
PHP Site Protection

Posted: Wed May 27, 2009 1:34 pm
by brianleighty
Hi, I am working on a script to protect an entire site from unauthorized access. I am using mod_rewrite in the .htaccess to forward all requests to the authorization PHP script; then, based on whether they are authorized, it either reads the file or shows a login page. For the most part, everything is working. readfile in combination with the correct headers works fine for all files except PHP files, which are not parsed before output. To get around this, I am doing a check on the extension, and if it's php then it should do an include instead of reading the file. Now for some reason, on some pages on the site it goes through and works just fine, but on other pages it seems to stop short and not load all the elements or HTML. Below is the code. If anybody has any idea why this isn't working, or a better idea for protecting an entire site, I'd appreciate it. Thanks.

Code:

<?PHP
error_reporting(E_ALL);
ini_set('display_errors', '1');
require('db-config.php');
mysql_connect('localhost',$username,$password);
mysql_select_db($database);
 
$username = '';
$password = '';
 
if(isset($_COOKIE['password']) && isset($_COOKIE['username'])){
$username = $_COOKIE['username'];
$password = $_COOKIE['password'];
}
 
if(isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
}
 
$verification_query = mysql_query("SELECT ID FROM users WHERE username='$username' AND password='$password'");
$valid_user = mysql_num_rows($verification_query);
if($valid_user == 1){
        if(!isset($_COOKIE['password']) && !isset($_COOKIE['username'])){
        setcookie('username',$username,0);
        setcookie('password',$password,0);
        }
    
        $link = $_SERVER['DOCUMENT_ROOT'] . $_SERVER['REQUEST_URI'];
    
       $mime_types = array("323" => "text/h323",
"acx" => "application/internet-property-stream",
"ai" => "application/postscript",
"aif" => "audio/x-aiff",
"aifc" => "audio/x-aiff",
"aiff" => "audio/x-aiff",
"asf" => "video/x-ms-asf",
"asr" => "video/x-ms-asf",
"asx" => "video/x-ms-asf",
"au" => "audio/basic",
"avi" => "video/x-msvideo",
"axs" => "application/olescript",
"bas" => "text/plain",
"bcpio" => "application/x-bcpio",
"bin" => "application/octet-stream",
"bmp" => "image/bmp",
"c" => "text/plain",
"cat" => "application/vnd.ms-pkiseccat",
"cdf" => "application/x-cdf",
"cer" => "application/x-x509-ca-cert",
"class" => "application/octet-stream",
"clp" => "application/x-msclip",
"cmx" => "image/x-cmx",
"cod" => "image/cis-cod",
"cpio" => "application/x-cpio",
"crd" => "application/x-mscardfile",
"crl" => "application/pkix-crl",
"crt" => "application/x-x509-ca-cert",
"csh" => "application/x-csh",
"css" => "text/css",
"dcr" => "application/x-director",
"der" => "application/x-x509-ca-cert",
"dir" => "application/x-director",
"dll" => "application/x-msdownload",
"dms" => "application/octet-stream",
"doc" => "application/msword",
"dot" => "application/msword",
"dvi" => "application/x-dvi",
"dxr" => "application/x-director",
"eps" => "application/postscript",
"etx" => "text/x-setext",
"evy" => "application/envoy",
"exe" => "application/octet-stream",
"fif" => "application/fractals",
"flr" => "x-world/x-vrml",
"gif" => "image/gif",
"gtar" => "application/x-gtar",
"gz" => "application/x-gzip",
"h" => "text/plain",
"hdf" => "application/x-hdf",
"hlp" => "application/winhlp",
"hqx" => "application/mac-binhex40",
"hta" => "application/hta",
"htc" => "text/x-component",
"htm" => "text/html",
"html" => "text/html",
"htt" => "text/webviewhtml",
"ico" => "image/x-icon",
"ief" => "image/ief",
"iii" => "application/x-iphone",
"ins" => "application/x-internet-signup",
"isp" => "application/x-internet-signup",
"jfif" => "image/pipeg",
"jpe" => "image/jpeg",
"jpeg" => "image/jpeg",
"jpg" => "image/jpeg",
"js" => "application/x-javascript",
"latex" => "application/x-latex",
"lha" => "application/octet-stream",
"lsf" => "video/x-la-asf",
"lsx" => "video/x-la-asf",
"lzh" => "application/octet-stream",
"m13" => "application/x-msmediaview",
"m14" => "application/x-msmediaview",
"m3u" => "audio/x-mpegurl",
"man" => "application/x-troff-man",
"mdb" => "application/x-msaccess",
"me" => "application/x-troff-me",
"mht" => "message/rfc822",
"mhtml" => "message/rfc822",
"mid" => "audio/mid",
"mny" => "application/x-msmoney",
"mov" => "video/quicktime",
"movie" => "video/x-sgi-movie",
"mp2" => "video/mpeg",
"mp3" => "audio/mpeg",
"mpa" => "video/mpeg",
"mpe" => "video/mpeg",
"mpeg" => "video/mpeg",
"mpg" => "video/mpeg",
"mpp" => "application/vnd.ms-project",
"mpv2" => "video/mpeg",
"ms" => "application/x-troff-ms",
"mvb" => "application/x-msmediaview",
"nws" => "message/rfc822",
"oda" => "application/oda",
"p10" => "application/pkcs10",
"p12" => "application/x-pkcs12",
"p7b" => "application/x-pkcs7-certificates",
"p7c" => "application/x-pkcs7-mime",
"p7m" => "application/x-pkcs7-mime",
"p7r" => "application/x-pkcs7-certreqresp",
"p7s" => "application/x-pkcs7-signature",
"pbm" => "image/x-portable-bitmap",
"pdf" => "application/pdf",
"pfx" => "application/x-pkcs12",
"pgm" => "image/x-portable-graymap",
"pko" => "application/ynd.ms-pkipko",
"pma" => "application/x-perfmon",
"pmc" => "application/x-perfmon",
"pml" => "application/x-perfmon",
"pmr" => "application/x-perfmon",
"pmw" => "application/x-perfmon",
"pnm" => "image/x-portable-anymap",
"pot" => "application/vnd.ms-powerpoint",
"ppm" => "image/x-portable-pixmap",
"pps" => "application/vnd.ms-powerpoint",
"ppt" => "application/vnd.ms-powerpoint",
"prf" => "application/pics-rules",
"ps" => "application/postscript",
"pub" => "application/x-mspublisher",
"qt" => "video/quicktime",
"ra" => "audio/x-pn-realaudio",
"ram" => "audio/x-pn-realaudio",
"ras" => "image/x-cmu-raster",
"rgb" => "image/x-rgb",
"rmi" => "audio/mid",
"roff" => "application/x-troff",
"rtf" => "application/rtf",
"rtx" => "text/richtext",
"scd" => "application/x-msschedule",
"sct" => "text/scriptlet",
"setpay" => "application/set-payment-initiation",
"setreg" => "application/set-registration-initiation",
"sh" => "application/x-sh",
"shar" => "application/x-shar",
"sit" => "application/x-stuffit",
"snd" => "audio/basic",
"spc" => "application/x-pkcs7-certificates",
"spl" => "application/futuresplash",
"src" => "application/x-wais-source",
"sst" => "application/vnd.ms-pkicertstore",
"stl" => "application/vnd.ms-pkistl",
"stm" => "text/html",
"svg" => "image/svg+xml",
"sv4cpio" => "application/x-sv4cpio",
"sv4crc" => "application/x-sv4crc",
"t" => "application/x-troff",
"tar" => "application/x-tar",
"tcl" => "application/x-tcl",
"tex" => "application/x-tex",
"texi" => "application/x-texinfo",
"texinfo" => "application/x-texinfo",
"tgz" => "application/x-compressed",
"tif" => "image/tiff",
"tiff" => "image/tiff",
"tr" => "application/x-troff",
"trm" => "application/x-msterminal",
"tsv" => "text/tab-separated-values",
"txt" => "text/plain",
"uls" => "text/iuls",
"ustar" => "application/x-ustar",
"vcf" => "text/x-vcard",
"vrml" => "x-world/x-vrml",
"wav" => "audio/x-wav",
"wcm" => "application/vnd.ms-works",
"wdb" => "application/vnd.ms-works",
"wks" => "application/vnd.ms-works",
"wmf" => "application/x-msmetafile",
"wps" => "application/vnd.ms-works",
"wri" => "application/x-mswrite",
"wrl" => "x-world/x-vrml",
"wrz" => "x-world/x-vrml",
"xaf" => "x-world/x-vrml",
"xbm" => "image/x-xbitmap",
"xla" => "application/vnd.ms-excel",
"xlc" => "application/vnd.ms-excel",
"xlm" => "application/vnd.ms-excel",
"xls" => "application/vnd.ms-excel",
"xlt" => "application/vnd.ms-excel",
"xlw" => "application/vnd.ms-excel",
"xof" => "x-world/x-vrml",
"xpm" => "image/x-xpixmap",
"xwd" => "image/x-xwindowdump",
"z" => "application/x-compress",
"zip" => "application/zip");
    
