
Dynamic password protection of DIR's?

Posted: Fri Nov 12, 2004 3:03 am
by mhulse
Hi,

I am in the process of writing a PHP script that dynamically generates a folder/HTML file via submission of a FORM... this is working very good... but I would also like to make every folder password protected...

What would be the best way to dynamically generate simple password protection for each dynamically generated folder?

Basically, what I am doing is, creating bids for possible jobs, and I want each bid to be password protected...

I would like to set it up where all I have to do is enter the user name and password via the same form and upon submission the folder with the html bid is then password protected.

Anyway, hopefully I am being clear... any links and/or suggestions/tips would be nice...

Thanks in advance!
Cheers
Micky

Posted: Fri Nov 12, 2004 3:35 am
by rehfeld
if you don't want to use a database, you could simply store the user/pass in a php file in the same folder

have your script create a file w/ the following contents in their directory

Code:

<?php

$username = 'their username';
$password = 'their chosen pass';

?>

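Code:

<?php

// Take the submitted values; anything missing or not a string becomes ''
$username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
$password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';

// Acceptable = non-empty and only a-z, A-Z, 0-9, so nothing can break the generated file
if (ctype_alnum($username) && ctype_alnum($password)) {
    $login_file = '<?php
$username = "'.$username.'";
$password  = "'.$password.'";
?>
';
    $fp = @fopen('user_dir/credentials.php', 'w');
    if ($fp) {
        fwrite($fp, $login_file);
        fclose($fp);
    }
}

?>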
then, when they want to login,
you could just check if the file exists,
if so, include it,
and then you can do your
if($_POST['password'] === $password) { } etc.....


be very careful when accepting the initial username/password though,
because they could include quotes/backslashes or other stuff that could cause a parse error,
possibly revealing info

maybe just allow a-z and 0-9

you could do something like this before accepting the user and pass

Code:

// ereg() was removed in PHP 7; preg_match() performs the same check
if (preg_match('/[^A-Za-z0-9]/', $username)) {
    echo 'bad';
} else {
    // ok
}
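
Added example, not part of rehfeld's post or of any code in this thread: the same credentials-file idea, written so that quotes and backslashes in the input cannot break the generated PHP and so that only a password hash is stored. The function names, the `hash` key and the demo directory are assumptions; it needs PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. Function names, the 'hash' key and
// the demo directory are assumptions made for illustration.

// Write the per-folder credentials file. var_export() emits a correctly escaped
// PHP literal, so quotes or backslashes cannot break out of the string.
function write_credentials($dir, $username, $password)
{
    $data = array(
        'username' => $username,
        // store a salted hash, never the plain password
        'hash'     => password_hash($password, PASSWORD_DEFAULT),
    );
    $php = "<?php\nreturn " . var_export($data, true) . ";\n";
    // LOCK_EX avoids a half-written file if two submissions race
    return file_put_contents($dir . '/credentials.php', $php, LOCK_EX) !== false;
}

// Check a login attempt against the stored file.
function check_login($dir, $username, $password)
{
    $file = $dir . '/credentials.php';
    if (!is_file($file)) {
        return false;
    }
    $stored = include $file;
    if (!is_array($stored) || !isset($stored['username'], $stored['hash'])) {
        return false;
    }
    // hash_equals() compares in constant time; password_verify() checks the hash
    $user_ok = hash_equals($stored['username'], (string) $username);
    $pass_ok = password_verify((string) $password, $stored['hash']);
    return $user_ok && $pass_ok;
}

// Constructed demo: a password containing the characters that break naive pasting
$dir = sys_get_temp_dir() . '/bid_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
$tricky = 'pa"ss\\\'; phpinfo(); //';
write_credentials($dir, 'client1', $tricky);
var_dump(check_login($dir, 'client1', $tricky));
var_dump(check_login($dir, 'client1', 'wrong'));
```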

Posted: Fri Nov 12, 2004 6:15 am
by Shendemiar
Try .htaccess, it's simpler and safer than PHP-made protection. And you can create the .htaccess file and add the passwords to the password file also with PHP.

Posted: Sat Nov 13, 2004 7:18 am
by djot
-
Hi,

And be sure you don't allow files/folders to be (over-)written in paths below or (up) the path you first thought of! Check the user's input for allowed paths/names/etc.

djot
-
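
Added example, not code from the thread: one way to generate the .htaccess and password file that Shendemiar suggests from PHP, with the folder-name check djot asks for. The function name, its parameters and the demo paths are assumptions; it needs PHP 5.5 or later and assumes Apache 2.4.

```php
<?php
// Added example, not code from the thread. The function name, its parameters and
// the demo paths are assumptions for illustration.
function protect_bid_folder($web_root, $private_dir, $folder, $user, $pass, $realm)
{
    // Plain names only: no '/', no '..', no leading dot, so nothing can be
    // written above or beside the intended folder. \z rejects a trailing newline.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\z/', $folder)) {
        return false;
    }
    // ':' and newlines are field separators in the password file.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $user)) {
        return false;
    }
    // The realm sits inside a quoted directive: drop quotes, backslashes, newlines.
    $realm = preg_replace('/[^A-Za-z0-9 ._-]/', '', $realm);
    if ($realm === '') {
        $realm = 'Restricted';
    }

    $dir = $web_root . '/' . $folder;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        return false;
    }

    // Password file kept outside the web root; Apache 2.4 accepts bcrypt ($2y$) entries.
    $passfile = $private_dir . '/' . $folder . '.htpasswd';
    $entry = $user . ':' . password_hash($pass, PASSWORD_BCRYPT) . "\n";
    if (file_put_contents($passfile, $entry, LOCK_EX) === false) {
        return false;
    }

    $htaccess = "AuthType Basic\n"
              . 'AuthName "' . $realm . "\"\n"
              . 'AuthUserFile "' . $passfile . "\"\n"
              . "Require valid-user\n";
    return file_put_contents($dir . '/.htaccess', $htaccess, LOCK_EX) !== false;
}

// Constructed demo using temporary directories in place of the real site paths
$web  = sys_get_temp_dir() . '/bids_demo/public';
$priv = sys_get_temp_dir() . '/bids_demo/private';
@mkdir($web, 0755, true);
@mkdir($priv, 0700, true);
var_dump(protect_bid_folder($web, $priv, 'acme-2004-11', 'acme', 'pw-from-form', 'Acme bid'));
var_dump(protect_bid_folder($web, $priv, '../etc', 'acme', 'pw-from-form', 'Acme bid'));
```

Apache only reads the generated .htaccess if the directory's `AllowOverride` includes `AuthConfig`.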

Posted: Sat Nov 13, 2004 2:51 pm
by mhulse
Hi all,

Dang! I did not know I had any replies to this post... my forum contact email was set to an old address... grrr, so by the time I checked this thread I had already come up with a solution... but maybe not the best solution?

(Main PHP code:)

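Code:

...
...
...
...
// HTML to be written:
// $auth_user, $auth_pass and $company are pasted into PHP string literals in the
// generated file, so restrict them to safe characters (e.g. a-z, 0-9) first
ob_start();

readfile($_SERVER['DOCUMENT_ROOT'].'/quotes/inc/auth.inc.php');

// ob_get_clean() returns the buffer and also closes it, so no ob_end_clean() is needed
$contents = ob_get_clean();

$contents = str_replace('{log}',$auth_user, $contents);
$contents = str_replace('{pass}',$auth_pass, $contents);
$contents = str_replace('{realm}',$company, $contents);
...
...
...
...
fwrite($fp,$contents);
...
...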
(And, here is "auth.inc.php":)

Code:

<?php
// The $PHP_AUTH_* globals only exist with register_globals, so read them from $_SERVER
$PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$PHP_AUTH_PW   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

// Check to see if $PHP_AUTH_USER already contains info
if (!isset($PHP_AUTH_USER)) {
	// If empty, send header causing dialog box to appear
	header('WWW-Authenticate: Basic realm="{realm}"');
	header('HTTP/1.0 401 Unauthorized');
	echo 'Authorization Required.';
	exit;
} else if (isset($PHP_AUTH_USER)) {
	if (($PHP_AUTH_USER != "{log}") || ($PHP_AUTH_PW != "{pass}")) {
		// Wrong user/pass: ask again, using the same realm as the first prompt
		header('WWW-Authenticate: Basic realm="{realm}"');
		header('HTTP/1.0 401 Unauthorized');
		echo 'Authorization Required.';
		exit;
	} else {
		echo "You're authorized!<br>";
		echo "You have entered this username: $PHP_AUTH_USER<br>";
		echo "You have entered this password: $PHP_AUTH_PW<br>";
	}
}
?>
It actually works pretty good... I mean, for not using a DB...

rehfeld: Thanks for your help, I appreciate it! You have given me some great ideas!

I especially like this code:

Code:

// ereg() was removed in PHP 7; preg_match() performs the same check
if (preg_match('/[^A-Za-z0-9]/', $username)) {
    echo 'bad';
} else {
    // ok
}
I will be able to use that for other parts of my code....

And thanks Shendemiar and djot for the input, I really appreciate it... I have learned so much from people like you all... I love PHP, it rocks!

Cheers m8's,
Micky

Posted: Sat Nov 13, 2004 3:01 pm
by djot
-
Hi,

What are the folders needed for? Perhaps you don't really need "real" folders. Then it might be possible to only work with the database and show a virtual path/folders menu to the user.

There was a topic about "virtual folders" in the forum within the last 1-2 days ...

djot
-

Posted: Sat Nov 13, 2004 3:13 pm
by mhulse
Ooooh, good call, that sounds like an interesting way to do this...

This is a script that will allow me to make totally customizable bids on web-design jobs... it creates folders with the PHP file bids inside (which are password protected, with passwords unique to client)... I am also eventually going to have another script that will delete folders/files older than 14 days...

Virtual folders may be the way to do it though, I will do a search, thanks for the info djot, I appreciate it! :D

m

Posted: Sat Nov 13, 2004 3:22 pm
by djot
-
Hi,

So you use folders that are password protected only to store the bids to whatever jobs/etc.?? Why don't you store that information inside a database? You don't store any data/scripts/files/images. You don't need any files or folders I guess. Not even the virtual ones I mentioned before.

djot
-