|
PHP - Password Protect All Web Pages?
I'm not sure if this is a php or Apache question but here goes anyways. I have my Apache web server set up so I can access it from anywhere which obviously means anyone else can access it too. I have my index page which is basically a menu for the site password protected with a simple php script. The problem is the index.php password page can be bypassed by just typing the name or path of any of the pages on the site. I don't want to have to password protect or enter a session variable onto every page. Is there a practical way to make it where no page can be accessed without being routed from the index.php page ? Similar TutorialsHi, I have the following code: Code: [Select] <?php $cmd = $_GET['cmd']; if($cmd=="") { $cmd = "adminlogin";} // This creates the header for each of the installation pages switch($cmd) { // This is the installation agreement page case "adminlogin": print <<<LOGIN <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Member Site Maker 1.0</title> <link rel="stylesheet" href="style.css" type="text/css" /> </head> <body> <div id="head" align="center"> <h1 id="siteName">Member Site Maker </h1> <br /> <table align="center" border="0" bgcolor="#CCCCCC"> <tr> <td align="center"><span class=style1><b>ADMIN LOGIN</b></span></td> </tr> <tr> <td> <form action=admin.php?cmd=manage method=POST> Password: <input type=text name=password1> </td> </tr> <tr> <td> <input type=submit name=submit value=Submit> </td> </tr> </table> </form> LOGIN; break; // Managing Users case "manage": include_once("header.html"); include_once("data/password.php"); $password1 = $_POST['password1']; $password2 = base64_decode($password); if ($password1 != $password2) { print <<<BADLOGIN <table width=953 border=1 align=center bgcolor=#00CCFF> <tr> <td><span class=style1><b><center>Failed Login</center></b></span></td> </tr> <tr> <td><span class=style2>Your passwords do not match. Please go back and correct this error</td> </tr> </table> BADLOGIN; } else { echo <<<MANAGE <!--end navBar2 div --> <div id="navBar2"> <div id="sectionLinks"> <ul> <li><a href="admin.php?cmd=manage&password1=$password1">Manage</a></li> <li><a href="admin.php?cmd=dashboard&password1=$password1">Dashboard</a></li> <li><a href="admin.php?cmd=approval&password1=$password1">Approval</a></li> <li><a href="admin.php?cmd=msgcentre&password1=$password1">Message Center</a></li> <li><a href="admin.php?cmd=logins&password1=$password1">Logins</a></li> </ul> </div> </div> <!--end navBar2 div --> <div id="content"> <div class="story"> <table width="100%" border="0"> <tr> <td bgcolor="#99FF66"><div align="center"><span class="style3">Login</span></div></td> <td bgcolor="#99FF66"><div align="center"><span class="style3">Name</span></div></td> <td bgcolor="#99FF66"><div align="center"><span class="style3">Last Visited </span></div></td> <td bgcolor="#99FF66"><div align="center"><span class="style3">Registration Date </span></div></td> <td bgcolor="#99FF66"><div align="center"><span class="style3">Reset Password </span></div></td> <td bgcolor="#99FF66"><div align="center"><span class="style3">Delete</span></div></td> </tr> <tr> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> <td> </td> </tr> </table> <h3> </h3> </div> </div> <!--end content --> MANAGE; } break; case "dashboard": break; case "approval": break; This works fine for when viewing the admin.php, I am asked for a password and then it compares the password against the encoded password before displaying the manage page. However this does not stop someone typing http://www.mysite.com/folder/admin.php?cmd=dashboard If they do that, it skips the password form and password check, and they can then go ahead and do whatever in the admin.php file. How can I prevent this, so that a password check is automatically done before allowing somebody to view the page? I have tried adding the code I used in the manage section, but it doesnt work again. Any help will be greatly appreciated, I been trying to work it out all day and run out of ideas. Many Thanks Hey, nooby here I am looking for a PHP solution for password protect pages. I have successfully implemented this code which check a user name and password to grant access. The problem is that each user needs a different (password protected) page. What I would like to do is take it a step further and have each user directed to a specific page. visitor1 => www.mysite.com/visitor1.com visitor2 => www.mysite.com/visitor2.com Since I am not going to have anymore than three users I don't want the complication of a database and keep everything PHP. Any idea please? Cheers, This is the login page:
<?php
$LOGIN_INFORMATION = array(
'visitor1' => 'password1',
'visitor2' => 'password2'
);
define('USE_USERNAME', true);
define('LOGOUT_URL', 'http://www.mysite.com/logout.php');
