Password protect php pages

wendystewart80

Hi there,
I am trying to password a searchable website which has php pages. I used the following tutorial for login/password code:
http://php.codenewbie.com/articles/php/1482/Login_With_Sessions-Page_1.html
This is the login page:

<? 
// Login & Session example by sde 
// auth.php 

// start session 
session_start(); 

// convert username and password from _POST or _SESSION 
if($_POST){ 
  $_SESSION['username']=$_POST["username"]; 
  $_SESSION['password']=$_POST["password"];   

} 

// query for a user/pass match 
$result=mysql_query("select * from users 
  where username='" . $_SESSION['username'] . "' and password='" . $_SESSION['password'] . "'"); 

// retrieve number of rows resulted 
$num=mysql_num_rows($result); 

// print login form and exit if failed. 
if($num < 1){ 
  echo "You are not authenticated.  Please login.<br><br> 

  <form method=POST action=index.php> 
  username: <input type=text name=\"username\"> 
  password: <input type=password name=\"password\"> 
  <input type=submit> 
  </form>"; 

  exit; 
} 
?>

And this is a sample page:

<? 
// Login & Session example by sde 
// link_1.php 

// connect to database 
include("inc/connect.php"); 

// include auth and nav 
include("inc/auth.php"); 

// begin content 
include("inc/nav.php"); 

echo "This is my Link 1."; 

// close mysql connection 
mysql_close(); 
?>

For my page to be password protected it has to go within the echo""; but I cannot put php code here, therefore I can't password protect my php pages with this code.

Any suggestions of how to get around this?
Many thanks
Wendy

lazzerous

So you really haven't done any reading on PHP at all and you want a difinitive answer to your problem..

I'm gonna throw out a RTFM as to why you can't put PHP code within the quotes of an echo statement, which in itself, IS PHP code.

ddt999

I tried a different way to restrict the access to my php pages.

I use a session variable like: $_SESSION['islogged'] - which is set to 1 if the client logs in correctly at the main login page or is 0 if the client hasnt tried to login.

My auth.php simply checks for this session variable, if it is 0 the client/user is redirected to the main login page with the associated message. If the value is 1 then the page is loaded.

Including this few-line file in each .php page is easy and better for performance in comparrison to having each page first check via mysql_query statements if the person is allowed to view the page.

It may not be perfect but perhaps this alternative will help in getting the best solution for you. 😃

Roger_Ramjet

Got yourself a bit confused here Wendy. You just need to include auth.php at the top of any page that you want to protect. You can then write code or include any scripts and html that you fancy, it will never get to it if the user is not logged in.

halojoy

ddt999 wrote:
I tried a different way to restrict the access to my php pages.

I use a session variable like: $_SESSION['islogged'] - which is set to 1 if the client logs in correctly at the main login page or is 0 if the client hasnt tried to login.

My auth.php simply checks for this session variable, if it is 0 the client/user is redirected to the main login page with the associated message. If the value is 1 then the page is loaded.

Including this few-line file in each .php page is easy and better for performance in comparrison to having each page first check via mysql_query statements if the person is allowed to view the page.

It may not be perfect but perhaps this alternative will help in getting the best solution for you. 😃

The above is a prefered method.

index.php - offer a link to 'login.php' with something like the script you have in your auth.php

in index.php a menu to other pages that are protected

protected page has one row at top

<?php include 'check.php'; ?>

// protected contents
// of any page

The 'check.php'

<?php

session_start();
if(!isset($_SESSION['username'])){
header ( 'location:index.php' );
exit;
}

?>

Roger_Ramjet

halojoy wrote:
The above is a prefered method.

No it's not - well it's YOUR prefered method. 🆒

Just checking to see if a session var called $_SESSION['username'] exists is pretty poor security. It could contain anything. At a minimum you should be checking to see if it actually contains something that could be a username.

Personally I validate username and password against the database EVERY page. The overhead is not noticeable, and I use a shared server. The security include does all the things that my script is going to need anyway like start session and connect to the db - the things that will take time and resources. Once those are done then running a simple select query against a small users table (unless you are going to have 100,000 users) adds very little.

halojoy

-> No it's not - well it's YOUR prefered method.

-> Just checking to see if a session var called $_SESSION['username'] exists is pretty poor security.

correction.
it looks that at least 2 people in only this topic
thinks it is a good enough
which should make it many other, too

for most personal homepages with a limited number of users
I also think it will do nicely
for increased security we could add several session variables
that should match

now if you run a big business, a bank, a military or a governement website
surely it is a very bad way to protect pages
those into such security needs are probably not lerning
to write php here
they have professional applications and programmers
to do their stuff

but very few of us are into such serious stuff
and for most it wouldnt be the end of world if a page was read

and think the chance anyone would bother to try
and should manage to make a successful break in
in a simple session check
is not very high

I wouldnt worry too much

🙂