    
        $ext = end(explode('.',$link));
    
    
    if(isset($mime_types[$ext])){
    header("Content-Type: ". $mime_types[$ext]);
    }
           header("Content-Length: ".@filesize($link));
            if($ext == 'php'){
        include($link);
        }
        else{
           readfile($link);
            }
        
}
else{
    if($_SERVER['REQUEST_URI'] != '/SECURED/'){
    $login_required = 1;
    }
include('../index.php');
}
?>

Re: PHP Site Protection

Posted: Wed May 27, 2009 1:40 pm
by Christopher
Use a Front Controller and move the site's code outside your public HTML directory.

Re: PHP Site Protection

Posted: Wed May 27, 2009 2:46 pm
by brianleighty
arborint wrote: Use a Front Controller and move the site's code outside your public HTML directory.
Alright, the only problem with that is I would like to be able to do PHP includes so that items like the menu can be shared with all the pages. I would guess .shtml files wouldn't work correctly either.

Re: PHP Site Protection

Posted: Wed May 27, 2009 2:54 pm
by brianleighty
Ok, so I think I know what's causing the problem, but I don't know how to fix it. Inside some of my pages I have a PHP include for a menu. This menu has links to some images and JavaScript. When I remove these external file references, the page loads fine. Does anybody know any way to fix this?

Re: PHP Site Protection

Posted: Wed May 27, 2009 3:20 pm
by Christopher
brianleighty wrote: Alright, the only problem with that is I would like to be able to do PHP includes so that items like the menu can be shared with all the pages. I would guess .shtml files wouldn't work correctly either.
You can do any PHP includes that you want and share anything you want. Everything in PHP works the same; you're just going through a Front Controller script.