Dynamic password protection of DIR's?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

mhulse
Forum Commoner
Posts: 41
Joined: Fri Jun 11, 2004 12:50 am

Dynamic password protection of DIR's?

Post by mhulse »

Hi,

I am in the process of writing a PHP script that dynamically generates a folder/HTML file via submission of a FORM... this is working very well... but I would also like to make every folder password protected...

What would be the best way to dynamically generate simple password protection for each dynamically generated folder?

Basically, what I am doing is, creating bids for possible jobs, and I want each bid to be password protected...

I would like to set it up where all I have to do is enter the user name and password via the same form and upon submission the folder with the html bid is then password protected.

Anyway, hopefully I am being clear... any links and/or suggestions/tips would be nice...

Thanks in advance!
Cheers
Micky
rehfeld
Forum Regular
Posts: 741
Joined: Mon Oct 18, 2004 8:14 pm

Post by rehfeld »

if you don't want to use a database, you could simply store the user/pass in a php file in the same folder

have your script create a file w/ the following contents in their directory

Code:

<?php

$username = 'their username';
$password = 'their chosen pass';

?>

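Code:

<?php

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// "acceptable" here means: both submitted, non-empty, and a-z, A-Z, 0-9 only,
// so nothing can break out of the quoted strings written below
$acceptable = is_string($username) && is_string($password)
    && $username !== '' && $password !== ''
    && !preg_match('/[^A-Za-z0-9]/', $username . $password);

if ($acceptable) {
    // Contents of the credentials file that the login check will include
    $login_file = '<?php
$username = "'.$username.'";
$password  = "'.$password.'";
?>
';
    $fp = @fopen('user_dir/credentials.php', 'w');
    if ($fp) {
        fwrite($fp, $login_file);
        fclose($fp);
    }
}

?>
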
then, when they want to login,
you could just check if the file exists,
if so, include it,
and then you can do your
if($_POST['password'] === $password) { } etc.....


be very careful when accepting the initial username/password though,
because they could include quotes/backslashes or other stuff that could cause a parse error,
possibly revealing info

maybe just allow a-z and 0-9

you could do something like this before accepting the user and pass

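Code:

// ereg() was removed in PHP 7; preg_match() with the same character class
// rejects any value containing a character outside A-Z, a-z and 0-9
if (preg_match('/[^A-Za-z0-9]/', $username)){
    echo 'bad';
} else {
    // ok
}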
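
One way to write the per-folder credentials file rehfeld describes without depending on input filtering alone, shown as an added example that is not code from this thread: `var_export()` produces the PHP literal, so quotes and backslashes stay data, and only a password hash is stored. The function names, the `credentials.php` layout (a file that returns an array) and the demo values are assumptions made for this sketch; it needs PHP 5.6 or later.

```php
<?php
// Added example, not rehfeld's code. Helper names and file layout are hypothetical.

// Write <dir>/credentials.php as a file that returns an array when included.
function write_credentials($dir, $username, $password)
{
    $data = array(
        'username' => $username,
        // Only a salted hash is stored; the plain password is never written.
        'hash'     => password_hash($password, PASSWORD_DEFAULT),
    );
    // var_export() emits a valid PHP literal and escapes quotes and backslashes,
    // so submitted text cannot end the string and cause a parse error.
    $php = "<?php\nreturn " . var_export($data, true) . ";\n";
    return file_put_contents($dir . '/credentials.php', $php, LOCK_EX) !== false;
}

// Check a submitted username/password against the stored file.
function check_login($dir, $username, $password)
{
    $file = $dir . '/credentials.php';
    if (!is_string($username) || !is_string($password) || !is_file($file)) {
        return false;
    }
    $cred = include $file;
    return is_array($cred)
        && hash_equals($cred['username'], $username)
        && password_verify($password, $cred['hash']);
}

// Constructed demo under the system temp directory: a username containing
// quotes and a backslash is stored and read back unchanged.
$dir = sys_get_temp_dir() . '/bid_' . uniqid();
mkdir($dir, 0750);
$name = 'o\'brien "bids" \\ test';
write_credentials($dir, $name, 'constructed-demo-pass');
var_dump(check_login($dir, $name, 'constructed-demo-pass'));
var_dump(check_login($dir, $name, 'wrong'));
```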
Shendemiar
Forum Contributor
Posts: 404
Joined: Thu Jan 08, 2004 8:28 am

Post by Shendemiar »

Try .htaccess, it's simpler and safer than PHP-made protection. And you can create the .htaccess file and add the passwords to the password file also with PHP.
djot
Forum Contributor
Posts: 313
Joined: Wed Jan 14, 2004 10:21 am
Location: planet earth

Post by djot »

-
Hi,

and be sure you don't allow to (over-)write files/folders in paths below or (up) the path you first thought of! Check the user's input for allowed paths/names/etc.

djot
-
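
Shendemiar's .htaccess suggestion and djot's warning about paths, combined in one added example that is not code from any poster in this thread: the folder and user names are validated before they reach a path or a directive, an existing folder is never overwritten, and the password file holds a bcrypt hash. The function name, directory layout and demo values are assumptions; it expects Apache 2.4 with `AllowOverride AuthConfig` for the bid directory and PHP 5.5 or later.

```php
<?php
// Added example, not code from this thread. Function and path names are hypothetical.
// Assumes Apache 2.4 with "AllowOverride AuthConfig" for $baseDir and PHP 5.5+.

function create_protected_bid($baseDir, $pwDir, $folder, $user, $pass, $realm)
{
    // Letters and digits only: no "../", slash, colon or newline can reach
    // a path, the password file or an Apache directive.
    foreach (array($folder, $user) as $name) {
        if (!is_string($name) || !preg_match('/\A[A-Za-z0-9]{1,32}\z/', $name)) {
            throw new InvalidArgumentException('folder/user: 1-32 letters or digits');
        }
    }
    if (!is_string($realm) || !preg_match('/\A[A-Za-z0-9 ]{1,64}\z/', $realm)) {
        throw new InvalidArgumentException('realm: letters, digits and spaces only');
    }
    if (!is_string($pass) || $pass === '') {
        throw new InvalidArgumentException('empty password');
    }

    // mkdir() fails when the folder exists, so an earlier bid is never overwritten.
    $dir = $baseDir . '/' . $folder;
    if (!@mkdir($dir, 0750)) {
        throw new RuntimeException('cannot create ' . $dir);
    }

    // One password file per bid, holding a bcrypt hash instead of the password.
    $pwFile = $pwDir . '/' . $folder . '.htpasswd';
    $entry  = $user . ':' . password_hash($pass, PASSWORD_BCRYPT) . "\n";
    $rules  = "AuthType Basic\n"
            . 'AuthName "' . $realm . "\"\n"
            . 'AuthUserFile "' . $pwFile . "\"\n"
            . "Require valid-user\n";

    if (file_put_contents($pwFile, $entry, LOCK_EX) === false
        || file_put_contents($dir . '/.htaccess', $rules, LOCK_EX) === false) {
        throw new RuntimeException('cannot write auth files for ' . $folder);
    }
    return $dir;
}

// Constructed demo values under the system temp directory. In real use
// $pwDir sits outside the web root so the hash file cannot be downloaded.
$base = sys_get_temp_dir() . '/bids_' . uniqid();
mkdir($base . '/site', 0750, true);
mkdir($base . '/private', 0750, true);
echo create_protected_bid($base . '/site', $base . '/private',
    'acme2004', 'acme', 'constructed-demo-pass', 'Bid for Acme'), "\n";
```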
mhulse
Forum Commoner
Posts: 41
Joined: Fri Jun 11, 2004 12:50 am

Post by mhulse »

Hi all,

Dang! I did not know I had any replies to this post... my forum contact email was set to an old address... grrr, so by the time I checked this thread I had already come up with a solution... but maybe not the best solution?

(Main PHP code:)

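Code:

...
...
...
...
// HTML to be written: the auth template is read as plain text (it is not executed here)
ob_start();

readfile($_SERVER['DOCUMENT_ROOT'].'/quotes/inc/auth.inc.php');

// ob_get_clean() returns the buffer and closes it, so no ob_end_clean() call follows
$contents = ob_get_clean();

// These values are pasted into quoted PHP strings in the generated file,
// so they must already be limited to safe characters (e.g. A-Za-z0-9)
$contents = str_replace('{log}',$auth_user, $contents);
$contents = str_replace('{pass}',$auth_pass, $contents);
$contents = str_replace('{realm}',$company, $contents);
...
...
...
...
fwrite($fp,$contents);
...
...
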
(And, here is "auth.inc.php":)

Code:

<?php
// Basic auth credentials sent by the browser. Current PHP exposes them only
// in $_SERVER; the old $PHP_AUTH_USER globals needed register_globals.
$sent_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$sent_pw   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

if ($sent_user === null) {
    // If empty, send header causing dialog box to appear
    header('WWW-Authenticate: Basic realm="{realm}"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else {
    // Strict comparison: with != two numeric-looking strings
    // such as "1e3" and "1000" would compare as equal
    if (($sent_user !== "{log}") || ($sent_pw !== "{pass}")) {
        header('WWW-Authenticate: Basic realm="My Privates"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    } else {
        echo "You're authorized!<br>";
        echo "You have entered this username: $sent_user<br>";
        echo "You have entered this password: $sent_pw<br>";
    }
}
?>

It actually works pretty good... I mean, for not using a DB...

rehfeld: Thanks for your help, I appreciate it! You have given me some great ideas!

I especially like this code:

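Code:

// ereg() was removed in PHP 7; preg_match() with the same character class
// rejects any value containing a character outside A-Z, a-z and 0-9
if (preg_match('/[^A-Za-z0-9]/', $username)){
    echo 'bad';
} else {
    // ok
}
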
I will be able to use that for other parts of my code....

And thanks Shendemiar and djot for the input, I really appreciate it... I have learned so much from people like you all... I love PHP, it rocks!

Cheers m8's,
Micky
djot
Forum Contributor
Posts: 313
Joined: Wed Jan 14, 2004 10:21 am
Location: planet earth

Post by djot »

-
Hi,

What are the folders needed for? Perhaps you don't really need "real" folders. Then it might be possible to only work with the database and show a virtual path/folders menu to the user.

There was a topic about "virtual folders" in the forum within the last 1-2 days ...

djot
-
mhulse
Forum Commoner
Posts: 41
Joined: Fri Jun 11, 2004 12:50 am

Post by mhulse »

Ooooh, good call, that sounds like an interesting way to do this...

This is a script that will allow me to make totally customizable bids on web-design jobs... it creates folders with the PHP file bids inside (which are password protected, with passwords unique to client)... I am also eventually going to have another script that will delete folders/files older than 14 days...

Virtual folders may be the way to do it though, I will do a search, thanks for the info djot, I appreciate it! :D

m
djot
Forum Contributor
Posts: 313
Joined: Wed Jan 14, 2004 10:21 am
Location: planet earth

Post by djot »

-
Hi,

So you use folders that are password protected only to store the bids to whatever jobs/etc.?? Why don't you store that information inside a database? You don't store any data/scripts/files/images. You don't need any files or folders I guess. Not even the virtual ones I mentioned before.

djot
-