Password protection

Anon

Hi!

I would like to password-protect some of my php-pages. Is it possible for me to password-protect a directory on the server (I don´t admin the server) or, if that´s not possible, protect the pages in another way. I want it to pop up that the user has to fill in user and password to access the page. There will only be one account that I wan´t to access the page.

I hope you understand what I mean. My english is bad...

plutoplanet

Hi Jessica,

You could do someting like this:

Let's say you have a FORM on your first page (index.php):

if ($llx=="member") {
include ("adminMain.inc");
// see below

} else {
if ($submit=="login") {
include ("adminChkLogin.inc");
} else {
echo ("<P><P><P><center><table width=200><TR><td width=200 bgcolor=#ef8fd4>");
echo ("<form action=admin.php method=post>");
echo ("login<BR>");
echo ("<input type=text name=login size=10 maxlength=10><BR>");
echo ("password<BR>");
echo ("<input type=password name=passwd size=10 maxlength=10><BR>");
echo ("<input type=submit name=submit value=login>");
echo ("</TD></TR></TABLE></CENTER>");
echo ("</FORM>");
}
}
?>

Here is the File which checks the password:
filname: adminChkLogin.inc

mysql_pconnect(host,user,password);
mysql_select_db(yourdatabase);
if (empty($login)) {
echo ("<p>Login field was empty");
}

elseif (empty($passwd)) {
    echo ("<p>Password field was empty");
}

else {

// if you don't run mysql cut from here ...
$chkLogin=mysql_query("SELECT * FROM user WHERE usrLogin='$login'") or die ("database error");
if ($clrow=mysql_fetch_array($chkLogin)) {

        if (ereg($clrow[usrPasswd],$passwd))

// ...and here and uncomment the next line
/*

if (($passwd=="yourpassword") && ($login=="yourlogin"))

{
$llx=member;

            include ("adminMain.inc");

        }

        else {
            echo ("<p>ERROR");
        }

    }

    else {
        echo ("<p>ERROR");
    }


}

for this example you'll need a mysql database:
create table user (
usrId integer not null default '0' auto_increment,
usrLogin varchar(10) not null,
usrPasswd varchar(10) not null,
primary key (usrId));

I think this should work (although I didn't test it...)

lyonhaert

Not to undermine your suggestion, Herwig (i use user identification like that in certain areas), but for blanket protecting a director you can use an .htaccess file.

[BEGIN: .htaccess]
Authname "Authorized Users Only"
Authtype Basic
AuthUserFile /path/to/.htpasswdfile
AuthGroupFile /dev/null
require valid-user

[END: .htaccess]

the .htaccess file goes in the directory you wish to be passworded.

[BEGIN: .htpasswdfile]
username:wYuqVe.Nx/ArQ
[END: .htpasswdfile]

the format for every line is thus:
username:encryptedpass

i use the cryptPass() function of class.htpasswd.php3 from www.thewebmasters.net to make the encrypted passwords. the same class can be used to manage the .htpasswdfile as well. however, there are plenty of little pages around that'll do the same encryption for you. i like to do it myself because i'm cautious (aka, paranoid).

now when you try to get to anything in the directory where the .htaccess file is, you will be prompted for username and password. any incorrect login will only net the user a 401 Authorization Required page

teamohio

I use simply use the solution that Herwig uses and every page after that initial page you simply place the

session_start();

at the top of every page and that page is then only accessible when the user logs in and if the user accesses the page by the URl and there is no "session id", it simply returns a page with no information populated.

I use this to protect the pages of a very large long distance company and thus far has not been "hackable".

Good luck!

jim

Anon

Hi Lyon,

I would prefer the way with .htaccess, too. But Jessica was looking for something easy where she doesn't have to work around with protecting directories with e.g. .htaccess files.
However, the way you explained seems to be cool - I will try it.

Herwig

Anon

Thank you all but I still have problems...

I tried Lyons suggestion and made a .htaccess-file and all that. Didn´t work. So I tried Herwigs suggestion. Didn´t work.
Herwig: In your script it says:
"include ("adminMain.inc");"
And the "adminMain.inc" is also mentioned later on in the script. What is that? Is it a file I should have created?

Anon

hi there,
i just a little confuse here.
i managed to create those 2 files
.htaccess and .htpasswdfile
and where i should put those 2 files? in my directory which i should protect?

do i have to change the script inside .htaccess file for example the directory i want to protect is "documents"
or just leave it like the way u wrote?

and another word, after copying those file.
when we access in the directory it's the screen will asking abt username ?