define('TIMEOUT_MINUTES', 0);
define('TIMEOUT_CHECK_ACTIVITY', true);
if(isset($_GET['help'])) {
die('Include following code into every page you would like to protect, at the very beginning (first line):<br><?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?>');
}
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);
if(isset($_GET['logout'])) {
setcookie("verify", '', $timeout, '/'); // clear password;
header('Location: ' . LOGOUT_URL);
exit();
}
if(!function_exists('showLoginPasswordProtect')) {
function showLoginPasswordProtect($error_msg) {
?>
<!DOCTYPE HTML>
<html>
<head>
</head>
<body class="loading">
<div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">
<form method="post">
<p>Please enter password</p><br />
<font color="red"><?php echo $error_msg; ?></font><br />
<?php if (USE_USERNAME) echo 'Login:<br /><input type="input" name="access_login" /><br />Password:<br />'; ?>
<input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Submit" />
</form>
</div>
</body>
</html>
<?php
die();
}
}
if (isset($_POST['access_password'])) {
$login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
$pass = $_POST['access_password'];
if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
|| (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) )
) {
showLoginPasswordProtect("Incorrect password.");
}
else {
setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
unset($_POST['access_login']);
unset($_POST['access_password']);
unset($_POST['Submit']);
}
}
else {
if (!isset($_COOKIE['verify'])) {
showLoginPasswordProtect("");
}
$found = false;
foreach($LOGIN_INFORMATION as $key=>$val) {
$lp = (USE_USERNAME ? $key : '') .'%'.$val;
if ($_COOKIE['verify'] == md5($lp)) {
$found = true;
// prolong timeout
if (TIMEOUT_CHECK_ACTIVITY) {
setcookie("verify", md5($lp), $timeout, '/');
}
break;
}
}
if (!$found) {
showLoginPasswordProtect("");
}
}
?>
And here is the code I used at the top of each protected page:
<?php include("/home/user/public_html/clients/login.php"); ?>[/code]
hi all i have a code that i am trying to password to protect my webpage and i cant seen to get it to coonect to mysql DB. here is the code $c_username = "root"; $c_password = "Steph1989"; $c_host = "localhost"; $c_database = "eclipse_media"; // Connect. $connection = mysql_connect($c_host, $c_username, $c_password) or die ("It seems this site's database isn't responding."); mysql_select_db($c_database) or die ("It seems this site's database isn't responding."); Hello, I just joined today! I am very new to php, I'm sure you'll be able to tell I created a 'members area only' thanks to some awesome online tutorials!! The only part that isn't working is the page protection for the 'members only area'. I am using $_SESSION and ISSET, but wonder why page shows when the address to the protected page is typed directly in, (no session should exist) if I understand correctly ... Any help will be wonderful, I really can't do this on my own yet. I have tried many different combinations, I may have them all mixed together by now. Currently, I have this code to the top of the page I am trying to protect ... <? ob_start(); session_start(); //The users login details should be stored either in the post array or session array so we pull those login credentials $username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username']; $password = isset($_POST['password']) ? $_POST['password'] : $_SESSION['password']; //if no username session variable exists, redirect user: if(!isset($username)) { header("Location: login_form.php"); } ?> <html> <head> </head> <body> <p> This is the members only area</p> </body> </html> I have a problem w/ a widely used password protect php code. I use a business directory program that allows custom input fields. I'm using this code to password protect a business listing page in my directory code. I created custom fields for the username & password so a listing can enter their own user/pass but when I test it it won't work when I'm calling/echoing the fields. When I hardcode it w/ a user/pass it works. Any ideas on how I should recode this?: Quote <?php // Define your username and password $username = "<?php echo $custom_74; ?>"; $password = "<?php echo $custom_16; ?>"; if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) { ?> <h1>Login</h1> <form name="form" method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>"> <p><label for="txtUsername">Username:</label> <br /><input type="text" title="Enter your Username" name="txtUsername" /></p> <p><label for="txtpassword">Password:</label> <br /><input type="password" title="Enter your password" name="txtPassword" /></p> <p><input type="submit" name="Submit" value="Login" /></p> </form> <?php } else { ?> I close the code correctly. <?php echo $custom_74; ?