwFalse;
        // include($cfgProgDir . "logout.php");
        include($cfgProgDir . "interface.php");
        exit;
    }
    if ( isset($userArray["$cfgDbUserLevelfield"]) && !empty($cfgDbUserLevelfield) ) {
        $userLevel = stripslashes($userArray["$cfgDbUserLevelfield"]);
    }
    if ( ( $requiredUserLevel && !empty($requiredUserLevel[0]) ) || $minUserLevel ) {
        // check for required user level and minimum user level
        if ( !isset($userArray["$cfgDbUserLevelfield"]) ) {
            // check if column (as entered in the configuration file) exists in database
            $message = $strNoUserLevelColumn;
            include($cfgProgDir . "interface.php");
            exit;
        }
        if ( empty($cfgDbUserLevelfield) || ( !in_array_php3($userLevel, $requiredUserLevel) && ( !isset($minUserLevel) || empty($minUserLevel) || $userLevel < $minUserLevel ) ) ) {
            // this user does not have the required user level
            $message = $strUserNotAllowed;
            include($cfgProgDir . "interface.php");
            exit;
        }
    }
    if ( isset($userArray["$cfgDbUserIDfield"]) && !empty($cfgDbUserIDfield) ) {
        $ID = stripslashes($userArray["$cfgDbUserIDfield"]);
    }
}

// use phpSecurePages with Data
elseif ($useData == true && $useDatabase != true) {
    $numLogin = count($cfgLogin);
    $userFound = false;
    // check all the data input ($cfgLogin etc. are 1-based in the config file)
    for ($i = 1; $i <= $numLogin; $i++) {
        if ($cfgLogin[$i] != '' && $cfgLogin[$i] == $login) {
            // user found --> check password
            if ($cfgPassword[$i] == '' || $cfgPassword[$i] != $password) {
                // password is wrong
                $message = $strPwFalse;
                include($cfgProgDir . "logout.php");
                include($cfgProgDir . "interface.php");
                exit;
            }
            $userFound = true;
            $userNr = $i;
        }
    }
    if ($userFound == false) {
        // user is wrong
        $message = $strUserNotExist;
        include($cfgProgDir . "logout.php");
        include($cfgProgDir . "interface.php");
        exit;
    }
    $userLevel = $cfgUserLevel[$userNr];
    if ( ( $requiredUserLevel && !empty($requiredUserLevel[0]) ) || $minUserLevel ) {
        // check for required user level and minimum user level
        if ( !in_array_php3($userLevel, $requiredUserLevel) && ( !isset($minUserLevel) || empty($minUserLevel) || $userLevel < $minUserLevel ) ) {
            // this user does not have the required user level
            $message = $strUserNotAllowed;
            include($cfgProgDir . "interface.php");
            exit;
        }
    }
    $ID = $cfgUserID[$userNr];
}

// neither of the two data inputs was chosen
else {
    $message = $strNoDataMethod;
    include($cfgProgDir . "interface.php");
    exit;
}

// restore values
if ($dbOld) $db = $dbOld;
if ($messageOld) $message = $messageOld;
?>

In my opinion, to pass the variables that come from a link (which will be something like http://www.thesite.com/extranet/index145.php?login=xxxxx&password=xxxxxx) I should add some lines of code to this part of the above script:

if (!$login) {
    // no login available
    include($cfgProgDir . "interface.php");
    exit;
}
if (!$password) {
    // no password available
    $message = $strNoPassword;
    include($cfgProgDir . "interface.php");
    exit;
}

But how? Please, ask me for more info if not clear.... Thanks a lot for the angel that will help me... I don't ask you to write my code, but give me a hint to do it...

    You could make this a form button and submit the values that way. You could also use JavaScript to have a link submit the form.

      Thanks MistryMaster,
      Yes, submitting as a form should be OK, but the problem is how the whole script works... I'll try to explain:

      • You click the link to the index.php of the extranet.
      • The site you are clicking from attaches two variables to sign in to the extranet (depending on the variables, different pages will be displayed).
      • The protected index page invokes a configuration file in PHP (no changes needed on this one, as it is only for the database connection and so on).
      • This config file invokes another page (checklogin.php - code in the previous post).
      • I went through the code, and it does a check to see if the data are correct. If not, the login screen is displayed. The login screen is another page, interface.php, that contains the two fields and must be filled in automatically by passing the variables collected from the previous site. Note that this page is displayed while in the address bar you see the full path to the index.php, not the interface.php.

      I think the easiest is to add some lines of code, defining the variable names contained in the link.

      So what I'm trying now is to build the string with some "echo" tags to see if it works and what I get...

      Am I going too far? Is it not fine to add these lines to the existing code in checklogin.php? If you think it is doable, I can reply with a first draft of it, and you can check...

      Thanks a million!!

        Yeah, you should be okay, but if you are passing any login information then I would use POST; that way you don't see the information in the URL.

          Originally posted by mystrymaster
          Yeah, you should be okay, but if you are passing any login information then I would use POST; that way you don't see the information in the URL.

          I would recommend POST over a secure connection for login information, otherwise it's still just plain text in the packets.
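Putting the two replies together, here is an added example of the hand-off they describe. It is not code from the thread, from phpSecurePages, or from any of the posters. The referring (already protected) site emits a self-submitting POST form whose field names are the ones checklogin.php above already reads from $HTTP_POST_VARS (entered_login and entered_password), and the extranet entry page refuses credentials that arrive in the query string, so a ?login=...&password=... URL never ends up in browser history, access logs or Referer headers. Assumptions, all constructed for the example: the extranet URL https://www.thesite.com/extranet/index145.php (based on the URL in the question), PHP 4.1 or later so that $_POST, $_GET, $_SESSION and $_SERVER stand in for the $HTTP_*_VARS arrays, the file name handoff.php, and the session keys extranet_login and extranet_password under which the referring site keeps the credentials it forwards.

```php
<?php
// handoff.php on the referring site (added example, not phpSecurePages code).
// Assumption: the user is already authenticated here, and the extranet
// credentials to forward are held server-side in this site's own session
// under the constructed keys 'extranet_login' / 'extranet_password'.
session_start();

// Extranet entry page (hypothetical URL). https only: the POST body travels
// encrypted, and nothing credential-like appears in the request line.
$extranetUrl = 'https://www.thesite.com/extranet/index145.php';

$login    = isset($_SESSION['extranet_login'])    ? $_SESSION['extranet_login']    : '';
$password = isset($_SESSION['extranet_password']) ? $_SESSION['extranet_password'] : '';
if ($login === '' || $password === '') {
    // nothing to forward: let the normal phpSecurePages login screen handle it
    header('Location: ' . $extranetUrl);
    exit;
}

// htmlspecialchars() keeps a quote in the password from breaking the value attribute
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
?>
<!DOCTYPE html>
<html><head><title>Entering the extranet...</title></head>
<body onload="document.forms['handoff'].submit();">
  <!-- field names match what checklogin.php reads from $HTTP_POST_VARS -->
  <form name="handoff" method="post" action="<?php echo h($extranetUrl); ?>">
    <input type="hidden" name="entered_login"    value="<?php echo h($login); ?>">
    <input type="hidden" name="entered_password" value="<?php echo h($password); ?>">
    <!-- fallback when JavaScript is off: the user clicks instead of auto-submit -->
    <noscript><input type="submit" value="Continue to the extranet"></noscript>
  </form>
</body></html>

<?php
// Guard at the very top of the protected extranet page (index145.php in the
// example), placed before the three lines that include secure.php.
// Credentials are accepted from the POST body only; if any turn up in the
// query string, drop the query string and fall through to the login screen.
if (isset($_GET['login']) || isset($_GET['password'])
        || isset($_GET['entered_login']) || isset($_GET['entered_password'])) {
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}
// original protection stub from the question follows unchanged
$requiredUserLevel = array(4);
$cfgProgDir = 'phpSecurePages/';
include($cfgProgDir . "secure.php");
?>
```

With this arrangement checklogin.php itself does not need to change: the POSTed fields take the "use entered data" branch exactly as if they had been typed into interface.php. Two caveats follow from the script as posted: when $passwordEncryptedWithMD5 is set, checklogin.php hashes the posted value itself, so the referring site has to forward the plaintext password, and the query that looks the user up interpolates $login into the SQL string without escaping, so the value the referring site forwards is trusted by that query as-is.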
