[RESOLVED] Help with securing php files from people who aren't logged in

fearfx

OK I have a members section I am developing.

For the life of my I cannot figure out how to secure my php files so if someone knows the direct URL they can't access the page with out being logged in

In my members section I have links like this:
cp/index.php?act=event_manager

but someone could type in:
cp/act/event_manager.php

Then they would have access to that page.
Now I can't figure out what code is needed to verify that someone is logged in without messing up the application it self.

This is how it works.

mywebsite.com/cp/index.php -->
This file checks if the user is logged in or not. if not redirected to login.php if logged in executes their control panel options.

index.php

 -->
[code=php]<?php

  $auth = false;

  require '../lib/mysqlvars.php';
  require '../lib/init.php';
  require '../lib/db.php';

  session_start('MEMBERS');

  $dbConn = connectDB($dbHost, $dbUser, $dbPass, $dbDB);
  if (!$dbConn) {
	die('Database is currently down...please try again later');
  }

  require 'lib/secure_page.php';

ob_start();

// Error Reporting
error_reporting(E_ALL ^ E_NOTICE);

// Include: Configuration file
$include_config = @include('config.php');

// Include: Global Header 
$include_gh = @include('lib/global_header.php');

if ($auth = true)
{
    $result = mysql_query("SELECT id FROM members WHERE username = '" . addslashes($_SESSION['username']) . "'" ) or die(mysql_error()); 
    $id = mysql_fetch_array( $result );

$include_main = @include('lib/main.php');
}


// Include: Site footer
$include_footer = @include('lib/footer.php');
if (!$include_footer) {
	echo '<b style="color: red;">Error:</b> footer.php missing!';
	exit('<p><b style="color: red;">Code:</b> <u>0008</u></p>');
}

/* EOF! */
ob_end_flush();
?>

secure_page.php

 -->
[code=php]<?php

  // log out if no session or user deleted

  $auth = false;

  include ('hasher.php');

  if (($_SESSION['logged']) == 1)
  {
  if (isset($_SESSION['username']) && isset($_SESSION['email'])) {
	$result = mysql_query("SELECT COUNT(*) FROM members WHERE username = '" . addslashes($_SESSION['username']) . "'");
	if ($result) {
	  if ($frow = mysql_fetch_row($result)) {
		if ($frow[0] > 0) {
		  $auth = true;
		  $logged_in = '1';

	    define("HASH_PREFIX", "K1-");

			 $result = mysql_query("SELECT id FROM members WHERE username = '" . addslashes($_SESSION['username']) . "'" ) or die(mysql_error()); 
			 $id = mysql_fetch_array( $result );      

		 $original_string = $id['id'];                                                    
		 $no = new PasswordHasher();

	}
  }
}
  }
}
  if (!$auth) {
	if (isset($_SESSION)) {
	  while (list ($key, $val) = each ($_SESSION)) {
		session_unregister($key);
	  }
	  session_destroy();
	}
	header("Location: ../../userLogin.php");
	exit();

  }


?>

config.php

 -->
[code=php]<?php


$SQLconn = 'localhost:username:password:database';
list($hostname, $username, $password, $database) = explode(':', $SQLconn);

// MySQL Connection:
mysql_connect($hostname, $username, $password);
mysql_select_db($database);

// MySQL Charset Collation:
mysql_query("SET NAMES 'latin1'");
mysql_query("SET collation_connection = 'latin1_sweedish_ci'");

function top_navigation($message, $act, $home_link, $refresh_link, $back_link, $logout_link)
{
?>
<div style="margin-bottom: 8px;">
	<table cellspacing="1" border="0" cellpadding="0" width="100%" style="background-color: #CCCCCC;">
		<tr>
			<td align="left" valign="middle" class="TopNavy" style="padding-left: 6px; padding-right: 6px;">
				<span style="float: left; cursor: hand;" onClick="window.parent.document.location.href='index.php?act=<?php echo $act; ?>';"><?php echo $message; ?></span>
				<span style="float: right;">
					<?php if ($back_link) { ?><a href="javascript:history.back();">&laquo; Go Back</a> -<?php } ?>
					<?php if ($refresh_link) { ?><a href="javascript:window.location.reload(true);">Refresh This Page</a> -<?php } ?>
					<?php if ($home_link) { ?><a href="index.php">Home</a> -<?php } ?>
					<?php if ($logout_link) { ?><a href="logout.php">Logout</a><?php } ?>
				</span>
			</td>
		</tr>
	</table>
</div>
<?php
}

// Random Keys
function randomkeys($length)
{
	$pattern = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
	for($i=0;$i<$length;$i++) {
		$key .= $pattern{rand(0,35)};
	}
	return $key;
}
?>

main.php

 -->
[code=php]<?php

$include_act = @include('lib/act.php');
if (!$include_act) {
	echo '<b style="color: red;">Error:</b> act.php missing!';
	exit('<p><b style="color: red;">Error No:</b> <u>0002</u></p>');
}

?>

act.php

 -->
[code=php]
<div style="margin: 0px; padding: 8px; border: 1px solid #DDDDDD; background-color: #FFFFFF; width: 780px;">
	<div>
		<table cellspacing="0" border="0" cellpadding="0" width="100%">
			<tr>
				<td align="center" valign="top" nowrap>
					<?php include('lib/menu.php'); ?>
				</td>
				<td align="left" valign="top" width="100%" style="padding-left: 8px;">
					<?php
						if ($_GET['act']) {
							$include = 'act/' . $_GET['act'] . '.php';
							$include_section = @include($include);
							if (!$include_section) {
								@include('lib/section_not_found.php');
							}
						} elseif ($_GET['act'] == 'home') {
							$include_section = @include('act/home.php');
							if (!$include_section) {
								@include('lib/section_not_found.php');
							}
						} else {
							$include_section = @include('act/home.php');
							if (!$include_section) {
								@include('lib/section_not_found.php');
							}
						}
					?>
				</td>
			</tr>
		</table>
	</div>
</div>

Ok I know there I posted a lot of code. But I think it is need to understand how my application works.

Any help with this would be greatly appreciated. Always trying to learn the correct ways of PHP Programming.

And Thanks again PHPBuilder.COM

Scriptmaker

The same check you do to see if a user is logged in can be added to the top of your individual .php files. Also, since the include files are in a separate lib directory, you can adjust the access to this folder.

Here's a good link about securing include files:
http://green-beast.com/blog/?p=144

And from here:
http://www.sitepoint.com/article/php-security-blunders

Place configuration files outside your Web-accessible directory. A configuration file can contain database passwords and other information that could be used by malicious users to penetrate or deface your site; never allow these files to be accessed by remote users. Use the PHP include function to include these files from a directory that's not Web-accessible, possibly including an .htaccess file containing "deny from all" just in case the directory is ever made Web-accessible by adiminstrator error. Though this is redundant, layering security is a positive thing.

fearfx

yea Thats what I thought too.

but when I add this code:

  $auth = false;

  require '../lib/mysqlvars.php';
  require '../lib/init.php';
  require '../lib/db.php';

  session_start('MEMBERS');

  $dbConn = connectDB($dbHost, $dbUser, $dbPass, $dbDB);
  if (!$dbConn) {
	die('Database is currently down...please try again later');
  }

  require 'lib/secure_page.php';

the rest of the page doesn't execute.

I just get a blank page.