> & <?php echo $custom_16; ?> are just incidently my custom field echo codes. I have over 150 custom fields working fine for user/listee options. The password protect code won't accept echos it seems as coded above. Thanks, Gene This topic has been moved to Apache HTTP Server. http://www.phpfreaks.com/forums/index.php?topic=358740.0 I'm trying to password protect and admin area but an included script, but it's not working very well. I've used this script forever, but for some reason it pops up an alert that says "The URL is not valid and cannot be loaded," when the form is submitted. It's an old script from PHPBuddy. Here is the script: // password_protect.php Code: [Select] <?php # Simple password protection # # (c) http://www.phpbuddy.com # Author: Ranjit Kumar # Feel free to use this script but keep this message intact! # # To protect a page include this file in your PHP pages! session_start(); $admin_user_name = "admin"; $admin_password = "admin"; //you can change the username and password by changing the above two strings if (!isset($HTTP_SESSION_VARS['user'])) { if(isset($HTTP_POST_VARS['u_name'])) $u_name = $HTTP_POST_VARS['u_name']; if(isset($HTTP_POST_VARS['u_password'])) $u_password = $HTTP_POST_VARS['u_password']; if(!isset($u_name)) { ?> <HTML> <HEAD> <TITLE><?php echo $HTTP_SERVER_VARS['HTTP_HOST']; ?> : Authentication Required</TITLE> </HEAD> <BODY bgcolor=#ffffff> <table border=0 cellspacing=0 cellpadding=0 width=100%> <TR><TD> <font face=verdana size=2><B>(Access Restricted to Authorized Personnel)</b> </font></td> </tr></table> <P></P> <font face=verdana size=2> <center> <?php $form_to = "http://$HTTP_SERVER_VARS[HTTP_HOST]$HTTP_SERVER_VARS[PHP_SELF]"; if(isset($HTTP_SERVER_VARS["QUERY_STRING"])) $form_to = $form_to ."?". $HTTP_SERVER_VARS["QUERY_STRING"]; ?> <form method=post action=<?php echo $form_to; ?>> <table border=0 width=350> <TR> <TD><font face=verdana size=2><B>User Name</B></font></TD> <TD><font face=verdana size=2><input type=text name=u_name size=20></font></TD></TR> <TR> <TD><font face=verdana size=2><B>Password</B></font></TD> <TD><font face=verdana size=2><input type=password name=u_password size=20></font></TD> </TR> </table> <input type=submit value=Login></form> </center> </font> </BODY> </HTML> <?php exit; } else { function login_error($host,$php_self) { echo "<HTML><HEAD> <TITLE>$host : Administration</TITLE> </HEAD><BODY bgcolor=#ffffff> <table border=0 cellspacing=0 cellpadding=0 width=100%> <TR><TD align=left> <font face=verdana size=2><B> You Need to log on to access this part of the site! </b> </font></td> </tr></table> <P></P> <font face=verdana size=2> <center>"; echo "Error: You are not authorized to access this part of the site! <B><a href=$php_self>Click here</a></b> to login again.<P> </center> </font> </BODY> </HTML>"; session_unregister("adb_password"); session_unregister("user"); exit; } $user_checked_passed = false; if(isset($HTTP_SESSION_VARS['adb_password'])) { $adb_session_password = $HTTP_SESSION_VARS['adb_password']; if($admin_password != $adb_session_password) login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); else { $user_checked_passed = true; } } if($user_checked_passed == false) { if(strlen($u_name)< 2) login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); if($admin_user_name != $u_name) //if username not correct login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); if(isset($admin_password)) { if($admin_password == $u_password) { session_register("adb_password"); session_register("user"); $adb_password = $admin_password; $user = $u_name; } else { //password in-correct login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); } } else { login_error($HTTP_SERVER_VARS['HTTP_HOST'],$HTTP_SERVER_VARS['PHP_SELF']); } $page_location = $HTTP_SERVER_VARS['PHP_SELF']; if(isset($HTTP_SERVER_VARS["QUERY_STRING"])) $page_location = $page_location ."?". $HTTP_SERVER_VARS["QUERY_STRING"]; header ("Location: ". $page_location); } } } ?> And here is the file I'm trying to protect: //index.php Code: [Select] <?php include('password_protect.php'); include("connection.php"); //Logout if($_REQUEST['action'] == "logout") { session_unset(); session_destroy(); header('Location:index.php'); } //Script Actions //Add Main Display if ($_REQUEST['action'] == "add_main_d") { //Upload Image $target_path = "main_display/"; $target_path = $target_path . basename( $_FILES['image']['name']); if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path)) { $msg1 = "<p>The image ". basename( $_FILES['image']['name']). " has been uploaded</p>"; } else { $msg1 = "<p>There was an error uploading the image, please try again!</p>"; } $image = $_FILES['image']['name']; //Add Info to Database $query = "INSERT INTO main_display (title,descrip,link,image) VALUES('$_REQUEST[title]','$_REQUEST[descrip]','$_REQUEST[link]','$image')"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $msg = "<p>" . $_REQUEST['title'] . " added to the main display.