I have a page 1.php which has to be password protected.
I have the code for the form which connects with the page containing the data.
<form action="2.php" method="post">
<input type="password" name="textfield">
<input type="submit" />
</form>
What should the code for 2.php be so that it redirects a user to 3.php if he inputs "ABCDE" in the field?
<?php
if (isset($_POST['submit'])) {
    if ($_POST['textfield'] === 'ABCDE') {
        header("Location: 3.php");
        exit; // stop here: header() alone does not end the script
    } else {
        echo 'Wrong username';
    }
}
?>
<form action="2.php" method="post">
<input type="password" name="textfield">
<input type="submit" name="submit" />
</form>
You should (at the very least):
1.) Hash the password when storing it in a DB for later retrieval.
2.) Hash the password entered by the visitor attempting to login.
(I use JS to do this 'on the fly' sometimes, so the real password is not ever POSTed through the form.)
3.) Select the hashed password from the database and compare it to the hash of the visitor-entered password.
Using and modifying the code posted above:
<?php
if (isset($_POST['submit'], $_POST['textfield']) && !empty($_POST['textfield'])) {
    /* Connect to DB and retrieve the stored hash into $database['password'] here */
    // Compare the stored hash with the submitted password via password_verify(),
    // which hashes the submission the same way; never compare the plain text to the hash.
    if (password_verify($_POST['textfield'], $database['password'])) {
        header("Location: 3.php");
        exit; // header() alone does not stop execution
    } else {
        echo 'Wrong username';
    }
}
?>
You will probably need to actually attempt to select the hashed value from the database, since I don't see anywhere to enter a user name to select by, which is not very efficient. If you are only using a single password, the hashed value could be hard-coded into the page as ABCDE is above, but hashing and using user names is standard practice.
To attempt to select from the DB you could do something like this:
<?php
if (isset($_POST['submit'], $_POST['textfield']) && !empty($_POST['textfield'])) {
    /* $db is an open mysqli connection */
    // Hash the submitted password the same way the stored value was hashed, then
    // look that hash up with a prepared statement instead of splicing it into the SQL.
    // (An unsalted hash is what makes a lookup by hash possible; it is weaker than
    // password_hash(), which needs a per-user row to verify against.)
    $FindPassword = hash('sha256', $_POST['textfield']);
    $stmt = $db->prepare("SELECT password FROM `table` WHERE password = ?");
    $stmt->bind_param('s', $FindPassword);
    $stmt->execute();
    $stmt->bind_result($stored);
    if (!$stmt->fetch()) {
        echo 'Wrong User Name';
    } else {
        header("Location: 3.php");
        exit;
    }
    $stmt->close();
}
?>
* Note the reversal of the if and else above.
What's to stop me from bookmarking the URL "3.php", or sending the link to someone, or even, if you have a file naming structure like this, just guessing that "3.php" is the "protected" file?
There are a couple of ways to do this so it's truly "protected". Using the previous examples, you don't have a 3.php file. Put your "protected content" where the header is.
<?php
if ($authenticated) {
    echo $protectedContent; // the secret only ever leaves the server on this branch
}
?>
The other is to dispense with a PHP solution, and use a combination of .htaccess and auth-user methods with .htpasswd, but this is usually a single password unless you have programming to build the .htpasswd on the fly. In any case, that's more complex than method A.
A third is to do exactly what's posted above, with one exception. Once authorized, set a cookie or PHP session ID that is some random and unique string. When 3.php loads, check for this value, if it's not present, do a location back to 2.php.
There are much stronger methods than any of the three I've mentioned, Google around for them and you'll find some real guru approaches out there.
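A worked version of the third method (a session value set on login and checked by the protected page), combined with the hashed-password lookup from the earlier reply, as an added example; this is not code from the thread. It assumes a MySQL table `users(username, password_hash)` whose `password_hash` column was filled once with `password_hash($plain, PASSWORD_DEFAULT)`, a PDO DSN and credentials for that database, and the file names login.php and protected.php; all of these are assumptions. The two files are shown in one block, separated by a comment.

```php
<?php
// ---- file: login.php (added example, not from the thread) ----
// Assumed: table `users(username, password_hash)` with bcrypt hashes from
// password_hash(), and the DSN/credentials below.
session_start();

function openDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'app-password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
}

function fetchPasswordHash(PDO $db, string $username): ?string
{
    // Prepared statement: the username is bound as data, never spliced into the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

function authenticate(PDO $db, string $username, string $password): bool
{
    $hash = fetchPasswordHash($db, $username);
    if ($hash === null) {
        // Unknown user: burn roughly one bcrypt's worth of time anyway so the
        // response time does not reveal which usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    // password_verify() hashes the submission with the salt and cost embedded in
    // the stored hash and compares in constant time; plain text is never stored.
    return password_verify($password, $hash);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if ($username !== '' && $password !== '' && authenticate(openDb(), $username, $password)) {
        session_regenerate_id(true);    // fresh session ID on login: defeats session fixation
        $_SESSION['user'] = $username;  // the value protected.php checks for
        header('Location: protected.php');
        exit;                           // header() alone does not stop the script
    }
    $error = 'Wrong username or password'; // same message for both failure cases
}
?>
<form action="login.php" method="post">
  <?php if ($error !== ''): ?>
    <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <?php endif; ?>
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="submit" value="Log in">
</form>

<?php
// ---- file: protected.php (added example, not from the thread) ----
// The content lives behind this check, so bookmarking, sharing or guessing the
// URL without a logged-in session just bounces the visitor back to login.php.
session_start();
if (empty($_SESSION['user'])) {
    header('Location: login.php');
    exit;
}
echo 'Secret content for ', htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

To seed the table for the thread's single password, generate the hash once with `php -r "echo password_hash('ABCDE', PASSWORD_DEFAULT);"` and insert it into `users.password_hash`; the login page never needs the plain text. Because the session is created server-side and its ID is regenerated on login, a visitor who only knows the URL of protected.php, or who holds a session ID issued before authentication, gets redirected rather than served the content.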