Newbie desp. requests help on creating PHP code to access password protected page

alpha99

I have written the following HTML/PHP code to validate and provide access to a password protected page to users who are given the user ID and password through a separate e-mail. The required page, Articles.html, however does not load when the valid user ID and password is provided. Instead, the response is a blank page. Please help.

validate.php
<html>
<head>
<title>Login Authentication</title>
</head>
<body>
<?php

if (($POST["username"]=='cutedog')AND($POST["password"]=='puppy'))
{
header("Location: http://www.domain.com/Articles.html");
exit();

}
else
{

echo "Login denied to the page - Articles.html";

}
?>
</body>
</html>

Does any other file need to be included for HEADER function to work? I currently do not have CGI or SSI active on my hosting account. I am using a following HTML form for the user to submit the user ID and password to access the password protected page.

Thora_Fan

Although I'm not sure if this is it or not, in my experience, all Header() information must be sent to the browser prior to anything else.

validate.php 

if (($_POST["username"]=='cutedog') && ($_POST["password"]=='puppy')) 
{ 
   header("Location: [url]http://www.domain.com/Articles.html[/url]"); 
   exit(); 
} 

<html> 
<head> 
<title>Login Authentication</title> 
</head> 
<body> 
Login denied to the page - Articles.html
</body> 
</html>

Also, make sure that the form variables $POST["username"] and $POST["password"] are correctly initialized and case sensitive.

keith73

you do realize, however, that people can still go to Articles.html without the userid and password. you're php script should perhaps include articles.html from another directory that is htaccess protected.

keith

alpha99

Thanks very much for your replies. With your suggestions, I now have the code fixed and it is working.

Regarding security for this approach, how do folks get to the password? Can they make PHP code visible through Internet Explorer's "View Source" option?

Also, what is "htaccess protection"? Can you please suggest some good tutorials/articles on coding htaccess protection?

Thanks much!

Thora_Fan

Basically, to create a relativley protected PHP page use sessions.

For example:

index.html has your form where the user enters in the username and password.

The form information gets sent to login.php. At the top of this page, you first start a session, then have your code which checks to see if the username and password matches. If so, you add a variable to your session, say <b>$_SESSION["LoggedIn"] = True;</b> or something similar. If not, then redirect them to a page that tells them the login was false.

On top of every page that login.php would link to, write some code that first starts the session (or in this case, continues it) then checks to see if $_SESSION["LoggedIn"] is true. If it's not true, then redirect the user to a page which informs them they need to log in.

For more infomration regarding sessions, check out http://www.php.net/manual/en/ref.session.php

alpha99

<SIZE=3>Thanks for the guidance.</SIZE>