</p>"; } //Add Guest if ($_REQUEST['action'] == "add_guest") { //Upload Image $target_path = "guests/"; $target_path = $target_path . basename( $_FILES['image']['name']); if(move_uploaded_file($_FILES['image']['tmp_name'], $target_path)) { $msg1 = "<p>The image ". basename( $_FILES['image']['name']). " has been uploaded</p>"; } else { $msg1 = "<p>There was an error uploading the image, please try again!</p>"; } $image = $_FILES['image']['name']; //Add Info to Database $query = "INSERT INTO guest (name,ep,link,image) VALUES('$_REQUEST[name]','$_REQUEST[ep]','$_REQUEST[link]','$image')"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $msg = "<p>" . $_REQUEST['name'] . " was added to the guest list.</p>"; } //Delete Item if($_REQUEST['action'] == "delete_item"){ $query = "SELECT * FROM main_display WHERE id = '$_REQUEST[item]'"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $row = mysql_fetch_array($result,MYSQL_ASSOC); $image = $row['image']; unlink("main_display/$image"); //Delete news $query = "DELETE FROM main_display WHERE id = '$_REQUEST[item]'"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $msg = "Display Meny Item erased."; } //Delete Guest if($_REQUEST['action'] == "delete_guest"){ $query = "SELECT * FROM guest WHERE id = '$_REQUEST[item]'"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $row = mysql_fetch_array($result,MYSQL_ASSOC); $image = $row['image']; unlink("guests/$image"); //Delete news $query = "DELETE FROM guest WHERE id = '$_REQUEST[item]'"; $result = mysql_query($query) or die ("Can't do anything with the query!"); $msg = "Display Meny Item erased."; } ?> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <link rel="stylesheet" type="text/css" href="style.css" /> <title>Admin Window</title> <?php //Form Check - Javascript if($_REQUEST['view'] == "main_d") { include("add_main_d_check.php"); } if($_REQUEST['view'] == "guest_d") { include("add_guest_d_check.php"); } ?> </head> <body> <div id="wrapper"> <h1> Admin Window </h1> <div id="links"> <ul> <li><a href="index.php">Main</a></li> <li><a href="index.php?view=main_d">Main Display</a></li> <li><a href="index.php?view=guest_d">Guests</a></li> <li><a href=\"index.php?action=logout\">Logout</a></li> </ul> </div> <?php if (isset($msg1)) { echo $msg1 . "<br />"; } if (isset($msg)) { echo $msg; } //Page Controller switch($_REQUEST['view']) { case "main_d": include("main_d.php"); break; case "guest_d": include("guests.php"); break; default: if(!isset($_REQUEST['action'])){ echo "<p>Please select an action.</p>"; } break; } ?> </div> </body> </html> I will be grateful for any help on this. Thanks! Hello: I wanted to see if I can make my password protected pages in my admin area, and the login form "more secure." I was told I should use MD5 / SALTING / HASHING to do this. I have tried some online tutorials, but am not understanding it, so I wanted to start from what I have and build upon it> This is my database table storing the myAdmins data (when I initially insert it into the database): Code: [Select] CREATE TABLE `myAdmins` ( `id` int(4) NOT NULL auto_increment, `myUserName` varchar(65) NOT NULL default '', `myPassword` varchar(65) NOT NULL default '', PRIMARY KEY (`id`) ) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=utf8; INSERT INTO myAdmins VALUES("1","abc","123"); This is the login form I use: Code: [Select] <?php include('../include/myConn.php'); include('include/myAdminNav.php'); session_start(); session_destroy(); $message=""; $Login=$_POST['Login']; if($Login){ $myUserName=$_POST['myUserName']; $myPassword=$_POST['myPassword']; $result=mysql_query("select * from myAdmins where myUserName='$myUserName' and myPassword='$myPassword'"); if(mysql_num_rows($result)!='0'){ session_register("myUserName"); header("location:a_Home.php"); exit; }else{ $message="<div class=\"myAdminLoginError\">Incorrect Username or Password</div>"; } } ?> <form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>"> <? echo $message; ?> Username: <input name="myUserName" type="text" id="myUserName" size="40" /> Password: <input name="myPassword" type="password" id="myPassword" size="40" /> <input name="Login" type="submit" id="Login" value="Login" /> </form> This is the code on top of each page I password protect: Code: [Select] <? session_start(); if(!session_is_registered(myUserName)){ header("location:Login.php"); } ?> Works well, but can it be "better"?? And, if I am allowing the admin to update his/her username or password, I do it this way: Code: [Select] <?php include('../include/myConn.php'); include('include/myCheckLogin.php'); if ($_SERVER['REQUEST_METHOD'] == 'POST') { $myUserName = mysql_real_escape_string($_POST['myUserName']); $myPassword = mysql_real_escape_string($_POST['myPassword']); $sql = " UPDATE myAdmins SET myUserName = '$myUserName', myPassword = '$myPassword' "; mysql_query($sql) && mysql_affected_rows() ?