19 replies to this topic

[websaint]

If you need to password protect a page on your site, then you should take a look at this. I'll show you how to make a simple password protection for your site right here!! Just copy and paste the php script below:

Put this in a file you call login.html

<form action="[color=orange]login.php[/color]" method="post">
<input type="text" name="login">
<input type="password" name="passwd">
<input type="Submit">
</form>

[b]Put this in a file you call [color=orange]login.php[/color][/b] (you'll have to embed the content of your secret page with this script)

<?
if (empty($_POST['login']))
{
	exit();
}

if(strcmp($_POST['login'],"[color=orange]correct username here[/color]")==0 && strcmp($_POST['passwd'],"[color=orange]correct password here[/color]")==0)
{
?>

[color=orange]<html>
<body>

<p>Bla..bla..bla...You're secret page content should be added here!!</p>

</body>
</html>[/color]
<?
}
else
{
echo "[color=orange]Wrong username or password[/color]";
}
?>

That's all you have to do and you have a password protected page!!

[bx93]

I just begin to learn PHP, and very happy to find that it's so similar as C. To save the time, I skiped most of PHP desription. However, now I have something not very sure:
1. How could I keep some pages can be called in the html or php, but could not be viewed from the website? Your method described here may have solved this obstacle already, would you describe it a little more.
2. How could php load the client files to the server?
3. May I display some image(jpg or gif) with php?

I'm anxious to get the help from you, thank you in advance.

[KyoNiwa]

I have a question... Is that password protection foolproof or not easily bypassed? I guess what I'm trying to ask is that is it of the same protection quality of say... the asta host password protection or an email password protection?

[marijnnn]

well, it's safe. as the username is stored in a php variable, it will not be visible to all users.
but if you're on a school network, they can intercept the traffic and your password can be read, not encrypted or anything. but maybe that's a little paranoia. if you want your password to be unreadable in the traffic, i can give you a script that does so. it encrypts your password before it is sent and then it is compared with the stored (also encrypted) version of your pw. it cannot be decrypted!

[k22]

well, it's safe. as the username is stored in a php variable, it will not be visible to all users.
but if you're on a school network, they can intercept the traffic and your password can be read, not encrypted or anything. but maybe that's a  little paranoia. if you want your password to be unreadable in the traffic, i can give you a script that does so. it encrypts your password before it is sent and then it is compared with the stored (also encrypted) version of your pw. it cannot be decrypted!

<{POST_SNAPBACK}>

Are You speak about MD5 Hashing?if not, i'm interested, how do you make it?

[bx93]

I agree with marijnnn, I have tried to write something in my php file which store message to mysql database. It works and the operations in php file will not be viewed via web link. However, to be safe, we need not only the operation, but also must consider the transfer (which marijnnn has already talked about), one more issue we should consider is: we also need to protect our database and the password.

[marijnnn]

small tutorial for md5 hash using.
store your info like this in a database or file:
username :: md5hash of password.
i use a database and have about 25 users in it. if you want, you can even set different rights by a third column. i use the linux method:
read = 1, write, =2, read + write = 3, execute =4, execute +read = 5, execute + write = 6, execute + write + read = 7.
only, it means other things. some users can upload pictures, some can only read info,...

then search google for 'javascript md5'
you'll get a js file and a small document.
and then, before sending the information of the form, you do this:
password.value=md5(password.value);
or something like that. i'm sure you'll find some info on the net how to do it. if not, i'll post the entire code this weekend if you want it.
and then you post the username and md5 hashed password. serverside, you check if there is a match and set the rights with a cookie or something like that.

[mastercomputers]

Let's do this but using HTML, PHP and MySQL. The improvements that you could make is that you create pages to help you manage your database which means you would have a registration page, a forgotten password page and a login page and whatever else you think you would require, concept behind it is a full feature membership login procedure. But for this I will only show you the basics and may provide the complete package in the HOWTO and TUTORIAL section.

So lets begin with setting up our database, hopefully you have a database already created, our one will be named MyDB for this example.

Next we will pass some MySQL query inside phpmyadmin to create the table and entries we require. Since it's only for a simple login, what would we require? We need the username and password. We should have some security features behind this, but for this simple login, we won't be needing that.

CREATE TABLE users (
	userid int(25) NOT NULL auto_increment,
	username varchar(30) NOT NULL default '',
	passwd varchar(255) NOT NULL default '',
	PRIMARY KEY (userid),
	UNIQUE KEY (username)
) TYPE = MyISAM COMMENT =  'MyDB Users';

That create our table we will use to store our username/password,

We then create our first user, using phpmyadmin once again to execute this query.

