PHP - Can You Protect A Php Page From Others?
Hi. I am working on a website that sells online subscriptions to premium content. On the low end this includes articles, and on the high end guides and books. In the back of my mind I had always planned on putting this content into MySQL for safe keeping, but in the last day or so it has occurred to me that putting an entire book into MySQL could be cumbersome at best?! Which leads to this question: can you easily protect a PHP page from unauthorized users and outsiders? My original desire to put things in MySQL was driven much more by security than by any of the more obvious reasons you'd use a database. I will be putting articles into MySQL, but the more I think about it, trying to put a 500 or 1,000 page book into MySQL could be difficult at best. For articles, I simply have a PHP page that loads up the article from MySQL and first checks that the logged-in user has the proper access rights (meaning they are a paid subscriber) before allowing the article to load. I could do that with a guide or book, but the question becomes, "How do you put even 500 pages into a database table and easily access it?" What do you think?
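Added example (editor's code, not the original poster's): the subscriber check the post already does for articles, applied to a whole book that stays on disk outside the web root instead of inside MySQL. Only the check and an opaque id are exposed; the filesystem path never is. Assumptions are hypothetical: login code elsewhere stores an expiry timestamp in $_SESSION['subscriber_until'], the content directory is /var/www/premium (not under DocumentRoot), and the ids and filenames in $catalog are made up.

```php
<?php
// Added example, not code from the original post. It gates one premium item
// behind the subscriber check the post describes and streams the file from a
// directory outside the web root, so a book never has to live in MySQL and a
// direct URL to the file never works.
// Hypothetical assumptions: login code elsewhere stores an expiry timestamp in
// $_SESSION['subscriber_until']; the content lives in /var/www/premium, which
// is not under DocumentRoot; ids and filenames in $catalog are made up.

declare(strict_types=1);

const PREMIUM_DIR = '/var/www/premium';

// Opaque ids in URLs; the browser never sees a filesystem path.
$catalog = [
    'book-42' => ['file' => 'guide-to-widgets.pdf',  'mime' => 'application/pdf'],
    'book-43' => ['file' => 'guide-to-widgets.epub', 'mime' => 'application/epub+zip'],
];

function is_paid_subscriber(): bool
{
    // Entitlement comes from the server-side session, never from the request.
    return isset($_SESSION['subscriber_until'])
        && is_int($_SESSION['subscriber_until'])
        && $_SESSION['subscriber_until'] > time();
}

function resolve_premium_path(array $catalog, string $id): ?string
{
    if (!isset($catalog[$id])) {
        return null;
    }
    $base = realpath(PREMIUM_DIR);
    $path = realpath(PREMIUM_DIR . '/' . $catalog[$id]['file']);
    // Even with an allowlist, refuse anything that resolves outside the
    // content directory (a stray symlink, a bad catalog entry).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function stream_file(string $path, string $mime): void
{
    // basename() of an allowlisted name: no quotes or CR/LF can reach the header.
    $name = basename($path);
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');   // keep proxies from caching paid content
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        http_response_code(500);
        exit;
    }
    // 64 KiB at a time, so a 1,000-page book never has to fit in memory.
    while (!feof($fh)) {
        echo fread($fh, 65536);
        flush();
    }
    fclose($fh);
}

session_start();

if (!is_paid_subscriber()) {
    http_response_code(403);
    exit('Subscription required.');
}

$id = $_GET['id'] ?? '';
$path = is_string($id) ? resolve_premium_path($catalog, $id) : null;
if ($path === null) {
    http_response_code(404);
    exit('No such item.');
}

stream_file($path, $catalog[$id]['mime']);
```

The same gate works for images or AJAX-loaded fragments: whatever is requested, the script checks the session first and only then touches the content. On Apache with mod_xsendfile or nginx with X-Accel-Redirect the byte copying can be handed to the web server after the check instead of looping in PHP; the check itself stays identical.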
Similar Tutorials

So I thought I was secure until I was debugging. I thought I'd give it a try to manually run queries through the URL, and I'm able to execute them. When you go to my downloads module, you can click on a category to view results from said category. You can also modify the query executed to perform extra tasks to grab different results; here's an example:

http://zextcms.com/index.php?component=downloads&cat=0%27%20OR%20download_parent%20=%20%271

This shouldn't even be capable of happening. I have a script that recursively checks all POST and GET data and removes all special characters with htmlspecialchars(). I also have a class that handles all my queries; new data and update data is already sanitized with mysqli_escape_string(), so that leaves me to finish securing $_GET variables. I just double-checked to see if I may have taken out htmlspecialchars() for testing purposes, and it is still in effect. My code checks if GET or POST data is an array; if it is not, it uses htmlspecialchars() on the key and value of the array and returns the cleansed version. If there is an array, the function calls upon itself until it's done cleaning all dimensions of the array. So what am I forgetting?

I am coding a login form. If the user forgets his password, he will click on a link where he will have to insert his email address; then he will get a confirmation link in his inbox. After that, he will click on the link to redirect him to a page to create a new password. The page link to create a new password (the confirmation link) is actually like this:

http://xxxxx.forgetpassword.php

I want that when it appears in the user's inbox, it should be like this:

http://xxxxx.f135kkgg3f6f2f2.php

Well, you know what I mean; perhaps most of us have got this kind of URL when we forget a password. It is like encrypted or hashed, something like that. So, how can I do it like this?

In my JavaScript code I use AJAX, so I load a PHP file; then on the success I have a function where I load a file there. The thing is, how can I secure it from direct access from the browser? If I type the link of the file in the browser I can access it, even though it needs other files to run, so it will return me errors. How can I disable that? Thanks.

EDIT: I have tried to put

if(!defined("MAIN")) {
    die('<tt>You cannot view this file directly!</tt>');
}

on the file I want to protect, but then when I call the AJAX on the success, the file doesn't load on the page that I call it from and shows the above die().

Hi, I have a MySQL database with BLOB data (MS Word files, Excel, PowerPoint, PDF etc.). I have a show_file function that assembles the blobs to send the file to the browser. It's been working great for a decade. Now, I am looking to filter the data against XSS vulnerabilities, much like I do with strings using htmlentities(). How do you go about doing that with BLOB data? I'm assuming htmlentities() will strip out characters from the BLOB data that will render the file unusable, correct? Here is my function:

function show_file( $fileID ) {
    $nodeList = array();
    $fileInfo = get_record( 'FileList', 'fileID', $fileID )
        or trigger_error( 'Not a valid file ID: ' . $fileID );

    // Pull list of inodes
    $nodes = get_recordset( 'FileData', 'fileID', $fileID, 'blobID' );
    if ( !$nodes ) {
        trigger_error( 'Failure to retrieve file inodes: ' . mysql_error() );
    }
    while ( $node = mysql_fetch_array( $nodes ) ) {
        $nodeList[] = $node['blobID'];
    }

    // Send down the header to the client
    if ( strpos( $_SERVER['HTTP_USER_AGENT'], 'MSIE' ) ) {
        header( 'Cache-Control: public' );
    }
    header( 'Content-Type: ' . $fileInfo['fileType'] );
    header( 'Content-Length: ' . $fileInfo['fileSize'] );
    header( 'Content-Disposition: attachment; filename=' . $fileInfo['fileName'] );

    // Loop thru and stream the nodes 1 by 1
    for ( $z = 0; $z < count( $nodeList ); $z++ ) {
        $query = 'SELECT fileData FROM FileData WHERE blobID = ' . $nodeList[$z];
        if ( $result = mysql_query( $query ) ) {
            echo mysql_result( $result, 0 );
        } else {
            trigger_error( 'Failure to retrieve file node data: ' . mysql_error() );
        }
    }
}

So, I am looking to do something like

echo mysql_result( htmlentities($result), 0 );

Thanks for any help you may provide, George.

Hi phpfreaks, how do I protect the PHP file that holds my application's database details? Any tips would be great.

Hey, nooby here. I am looking for a PHP solution for password-protecting pages. I have successfully implemented this code, which checks a user name and password to grant access. The problem is that each user needs a different (password-protected) page. What I would like to do is take it a step further and have each user directed to a specific page.

visitor1 => www.mysite.com/visitor1.com
visitor2 => www.mysite.com/visitor2.com

Since I am not going to have any more than three users, I don't want the complication of a database and want to keep everything PHP. Any ideas please? Cheers.

This is the login page:

<?php
$LOGIN_INFORMATION = array(
    'visitor1' => 'password1',
    'visitor2' => 'password2'
);
define('USE_USERNAME', true);
define('LOGOUT_URL', 'http://www.mysite.com/logout.php');
define('TIMEOUT_MINUTES', 0);
define('TIMEOUT_CHECK_ACTIVITY', true);

if(isset($_GET['help'])) {
    die('Include following code into every page you would like to protect, at the very beginning (first line):<br><?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?>');
}

$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

if(isset($_GET['logout'])) {
    setcookie("verify", '', $timeout, '/'); // clear password;
    header('Location: ' . LOGOUT_URL);
    exit();
}

if(!function_exists('showLoginPasswordProtect')) {
    function showLoginPasswordProtect($error_msg) {
?>
<!DOCTYPE HTML>
<html>
<head>
</head>
<body class="loading">
<div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">
<form method="post">
<p>Please enter password</p><br />
<font color="red"><?php echo $error_msg; ?></font><br />
<?php if (USE_USERNAME) echo 'Login:<br /><input type="input" name="access_login" /><br />Password:<br />'; ?>
<input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Submit" />
</form>
</div>
</body>
</html>
<?php
        die();
    }
}

if (isset($_POST['access_password'])) {
    $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
    $pass = $_POST['access_password'];
    if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
        || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) )
    ) {
        showLoginPasswordProtect("Incorrect password.");
    } else {
        setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
        unset($_POST['access_login']);
        unset($_POST['access_password']);
        unset($_POST['Submit']);
    }
} else {
    if (!isset($_COOKIE['verify'])) {
        showLoginPasswordProtect("");
    }
    $found = false;
    foreach($LOGIN_INFORMATION as $key=>$val) {
        $lp = (USE_USERNAME ? $key : '') .'%'.$val;
        if ($_COOKIE['verify'] == md5($lp)) {
            $found = true;
            // prolong timeout
            if (TIMEOUT_CHECK_ACTIVITY) {
                setcookie("verify", md5($lp), $timeout, '/');
            }
            break;
        }
    }
    if (!$found) {
        showLoginPasswordProtect("");
    }
}
?>

And here is the code I used at the top of each protected page:

<?php include("/home/user/public_html/clients/login.php"); ?>

Hi guys, I need your help with my PHP script. In my script I'm currently working with images, which can be hot-linked from another website while they are supposed to be protected. When you click the right mouse button in Firefox, you can see something like "view page source", which is disabled. When you click on "save page as", you can save the image as "image.php". When you open it, you would not be able to read it because of the image, but you can find the real image link in image.php, which is what I want to protect. Here's the current code:

Code:
<?php
session_start();
define('DB_HOST', 'localhost');
define('DB_USER', 'myusername');
define('DB_PASSWORD', 'mypassword');
define('DB_DATABASE', 'mydbname');

$id = (int)$_GET['id'];
$errmsg_arr = array();
$errflag = false;

$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}

function clean($var) {
    return mysql_real_escape_string(strip_tags($var));
}

$qrytable1="SELECT images FROM image_list WHERE id=$id";
$result1=mysql_query($qrytable1) or die('Error:<br />' . $qrytable1 . '<br />' . mysql_error());

while ($row = mysql_fetch_array($result1)) {
    $image = $row['images'];
    $details = getimagesize($image);
    header ('Content-Type: ' . image_type_to_mime_type($details[2]));
    // The image bytes are followed by the real path, which is what leaks.
    echo readfile($image), "<p id='images'>", $row['images'] . "</p>";
}
?>

I guess that there must be a way to protect the URL in the PHP script, where I can hide it. It should be easy to modify, but I am not sure what line I need to adjust to make it protected. Can you please help me with what line I need to modify in order to protect against hot-linking in my PHP?

Does anyone have a better idea to protect PHP files so that you can distribute a 'release' without the customer being able to read the source files? There are tools on the internet which cost money, BUT you are dependent on their software, and if it's not open source, it's not trustworthy. What I've done so far is write an ISAPI DLL in Borland C++ and install it under IIS 6. Basically you call this ISAPI DLL and it decrypts the encrypted PHP files and executes them respectively. It is thread safe (as is PHP). There are other methods available on the net that you use to encrypt your pages, BUT the decryption algorithm is found in your main PHP file and, duh, if you can read the main file, you can easily decrypt all other files, so that is a bad idea. Any other ideas? Possibly write a PHP extension, perhaps, but I have not been able to get that working on Borland C++.

Hi everybody, I'd like to protect an RTSP stream coming from a video server using a PHP page. Is this possible? The RTSP stream is a live H.264 stream with its own local IP address. Currently I can access the stream by entering rtsp://192.168.1.3 in the browser and QuickTime starts up. I have Apache running on a different machine (192.168.1.2), which I want to use to pass on the stream. I'd like the RTSP stream to be accessed by entering rtsp://192.168.1.2/?password=changes-a-lot. I've been using headers and readfile a lot to protect files, but the live stream seems to work differently. I've seen a lot of posts on how to access media using RTSP, but none of these work with a live stream. Does anybody have any ideas on how to get this to work?

Hi all, I have some code that I am trying to use to password-protect my webpage and I can't seem to get it to connect to the MySQL DB. Here is the code:

$c_username = "root";
$c_password = "Steph1989";
$c_host = "localhost";
$c_database = "eclipse_media";

// Connect.
$connection = mysql_connect($c_host, $c_username, $c_password)
    or die ("It seems this site's database isn't responding.");
mysql_select_db($c_database)
    or die ("It seems this site's database isn't responding.");

Hi, I have the code below:

<?php
/*
 * search.php
 *
 * Script for searching a database populated with keywords by the
 * populate.php script.
 */
print "<html><head><title>[Squashy] Search! NOT MESSED UP.</title></head><body>\n";

if( $_POST['keyword'] ) {
    /* Connect to the database: */
    mysql_pconnect("www.freesqldatabase.com","sql01_44052","censored")
        or die("ERROR: Could not connect to database!");
    mysql_select_db("sql01_4405hahamo1");

    /* Get timestamp before executing the query: */
    $start_time = getmicrotime();

    /* Execute the query that performs the actual search in the DB: */
    $query = '
        SELECT p.page_url AS url, COUNT(*) AS occurrences
        FROM page p, word w, occurrence o
        WHERE p.page_id = o.page_id AND w.word_id = o.word_id
        AND (false ';
    $words = explode(' ', $_POST['keyword']);
    foreach ($words as $word) {
        $query .= 'OR w.word_word = "' . $word . '" ';
    }
    $query .= ') GROUP BY p.page_id ORDER BY occurrences DESC LIMIT ' . $_POST['results'];
    $result = mysql_query($query);

    /* Get timestamp when the query is finished: */
    $end_time = getmicrotime();

    /* Present the search-results: */
    print "<h2>[Squashy] Search Results For '".$_POST['keyword']."':</h2>\n";
    for( $i = 1; $row = mysql_fetch_array($result) or die(mysql_error()); $i++ ) {
        print "$i. <a href='".$row['url']."'>".$row['url']."</a>\n";
        print "(occurrences: ".$row['occurrences'].")<br><br>\n";
    }

    /* Present how long it took to execute the query: */
    print "This search took: ".(substr($end_time-$start_time,0,5))." seconds.";
} else {
    /* If no keyword is defined, present the search-page instead: */
    print "<form method='post'>[Squashy Search] <input type='text' size='20' name='keyword'>\n";
    print "Results: <select name='results'><option value='5'>5</option>\n";
    print "<option value='10'>10</option><option value='15'>15</option>\n";
    print "<option value='20'>20</option></select>\n";
    print "<input type='submit' value='Search [Squashy]'></form>\n";
}
print "</body></html>\n";

/* Simple function for retrieving the current timestamp in microseconds: */
function getmicrotime() {
    list($usec, $sec) = explode(" ",microtime());
    return ((float)$usec + (float)$sec);
}
?>

How do I:

a) Center the search box and title and add an image above it like in Google? The code for the search box and title is (taken from the code above):

{
    /* If no keyword is defined, present the search-page instead: */
    print "<form method='post'>[Squashy Search] <input type='text' size='20' name='keyword'>\n";
    print "Results: <select name='results'><option value='5'>5</option>\n";
    print "<option value='10'>10</option><option value='15'>15</option>\n";
    print "<option value='20'>20</option></select>\n";
    print "<input type='submit' value='Search [Squashy]'></form>\n";
}

b) How do I protect the code so that people can't see the database name and password?

Thanks, Will

I'm not sure if this is a PHP or Apache question, but here goes anyway. I have my Apache web server set up so I can access it from anywhere, which obviously means anyone else can access it too. I have my index page, which is basically a menu for the site, password-protected with a simple PHP script. The problem is the index.php password page can be bypassed by just typing the name or path of any of the pages on the site. I don't want to have to password-protect or enter a session variable on every page. Is there a practical way to make it so no page can be accessed without being routed from the index.php page?

Hello, I just joined today! I am very new to PHP; I'm sure you'll be able to tell. I created a 'members area only' thanks to some awesome online tutorials!! The only part that isn't working is the page protection for the 'members only area'. I am using $_SESSION and isset(), but wonder why the page shows when the address to the protected page is typed in directly (no session should exist), if I understand correctly... Any help will be wonderful; I really can't do this on my own yet. I have tried many different combinations; I may have them all mixed together by now. Currently, I have this code at the top of the page I am trying to protect:

<?php
ob_start();
session_start();
// The user's login details should be stored either in the post array or session array, so we pull those login credentials
$username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username'];
$password = isset($_POST['password']) ? $_POST['password'] : $_SESSION['password'];
// If no username session variable exists, redirect user:
if(!isset($username)) {
    header("Location: login_form.php");
}
?>
<html>
<head>
</head>
<body>
<p> This is the members only area</p>
</body>
</html>

Obviously when connecting to PHP I'm not going to show all of my login details:

mysql_connect("details","details","password") or die(mysql_error());
mysql_select_db("details") or die(mysql_error());

What's the best way to hide them? I've seen some people using an include file with their login details in it, say for e.g.

<?php include('con.php'); ?>

What's to stop someone looking at www.myweb/con.php and obtaining my details there instead?

Using base64_encode to encode the name of a major function in your code and then shift the values to reach non-printable chars. This way, when a newbie tries to tamper with your code, opening it in an editor, it will fail to run when saved! What do you think?
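Added example (editor's code, not from either poster) for the two injection posts above: the downloads category filter (cat=0' OR download_parent = '1) and the search.php keyword loop. Both queries are rewritten as mysqli prepared statements, so the category id and the search terms travel as bound parameters and cannot become SQL whatever characters they contain. htmlspecialchars() is an HTML output encoder and does nothing for SQL; once values are bound, no escaping is needed at all. Table and column names follow the posts; the connection credentials are hypothetical.

```php
<?php
// Added example; not code from either post above. The downloads category
// filter and the keyword search rewritten as mysqli prepared statements.
// Table/column names follow the posts; credentials are hypothetical.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Hypothetical credentials; read them from a file outside the web root in practice.
    return new mysqli('localhost', 'app_user', 'app_password', 'app_db');
}

// Downloads in one category. The payload from the post,
// cat=0' OR download_parent = '1, is not an integer and is rejected up front.
function downloads_in_category(mysqli $db, mixed $rawCat): array
{
    $cat = filter_var($rawCat, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($cat === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, title FROM downloads WHERE download_parent = ?');
    $stmt->bind_param('i', $cat);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Keyword search with a variable number of terms: one placeholder per term,
// and the LIMIT bound as an integer instead of pasted in from $_POST.
function search_pages(mysqli $db, string $keywords, int $limit): array
{
    $words = preg_split('/\s+/', trim($keywords), -1, PREG_SPLIT_NO_EMPTY);
    if ($words === [] || $limit < 1 || $limit > 100) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($words), '?'));
    $sql = 'SELECT p.page_url AS url, COUNT(*) AS occurrences
              FROM page p
              JOIN occurrence o ON o.page_id = p.page_id
              JOIN word w ON w.word_id = o.word_id
             WHERE w.word_word IN (' . $placeholders . ')
          GROUP BY p.page_id, p.page_url
          ORDER BY occurrences DESC
             LIMIT ?';
    $stmt = $db->prepare($sql);
    // Every word is bound as a string, the limit as an integer.
    $params = [...$words, $limit];
    $stmt->bind_param(str_repeat('s', count($words)) . 'i', ...$params);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$db = connect();
header('Content-Type: text/plain');
print_r(downloads_in_category($db, $_GET['cat'] ?? ''));
print_r(search_pages($db, (string) ($_POST['keyword'] ?? ''), (int) ($_POST['results'] ?? 10)));
```

The ORDER BY / LIMIT rewrite matters as much as the placeholders: in the original, $_POST['results'] was concatenated straight into the query, which is a second injection point next to the keyword loop. Values that reach HTML (the search term echoed into the h2) still need htmlspecialchars() at output time; that is what it is for.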
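Added example (editor's code, not the poster's) for the forgotten-password post above: how the random-looking reset link is produced. A fresh random token goes into the email and only its SHA-256 hash is stored, so a leaked password_resets table cannot be turned into working links; tokens expire and are single-use. The table layout and the https://example.com/reset.php URL are hypothetical, and the demo at the end uses an in-memory SQLite database with constructed data so it runs without a server.

```php
<?php
// Added example, not the poster's code. Random token in the email, only its
// hash in the database, with expiry and single use. Table layout and URL are
// hypothetical; the demo uses in-memory SQLite with constructed data.

declare(strict_types=1);

const RESET_TTL_SECONDS = 30 * 60;

function create_reset_link(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG; this is what is emailed
    $hash  = hash('sha256', $token);      // only the hash touches the database
    $pdo->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
        ->execute([$userId, $hash, time() + RESET_TTL_SECONDS]);
    return 'https://example.com/reset.php?token=' . $token;
}

// Returns the user id the token belongs to, or null; marks the token used.
function consume_reset_token(PDO $pdo, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                      // wrong shape: cannot have come from create_reset_link()
    }
    $hash = hash('sha256', $token);
    $stmt = $pdo->prepare(
        'SELECT user_id FROM password_resets
          WHERE token_hash = ? AND expires_at > ? AND used_at IS NULL'
    );
    $stmt->execute([$hash, time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $pdo->prepare('UPDATE password_resets SET used_at = ? WHERE token_hash = ?')
        ->execute([time(), $hash]);
    return (int) $userId;
}

// Demo with constructed data: user 7 asks for a reset, follows the link once.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE password_resets (
    user_id INTEGER NOT NULL, token_hash TEXT NOT NULL UNIQUE,
    expires_at INTEGER NOT NULL, used_at INTEGER NULL)');

$link  = create_reset_link($pdo, 7);
$token = substr($link, strlen('https://example.com/reset.php?token='));

var_dump(consume_reset_token($pdo, $token));               // first use: the user id
var_dump(consume_reset_token($pdo, $token));               // second use: refused
var_dump(consume_reset_token($pdo, str_repeat('0', 64)));  // unknown token: refused
```

The page behind reset.php takes the user id returned by consume_reset_token(), asks for the new password and stores password_hash() of it; it should never display or log the token. The "enter your email" step should answer the same way whether or not the address exists, so the form cannot be used to enumerate accounts.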
Hi, I have the following code:

Code:
<?php
$cmd = $_GET['cmd'];
if($cmd=="") { $cmd = "adminlogin"; }

// This creates the header for each of the installation pages
switch($cmd) {
    // This is the installation agreement page
    case "adminlogin":
        print <<<LOGIN
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Member Site Maker 1.0</title>
<link rel="stylesheet" href="style.css" type="text/css" />
</head>
<body>
<div id="head" align="center">
<h1 id="siteName">Member Site Maker </h1>
<br />
<table align="center" border="0" bgcolor="#CCCCCC">
<tr>
<td align="center"><span class=style1><b>ADMIN LOGIN</b></span></td>
</tr>
<tr>
<td>
<form action=admin.php?cmd=manage method=POST>
Password: <input type=text name=password1>
</td>
</tr>
<tr>
<td>
<input type=submit name=submit value=Submit>
</td>
</tr>
</table>
</form>
LOGIN;
        break;

    // Managing Users
    case "manage":
        include_once("header.html");
        include_once("data/password.php");
        $password1 = $_POST['password1'];
        $password2 = base64_decode($password);
        if ($password1 != $password2) {
            print <<<BADLOGIN
<table width=953 border=1 align=center bgcolor=#00CCFF>
<tr>
<td><span class=style1><b><center>Failed Login</center></b></span></td>
</tr>
<tr>
<td><span class=style2>Your passwords do not match. Please go back and correct this error</td>
</tr>
</table>
BADLOGIN;
        } else {
            echo <<<MANAGE
<!--end navBar2 div -->
<div id="navBar2">
<div id="sectionLinks">
<ul>
<li><a href="admin.php?cmd=manage&password1=$password1">Manage</a></li>
<li><a href="admin.php?cmd=dashboard&password1=$password1">Dashboard</a></li>
<li><a href="admin.php?cmd=approval&password1=$password1">Approval</a></li>
<li><a href="admin.php?cmd=msgcentre&password1=$password1">Message Center</a></li>
<li><a href="admin.php?cmd=logins&password1=$password1">Logins</a></li>
</ul>
</div>
</div>
<!--end navBar2 div -->
<div id="content">
<div class="story">
<table width="100%" border="0">
<tr>
<td bgcolor="#99FF66"><div align="center"><span class="style3">Login</span></div></td>
<td bgcolor="#99FF66"><div align="center"><span class="style3">Name</span></div></td>
<td bgcolor="#99FF66"><div align="center"><span class="style3">Last Visited </span></div></td>
<td bgcolor="#99FF66"><div align="center"><span class="style3">Registration Date </span></div></td>
<td bgcolor="#99FF66"><div align="center"><span class="style3">Reset Password </span></div></td>
<td bgcolor="#99FF66"><div align="center"><span class="style3">Delete</span></div></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>
<h3> </h3>
</div>
</div>
<!--end content -->
MANAGE;
        }
        break;

    case "dashboard":
        break;
    case "approval":
        break;
}
?>

This works fine when viewing admin.php: I am asked for a password and then it compares the password against the encoded password before displaying the manage page. However, this does not stop someone typing http://www.mysite.com/folder/admin.php?cmd=dashboard. If they do that, it skips the password form and password check, and they can then go ahead and do whatever in the admin.php file. How can I prevent this, so that a password check is automatically done before allowing somebody to view the page? I have tried adding the code I used in the manage section, but it doesn't work again. Any help will be greatly appreciated; I've been trying to work it out all day and have run out of ideas. Many thanks.

Hello all, I am in desperate need of help here, since my site was DDoS attacked by someone in Turkey (IPs originate mostly from Turkey, Germany, and some other European countries). I have installed the DDoS deflation script and most of the IPs are now blocked. I have a PHP file on my server that I use to input data into my database and my streaming servers. This file is called connect.php, and the hacker has basically created an automated script that repeatedly calls the connect.php file from a botnet, resulting in both Apache and MySQL dying. I use connect.php in the following way:

http.open('get', "ajax/createchannel_1.php?channel=" + channelname + "&sitename=" + sitename + "&privateurl=" + privateurl + "&privateurlcheck=" + privateurlcheck);

How can I change connect.php so that it only accepts execution from my server? Please, your help is greatly appreciated.

I have a problem with a widely used password-protect PHP code. I use a business directory program that allows custom input fields. I'm using this code to password-protect a business listing page in my directory code. I created custom fields for the username & password so a listing can enter their own user/pass, but when I test it, it won't work when I'm calling/echoing the fields. When I hardcode it with a user/pass it works. Any ideas on how I should recode this?

<?php
// Define your username and password
$username = "<?php echo $custom_74; ?>";
$password = "<?php echo $custom_16; ?>";

if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
<p><label for="txtUsername">Username:</label>
<br /><input type="text" title="Enter your Username" name="txtUsername" /></p>
<p><label for="txtpassword">Password:</label>
<br /><input type="password" title="Enter your password" name="txtPassword" /></p>
<p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
} else {
?>

I close the code correctly. <?php echo $custom_74; ?> & <?php echo $custom_16; ?> are just incidentally my custom field echo codes. I have over 150 custom fields working fine for user/listee options. The password-protect code won't accept echoes, it seems, as coded above. Thanks, Gene

This topic has been moved to Apache HTTP Server. http://www.phpfreaks.com/forums/index.php?topic=358740.0
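Added example (editor's code, not from any of the posts above) for the recurring "the check can be skipped" problem: admin.php?cmd=dashboard bypassing the password form, the members-only page that still renders after the redirect, and the login.php that keeps md5(login%password) in a cookie. One require_once at the top of every protected script, before any output and before the switch on $_GET['cmd'], authenticates on every request; the password is never stored in a cookie or passed around in links, and every redirect is followed by exit. Assumptions are hypothetical: the users map would normally be precomputed password_hash() strings in a file outside the web root; here the hashes are computed at load time only so the block runs stand-alone, and the page names are made up.

```php
<?php
// Added example; not code from any post above. A gate that runs on every
// request of a protected script, so no URL parameter can skip it.
// Hypothetical: users normally come from a file outside the web root holding
// precomputed password_hash() strings; computed here so the demo runs alone.

declare(strict_types=1);

function load_users(): array
{
    // Real deployments: return require '/etc/myapp/users.php';
    static $users = null;
    if ($users === null) {
        $users = [
            'visitor1' => password_hash('password1', PASSWORD_DEFAULT),
            'visitor2' => password_hash('password2', PASSWORD_DEFAULT),
            '*dummy*'  => password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT),
        ];
    }
    return $users;
}

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie not readable by script, only over HTTPS, not sent on cross-site POSTs.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Verifies credentials and, on success, binds the user to a fresh session id.
function attempt_login(string $login, string $password): bool
{
    $users = load_users();
    // Unknown user: verify against a dummy hash anyway, so the response time
    // does not reveal which usernames exist.
    $hash = $users[$login] ?? $users['*dummy*'];
    if ($login === '*dummy*' || !password_verify($password, $hash)) {
        return false;
    }
    start_session();
    session_regenerate_id(true);           // new id after privilege change: defeats fixation
    $_SESSION['user'] = $login;
    return true;
}

// Call before any output on every protected page; returns the logged-in user.
function require_login(string $loginUrl = '/login.php'): string
{
    start_session();
    if (!isset($_SESSION['user']) || !is_string($_SESSION['user'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;                              // without exit, the rest of the page still renders
    }
    return $_SESSION['user'];
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Three users, three pages, no database: the session user picks the page.
function landing_page_for(string $user): string
{
    $pages = ['visitor1' => '/visitor1.php', 'visitor2' => '/visitor2.php'];
    return $pages[$user] ?? '/index.php';
}

// login.php (sketch):
//   if (attempt_login((string)($_POST['u'] ?? ''), (string)($_POST['p'] ?? ''))) {
//       header('Location: ' . landing_page_for($_SESSION['user']), true, 302); exit;
//   }
// admin.php, members page, visitor1.php ... first statement:  $user = require_login();
```

For admin.php this means the password check happens once, in attempt_login(), and the switch on $cmd only runs after require_login() has returned; the `&password1=` query strings in the menu links disappear entirely. The same require_login() line at the top of each page is also the answer to "routed from index.php only": the web server cannot tell the pages apart, but a session can.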