> <?php } $query=mysql_query("SELECT * FROM myAdmins") or die("Could not get data from db: ".mysql_error()); while($result=mysql_fetch_array($query)) { $myUserName=$result['myUserName']; $myPassword=$result['myPassword']; } ?> <form method="post" action="<?php echo $PHP_SELF;?>"> <input type="hidden" name="POSTBACK" value="EDIT"> Username: <input type="text" size="60" maxlength="60" name="myUserName" value="<?php echo $myUserName; ?>"> Password: <input type="password" size="60" maxlength="60" name="myPassword" value="<?php echo $myPassword; ?>"> <input type="submit" value="Submit" /> </form> Should it be "better" .. ?? I don't seem to understand how to "encrypt" all of this to make it "stronger" .. Ideas? Improvements? Hello everyone: I wanted to see how I can make a simple login page (user name and password) that redirects to a page(s) if the login is correct. Also, I wanted to put protection on the page(s) that will send the user back to the login page if the credentials are nor correct. I would imagine the username/password would be stored in a database table (Admins), and the correct login info would be stored in a session ..? I am use to doing this with ASP, but never PHP. I want to make sure I understand how to do this properly and securely so I can use this as a model for other systems. In ASP I would do a protected page like this: a_login_check.asp Code: [Select] <% if session("admin_user_name") = "" then session.abandon response.redirect "login.asp" end if %> Protected-Page.asp Code: [Select] <!-- #include file="include/a_check_login.asp" --> <html> ... CONTENT ... </html> And of course there is the login page itself ... (I thought it would be nice to add a "Forgot Password" link on the login page, but if that is too complicated I can do that later .. or is it easy ??) Anyway, can someone point-out to me how to do this. I would appreciate it! Hello PhP Freaks forum In the past weeks ive been trying to make a website, where you can register. Everything seems to work except my cherished Change password feature. Everytime you try to change the password, it just resets it to nothing. Here is the code below. <?php if(isset($_SESSION['username'])) { $username = $_SESSION['username']; $lastname = $_SESSION['lastname']; $firstname = $_SESSION['firstname']; $email = $_SESSION['email']; echo " <h4>Options for:</h4> $username <br /> <br /> First name: $firstname <br />Last name: $lastname <br /><br /><h3>Want to change your password:</h3><br /> <form action='?do=option' method='post'> Old password <input type='password' placeholder='Has to be between 5-15 digits' name='password' size='30' value='' /><br /> <br /> New Password<input type='password' placeholder='Has to be between 5-15 digits' name='newpass' size='30' value='' /><br /> <br /> Confirm new password <input type='password' placeholder='Has to be between 5-15 digits' name='passconf' size='30' value='' /><br /> <center></div><input type='submit' value='Submit'/></center></form>"; }else{ echo 'Please login to view your options!'; } $password = $_REQUEST['password']; $pass_conf = $_REQUEST['newpass']; $email = $_REQUEST['passconf']; $connect = mysql_connect("Host", "User", "Password"); if(!$connect){ die(mysql_error()); } //Selecting database $select_db = mysql_select_db("My Database", $connect); if(!$select_db){ die(mysql_error()); } //Find if entered data is correct $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); $row = mysql_fetch_array($result); $id = $row['id']; mysql_query("UPDATE users SET password='$newpass' WHERE username='$user'") ?> And i do know that i dont have a if(Empty($newpass)){ Die(Please fill out the new password) } Or any security on the others, but the problem just seems that it resets the password into nothing Hope i can get this fixed Best Regards William Pfaffe This topic has been moved to Application Design. http://www.phpfreaks.com/forums/index.php?topic=353345.0 <?php