INSERT INTO `users` (`userid`, `username`, `passwd`)
VALUES (
	'', 'myUserName', PASSWORD('myPassWord')
);

What this does is add a user named myUserName and a password that is myPassWord as well as doing the auto_increment used for userid, which should get set to 1.

Next we write our connection to database file, this is the user that has permissions on the database to be able to access the required information we need, this file we will include in our login script to connect to our database and perform the required tasks. We will call this dbcon.inc.php

<?php
$dbhost = 'localhost';
$dbusername = 'MyDB_username';
$dbpassword = 'MyDB_password';
$database = 'MyDB';

$connection = mysql_connect("$dbhost", "$dbusername", "$dbpassword") or die('Error: Connection to Server failed');
$db = mysql_select_db("$database", $connection) or die('Error:  Database selection failed');
?>

We then create our simple login.html form, not set up nicely, but I'll leave that up to you.

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict //EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-NZ" lang="en-NZ">
	<head>
		<title>
			Login Page
		</title>
	</head>

	<body>
		<form action="/php-bin/login.php" method="post" id="loginform">
			<table summary="login information">
				<tr>
					<td>Username</td>
					<td><input id="username" type="text" name="username" /></td>
				</tr>
				<tr>
					<td>Password</td>
					<td><input id="password" type="password" name="password" /></td>
				</tr>
				<tr>
					<td>&nbsp;</td>
					<td><input type="submit" id="submit" value="Submit" name="submit" /></td>
				</tr>
			</table>
		</form>
	</body>
</html>

Now all we need to do is create our login.php script

<?php
include '../includes/db.inc.php';
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password))
	exit();

$sql = mysql_query("SELECT * FROM users WHERE userid = '1' AND username = '$username' AND passwd = PASSWORD('$password')");
$login_check = mysql_num_rows($sql);

if($login_check > 0)
{
	echo '<' . '?xml version=1.0" encoding="iso-8859-1"?' . '>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict //EN"
	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-NZ" lang="en-NZ">
	<head>
  <title>
 	 Secret Page
  </title>
	</head>
	
	<body>
	<p>blah blah blah blah blah SECRET PAGE blah blah blah</p>
	</body>
</html>
<?php
}
else
	echo "Your login was invalid, Either username or password were incorrect<br />";
?>

And that's it, You just have to make sure that you have a folder called includes (new folder created) for all your included files to go and that the path is correct, that the login.php exists in your php-bin (new folder created). There have been issues with using the word password in MySQL as I believe it's a reserved word, so you might want to change from using password to passwd as I have done in MySQL.

To login you would use myUserName and myPassWord.

This has been tested and verified that it works.


Cheers, MC

[r3d]

I just begin to learn PHP, and very happy to find that it's so similar as C. To save the time, I skiped most of PHP desription. However, now I have something not very sure:
1. How could I keep some pages can be called in the html or php, but could not be viewed from the website? Your method described here may have solved this obstacle already, would you describe it a little more.
2. How could php load the client files to the server?
3. May I display some image(jpg or gif) with php?

I'm anxious to get the help from you, thank you in advance.

<{POST_SNAPBACK}>

1. just save the file in html if you want it in html if in php just put these lines "<?php ?>" in the header before your content and save in php that will be bloop php pages. take note that if your file contains php code you must save it in php or it will not be parse.
2. just a client and server relations
3. yes with php gd functions

and for the code if you want to add some security to your password you could do this

INSERT INTO `users` (`userid`, `username`, `passwd`)
VALUES (
'', 'myUserName', password('myPassWord')
);

[mastercomputers]

1. just save the file in html if you want it in html if in php just put these lines "<?php ?>" in the header before your content and save in php that will be bloop php pages. take note that if your file contains php code you must save it in php or it will not be parse.
2. just a client and server relations 
3. yes with php gd functions 

and for the code if you want to add some security to your password you could do this

INSERT INTO `users` (`userid`, `username`, `passwd`)
VALUES (
'', 'myUserName', password('myPassWord')
);

<{POST_SNAPBACK}>

I took r3d's advice and altered the script to use PASSWORD('myPassWord') as well as altering the check for it to use PASSWORD as well. Script has been tested and works.


Cheers, MC

[sha]

no need of so much circus. just in every control panel this feature will be there. if you cannot fine just go throug help in cpanel

[yordan]

You are "gonna create", but you did not do it yet!

[yordan]

did it! wait for modorator

Huh? How can we know that you wrote your program? Post it here and let's see if a newbie can use it!

[yordan]

ok i meant "waiting" and let me rephrase that. " id did it! im waiting for a mod to aprove it. can you? "
still it needs to be moderated. but to show you i will reply or "quote" with it

Sorry, I did not see that you replied to the present topic with a code shown in another topic. My fault.