require_once('upper.php'); require_once('database.php'); echo $error_msg=''; if(isset($_POST['submit'])) { $LoginId=mysqli_real_escape_string($dbc,trim($_POST['LoginId'])); $Password1=mysqli_real_escape_string($dbc,trim($_POST['Password1'])); $Password2=mysqli_real_escape_string($dbc,trim($_POST['Password2'])); $Name=mysqli_real_escape_string($dbc,trim($_POST['Name'])); $Age=mysqli_real_escape_string($dbc,trim($_POST['Age'])); $BloodGroup=mysqli_real_escape_string($dbc,trim($_POST['BloodGroup'])); if(!isset($_POST['Sex'])) { echo 'Please enter Sex<br>'; } else{ $Sex= mysqli_real_escape_string($dbc,trim($_POST['Sex'])); } $Qualification=mysqli_real_escape_string($dbc,trim($_POST['Qualification'])); $ContactNumber=mysqli_real_escape_string($dbc,trim($_POST['ContactNumber'])); $Email=mysqli_real_escape_string($dbc,trim($_POST['Email'])); $Address=mysqli_real_escape_string($dbc,trim($_POST['Address'])); $AboutYourself=mysqli_real_escape_string($dbc,trim($_POST['AboutYourself'])); //$countCheck=count($_POST['checkbox']); //echo $countCheck; //$checkbox=$_POST['checkbox']; //$countCheck=count($checkbox); if(empty($LoginId)){echo 'Please enter Login Id';} elseif(empty($Password1)){echo 'Please enter Password';} elseif(empty($Password2)){echo 'Please confirm Password';} elseif($Password1!==$Password2){echo 'Password didn\'t match';} elseif(empty($Name)){echo 'Please enter Name';} elseif(empty($Age)){echo 'Please enter Age';} elseif(!isset($_POST['Sex'])){} elseif(empty($Qualification)){echo 'Please enter Qualification';} elseif(empty($ContactNumber)){echo 'Please enter Contact Number';} elseif(empty($Email)){echo 'Please enter Email';} elseif(empty($Address)){echo 'Please enter Address';} elseif(empty($AboutYourself)){echo 'Please enter About Yourself';} elseif(!isset($_POST['checkbox'])){ echo 'You have to register at least one activity.';} elseif(!isset($_POST['TermsAndConditions'])){ echo 'You have to agree all Terms and Conditions of Elite Brigade.';} else { require_once('database.php'); $query="select * from registration where LoginId='$LoginId'"; $result=mysqli_query($dbc,$query); if(mysqli_num_rows($result)==0) { $checkbox=$_POST['checkbox']; $countCheck=count($_POST['checkbox']); $reg_id=' '; for($i=0;$i<$countCheck;$i++) { $reg_id=$reg_id.$checkbox[$i].','; $query="insert into activity_participation (LoginId,Title,Date) values ('$LoginId','$checkbox[$i]',CURDATE())"; $result=mysqli_query($dbc,$query) or die("Not Connected"); } $query="insert into registration (LoginId,Password,Name,Age,BloodGroup,Sex,Qualification,ContactNumber,Email,Address,AboutYourself,Activity)values ('$LoginId'[B],SHA('$Password1'),[/B]'$Name','$Age','$BloodGroup','$Sex','$Qualification','$ContactNumber','$Email','$Address','$AboutYourself',',$reg_id')"; $result=mysqli_query($dbc,$query) or die("Not Connect"); echo ' Dear '.$Name.'.<br>Your request has been mailed to admin.<br>Your account is waiting for approval<br>'; $from= 'Elite Brigade'; $to='ankitp@rsquareonline.com'; $subject='New User Registration'; $message="Dear admin,\n\nA new user request for registration. Please check it out.\n\nRegards\nMicro"; mail($to,$subject,$message,'From:'.$from); //header('Location: index.php'); // header('Location: Registration.php'); } else { echo 'Dear '.$Name. ', <br> An account already exist with login-id<b> '.$LoginId.'</b> <br>Please try another login-id'; }} } ?> <html> <head> <script src="jquery-latest.js"></script> <script type="text/javascript" src="jquery-validate.js"></script> <style type="text/css"> * { font-family: Verdana; } label.error { color: white; padding-left: .5em; } p { clear: both; } .submit { margin-left: 12em; } em { font-weight: bold; padding-right: 1em; vertical-align: top; } </style> <script> $(document).ready(function(){ $("#commentForm").validate(); }); </script> </head> <body> <?php echo $error_msg; ?> <form action='<?php echo $_SERVER['PHP_SELF'];?>' id="commentForm" method='post'> <div class="registration_and_activity"> <table border="0" width="380"> <tr><td colspan="2"> <h3>New User?</h3></td></tr> <tr><td width="120"> <em>*</em>Enter Login id</td><td width="150"><input type='text' name='LoginId' minlength="4" value='<?php if(!empty($LoginId))echo $LoginId;?>' /></td></tr> <tr><td> <em>*</em>Enter Password</td> <td><head> <div id="divMayus" style="visibility:hidden">Caps Lock is on.</div> <SCRIPT language=Javascript> function capLock(e){ kc = e.keyCode?e.keyCode:e.which; sk = e.shiftKey?e.shiftKey:((kc == 16)?true:false); if(((kc >= 65 && kc <= 90) && !sk)||((kc >= 97 && kc <= 122) && sk)) document.getElementById('divMayus').style.visibility = 'visible'; else document.getElementById('divMayus').style.visibility = 'hidden'; } </SCRIPT> </HEAD> <input onkeypress='return capLock(event)' type='password' name='Password1' value='<?php if(!empty($Password1))echo $Password1;?>' /></td></tr> <tr><td> <em>*</em>Confirm Password</td><td><input type='password' name='Password2' value='<?php if(!empty($Password2))echo $Password2;?>' /></td></tr> <tr><td width="120"> <em>*</em>Enter Name</td> <td><input type='text' name='Name' value='<?php if(!empty($Name))echo $Name;?>' /></td></tr> <tr><td> <em>*</em>Enter Age</td><HEAD> <SCRIPT language=Javascript> function isNumberKey(evt) { var charCode = (evt.which) ? evt.which : event.keyCode if (charCode > 31 && (charCode < 48 || charCode > 57)) return false; return true; } </SCRIPT> </HEAD> <td><INPUT onkeypress='return isNumberKey(event)' type='text' name='Age' value='<?php if(!empty($Age))echo $Age;?>'/></td></tr> <tr><td> <em>*</em>Enter Blood</td><td><input type='text' name='BloodGroup' value='<?php if(!empty($BloodGroup))echo $BloodGroup;?>' /></td></tr> <tr><td> <em>*</em>Enter Sex</td><td><input type='radio' name='Sex' style='width:16px; border:0;' 'value='Male' />Male <input type='radio' name='Sex' style='width:16px; border:0;' 'value='Female' />Female</td></tr> <tr><td> <em>*</em>Enter Qualification</td><td><input type='text' name='Qualification' value='<?php if(!empty($Qualification))echo $Qualification;?>' /></td></tr> <tr><td> <em>*</em>Contact Number </td><td><input onkeypress='return isNumberKey(event)'type='text' name='ContactNumber' value='<?php if(!empty($ContactNumber))echo $ContactNumber;?>' /></td></tr> <tr><td> <em>*</em>Enter Email</td><td><input type='text' name='Email'class="email" value='<?php if(!empty($Email))echo $Email;?>' /></td></tr> <tr><td> <em>*</em>Enter Address</td><td><input type='text' name='Address' value='<?php if(!empty($Address))echo $Address;?>' /></td></tr> <tr ><td > <em>*</em>About Yourself </td></tr> <tr><td colspan="2"><textarea rows='10' cols='40' name='AboutYourself' /><?php if(!empty($Address))echo $Address;?></textarea></td></tr> <tr><td> <?php echo" <tr><td colspan='2'><em>*</em><b>Select fields for which you want to register</b></td></tr>"; require_once('database.php'); $query="select * from activity"; $result=mysqli_query($dbc,$query); while($row=mysqli_fetch_array($result)){ $Title=$row['Title']; $ActivityId=$row['ActivityId']; echo "<tr><td>$Title</td>"; echo "<td><input type='checkbox' name='checkbox[]' value='$Title' style='width:14px; text-align:right;'/></td></tr>";//value=$ActivityId tells ActivityId variable extracts with name="checkbox" echo "<br/>"; } echo "<td><em>*</em><input type='checkbox' name='TermsAndConditions' style='width:14px; text-align:right;'/></td><td> I agree all <a href='TermsAndConditions.php'>Terms and conditions </a>of Elite Brigade</td></tr>"; echo "<tr><td colspan='2' align='center'><input type='submit' value='Register' name='submit' style='background:url(./images/button_img2.png) no-repeat 10px 0px; width:100px; padding:3px 0 10px 0; color:#FEFBC4; border:0;'/></td></tr><br>"; echo " </td></tr></table> </div> </form> </body> </html>"; require_once('lower.php'); ?> Hi Friends .... I encrypt user password by SHA('$Password') method but now i want to add "Forget Password Module" for which I need to decrypt it first before tell my user but I don't Know how to decrypt it. Please help me........ So I thought I was secure until I was debugging. I thought I'd give it a try to manually run queries though the url, and I'm able to execute them. When you go to my downloads module, you can click on a category to view results from said category. You can also modify the query executed to perform extra tasks to grab different results, here's an example: http://zextcms.com/index.php?component=downloads&cat=0%27%20OR%20download_parent%20=%20%271 This shouldn't even be capable of happening. I have a script that recursively checks all post and get data and removes all special characters with htmlspecialchars(). I also have a class that handles all my queries, new data and update data is already sanitized with mysqli_escape_string() so that leaves me to finish securing $_GET variables. I just double checked to see if I may have taken out htmlspecialchars for testing purposes and it is still in effect. My code checks if get or post data is an array, if it is not it uses htmlspecialchars() on the key and value of the array and returns the cleansed version. If there is an array, the function calls upon itself until it's done cleaning all dimensions of the array, so what am I forgetting? I am coding a login form. If the user forgets his password, he will click on a link where he will have to insert his email address, then, he will get a confirmation link in his inbox. After that, he willl click on the link, to redirect him to a page to create a new password. The page link to create a new password (the confirmation link) is actually like this: http://xxxxx.forgetpassword.php I want that when it will appear in the user's inbox, it should be like this: http://xxxxx.f135kkgg3f6f2f2.php Well, you know what I mean, perhaps most of us have got this kind of URL when we forget a password. It is like encrypted or hashed something like that. So, how can I do it like this? In my javascript code i use ajax so i load a php file .. then on the success i have a function where i load a file there.. the thing is how can i secure it from direct access from the browser? if i type the link of the file in the browser i can access it even tho it needs other files to run so it will return me errors.. how can i disable that? Thanks. EDIT: i have tried to put if(!defined("MAIN")){ die('<tt>You cannot view this file directly!</tt>'); } on the file i want to protect but then when i call the ajax on the success the file doesnt load on the page that i call it and shows the above die(); Hi, I have a MySQL database with BLOB data (MS Word files, Excel, PowerPoint, PDF etc.). I have a show_file function that assembles the blobs to send the file to the browser. It's been working great for a decade. Now, I am looking to filter the data against XSS vulnerabilities, much like I do with strings using htmlentities(). How do you go about doing that with BLOB data? I'm assuming htmlentities() will strip out characters from the BLOB data that will render the file unusable, correct? Here is my function: function show_file( $fileID ) { $nodeList = array(); $fileInfo = get_record( 'FileList', 'fileID', $fileID ) or trigger_error( 'Not a valid file ID: ' . $fileID ); // Pull list of inodes $nodes = get_recordset( 'FileData', 'fileID', $fileID, 'blobID' ); if ( !$nodes ) { trigger_error( 'Failure to retrieve file inodes: ' . mysql_error() ); } while ( $node = mysql_fetch_array( $nodes ) ) { $nodeList[] = $node['blobID']; } // Send down the header to the client if ( strpos( $_SERVER['HTTP_USER_AGENT'], 'MSIE' ) ) { header( 'Cache-Control: public' ); } header( 'Content-Type: ' . $fileInfo['fileType'] ); header( 'Content-Length: ' . $fileInfo['fileSize'] ); header( 'Content-Disposition: attachment; filename=' . $fileInfo['fileName'] ); // Loop thru and stream the nodes 1 by 1 for ( $z = 0; $z < count( $nodeList ); $z++ ) { $query = 'SELECT fileData FROM FileData WHERE blobID = ' . $nodeList[$z]; if ( $result = mysql_query( $query ) ) { echo mysql_result( $result, 0 ); } else { trigger_error( 'Failure to retrieve file node data: ' . mysql_error() ); } } } So, I am looking to do something like echo mysql_result( htmlentities($result), 0 ); Thanks for any help you may provide, George. hi phpfreaks, How do I protect the php file that holds the my applications database details any tips would be great Hi. I am working on a website that sells online subscriptions to premium content. On the low end this includes articles, and on the high end guides and books. In the back of my mind I had always planned on putting this content into MySQL for safe keeping, but in the last day or so it has occurred to me that putting an entire book into MySQL could be cumbersome at best?! Which leads to this question... Can you easily protect a PHP page from unauthorized users and outsiders? My original desire to put things in MySQL was driven much more by security than any of the more obvious reasons you'd use a database. I will be putting articles into MySQL, but the more I think about it, trying to put a 500 or 1,000 page book into MySQL could be difficult at best. For articles, I simple have a PHP page that loads up the article from MySQL and first checks that the logged in user has the proper access rights - meaning they are a paid subscriber - before allowing the article to load. I could do that with a guide or book, but the question becomes, "How do you put even 500 pages into a database table and easily access it?" What do you think?
Hi guys, I need your help with my php script. On my script, I'm currently working with image where I can hot-link them from another website while it is on protected. when you click right-mouse button on firefox, you could see something like "view page source" which is disabled. when you click on "save page as", you can save the image as "image.php". when you open them, you would not be able to read due to the image but you can find the real image link in image.php where i want to protect them. here's the currently code: Code: [Select] <?php session_start(); define('DB_HOST', 'localhost'); define('DB_USER', 'myusername'); define('DB_PASSWORD', 'mypassword'); define('DB_DATABASE', 'mydbname'); $id = (int)$_GET['id']; $errmsg_arr = array(); $errflag = false; $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } function clean($var) { return mysql_real_escape_string(strip_tags($var)); } $qrytable1="SELECT images FROM image_list WHERE id=$id"; $result1=mysql_query($qrytable1) or die('Error:<br />' . $qry . '<br />' . mysql_error()); while ($row = mysql_fetch_array($result1)) { $image = $row['images']; $details = getimagesize($image); header ('Content-Type: ' . image_type_to_mime_type($details[2])); echo readfile($image), "<p id='images'>", $row['images'] . "</p>"; } ?> I guess that there must be a way to protected the url in the php script where i can hide them. It should be easy to modify but I am not sure what line I need to adjust to make it protected. Can you please help me in what line I need to modify in order to protected the hot-linking in my php? |
|||||||