Dynamic password protection of DIR's?
Posted: Fri Nov 12, 2004 3:03 am
by mhulse
Hi,
I am in the process of writing a PHP script that dynamically generates a folder/HTML file via submission of a FORM... this is working very well... but I would also like to make every folder password protected...
What would be the best way to dynamically generate simple password protection for each dynamically generated folder?
Basically, what I am doing is, creating bids for possible jobs, and I want each bid to be password protected...
I would like to set it up where all I have to do is enter the user name and password via the same form and upon submission the folder with the html bid is then password protected.
Anyway, hopefully I am being clear... any links and/or suggestions/tips would be nice...
Thanks in advance!
Cheers
Micky
Posted: Fri Nov 12, 2004 3:35 am
by rehfeld
if you don't want to use a database, you could simply store the user/pass in a php file in the same folder
have your script create a file with the following contents in their directory
Code:
<?php
$username = 'their username';
$password = 'their chosen pass';
?>
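Code:
<?php
// Accept the submitted username and password only if both consist of
// a-z, A-Z and 0-9, because both values are written into PHP source below.
$username = isset($_POST['username']) ? $_POST['username'] : null;
$password = isset($_POST['password']) ? $_POST['password'] : null;
if (is_string($username) && is_string($password)
    && preg_match('/\A[A-Za-z0-9]+\z/', $username)
    && preg_match('/\A[A-Za-z0-9]+\z/', $password)) {
    // Source of the per-directory credentials file
    $login_file = '<?php
$username = "'.$username.'";
$password = "'.$password.'";
?>
';
    $fp = @fopen('user_dir/credentials.php', 'w');
    if ($fp) {
        fwrite($fp, $login_file);
        fclose($fp);
    }
}
?>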
then, when they want to login,
you could just check if the file exists,
if so, include it,
and then you can do your
if($_POST['password'] === $password) { } etc.....
be very careful when accepting the initial username/password though,
because they could include quotes/backslashes or other stuff that could cause a parse error,
possibly revealing info
maybe just allow a-z and 0-9
you could do something like this before accepting the user and pass
Code:
// ereg() was removed in PHP 7.0; preg_match() is the replacement
if (preg_match('/[^A-Za-z0-9]/', $username)) {
    echo 'bad';
} else {
    // ok
}
Posted: Fri Nov 12, 2004 6:15 am
by Shendemiar
Try .htaccess, it's simpler and safer than PHP-made protection. And you can also create the .htaccess file and add the passwords to the password file with PHP.
Posted: Sat Nov 13, 2004 7:18 am
by djot
-
Hi,
and be sure you don't allow files/folders to be (over-)written in paths below or above the path you first thought of! Check the user's input for allowed paths/names/etc.
djot
-
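Shendemiar's .htaccess suggestion and djot's path check, combined in an added example that is not code from any post in this thread. The function name, its parameters and the demo values are hypothetical, and it assumes the password-file directory lies outside the web root.

```php
<?php
// Added example, not code from the thread. protect_bid_folder() and its
// parameters are hypothetical names.
function protect_bid_folder(string $baseDir, string $pwDir, string $folder,
                            string $user, string $pass): bool
{
    // Allow-list both names; this also excludes "/", "..", ":" and newlines.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $folder)
        || !preg_match('/\A[A-Za-z0-9]{1,32}\z/', $user)) {
        return false;
    }
    $base = realpath($baseDir);
    $pw   = realpath($pwDir);
    if ($base === false || $pw === false) {
        return false;
    }
    $target = $base . DIRECTORY_SEPARATOR . $folder;
    if (!is_dir($target) && !mkdir($target, 0750)) {
        return false;
    }
    // With symlinks resolved, the folder must still sit directly under the base.
    $real = realpath($target);
    if ($real === false || dirname($real) !== $base) {
        return false;
    }
    // password_hash() bcrypt output ($2y$...) is a format Apache 2.4 accepts.
    $pwFile = $pw . DIRECTORY_SEPARATOR . $folder . '.htpasswd';
    $line   = $user . ':' . password_hash($pass, PASSWORD_BCRYPT) . "\n";
    if (file_put_contents($pwFile, $line, LOCK_EX) === false) {
        return false;
    }
    $htaccess = "AuthType Basic\nAuthName \"Bid\"\n"
              . "AuthUserFile \"$pwFile\"\nRequire valid-user\n";
    return file_put_contents($real . '/.htaccess', $htaccess, LOCK_EX) !== false;
}

// Constructed demo in a scratch directory: one ordinary folder name,
// then one traversal-style name that the allow-list refuses.
$root = sys_get_temp_dir() . '/bids_demo_' . getmypid();
mkdir($root . '/quotes', 0750, true);
mkdir($root . '/private', 0750, true);
var_dump(protect_bid_folder("$root/quotes", "$root/private", 'acme-2004', 'acme', 's3cret'));
var_dump(protect_bid_folder("$root/quotes", "$root/private", '../private', 'acme', 'x'));
```

Apache only honours these directives in .htaccess when the server configuration sets AllowOverride AuthConfig for that directory.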
Posted: Sat Nov 13, 2004 2:51 pm
by mhulse
Hi all,
Dang! I did not know I had any replies to this post... my forum contact email was set to an old address... grrr, so by the time I checked this thread I had already come up with a solution... but maybe not the best solution?
(Main PHP code:)
Code:
...
...
...
...
// HTML to be written:
ob_start();
readfile($_SERVER['DOCUMENT_ROOT'].'/quotes/inc/auth.inc.php');
// ob_get_clean() returns the buffer and closes it, so no ob_end_clean() is needed afterwards
$contents = ob_get_clean();
$contents = str_replace('{log}',$auth_user, $contents);
$contents = str_replace('{pass}',$auth_pass, $contents);
$contents = str_replace('{realm}',$company, $contents);
...
...
...
...
fwrite($fp,$contents);
...
...
(And, here is "auth.inc.php":)
Code:
<?php
// $PHP_AUTH_USER / $PHP_AUTH_PW relied on register_globals (removed in PHP 5.4);
// read the Basic-auth values from $_SERVER instead.
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$pw   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
// Check to see if the browser already sent credentials
if ($user === null) {
    // If empty, send header causing dialog box to appear
    header('WWW-Authenticate: Basic realm="{realm}"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else {
    // Strict comparison avoids PHP's loose-comparison type juggling
    if (($user !== "{log}") || ($pw !== "{pass}")) {
        header('WWW-Authenticate: Basic realm="My Privates"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    } else {
        echo "You're authorized!<br>";
        echo "You have entered this username: $user<br>";
        echo "You have entered this password: $pw<br>";
    }
}
?>
It actually works pretty well... I mean, for not using a DB...
rehfeld: Thanks for your help, I appreciate it! You have given me some great ideas!
I especially like this code:
Code:
// ereg() was removed in PHP 7.0; preg_match() is the replacement
if (preg_match('/[^A-Za-z0-9]/', $username)) {
    echo 'bad';
} else {
    // ok
}
I will be able to use that for other parts of my code....
And thanks Shendemiar and djot for the input, I really appreciate it... I have learned so much from people like you all... I love PHP, it rocks!
Cheers m8's,
Micky
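Both rehfeld's credentials.php and the {log}/{pass}/{realm} template above place form input inside PHP source text. The added example below, which is not code from the thread, generates the per-folder file with var_export() and a password hash so that quotes and backslashes in the input cannot alter the generated code; build_auth_file() and the sample values are hypothetical.

```php
<?php
// Added example, not code from the thread; build_auth_file() is a hypothetical name.
function build_auth_file(string $user, string $pass, string $realm): string
{
    // The realm ends up in an HTTP header, so keep it to a conservative character set.
    if (!preg_match('/\A[A-Za-z0-9 ._-]{1,64}\z/', $realm)) {
        throw new InvalidArgumentException('bad realm');
    }
    // var_export() emits correctly quoted PHP literals whatever the input contains.
    // Only a hash of the password is stored in the generated file.
    $cfg = var_export([
        'user'  => $user,
        'hash'  => password_hash($pass, PASSWORD_DEFAULT),
        'realm' => $realm,
    ], true);

    // Source of the generated file; "\$" keeps a literal dollar sign in the output.
    return <<<TEMPLATE
<?php
\$cfg = $cfg;
\$u = \$_SERVER['PHP_AUTH_USER'] ?? '';
\$p = \$_SERVER['PHP_AUTH_PW'] ?? '';
if (!hash_equals(\$cfg['user'], \$u) || !password_verify(\$p, \$cfg['hash'])) {
    header('WWW-Authenticate: Basic realm="' . \$cfg['realm'] . '"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authorization Required.');
}
TEMPLATE;
}

// Constructed sample input containing quotes, a backslash and a dollar sign.
echo build_auth_file("o'brien", 'p"a\\ss$1', 'Acme Bids'), "\n";
```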
Posted: Sat Nov 13, 2004 3:01 pm
by djot
-
Hi,
What are the folders needed for? Perhaps you don't really need "real" folders. Then it might be possible to only work with the database and show a virtual path/folders menu to the user.
There was a topic about "virtual folders" in the forum within the last 1-2 days ...
djot
-
Posted: Sat Nov 13, 2004 3:13 pm
by mhulse
Ooooh, good call, that sounds like an interesting way to do this...
This is a script that will allow me to make totally customizable bids on web-design jobs... it creates folders with the PHP file bids inside (which are password protected, with passwords unique to client)... I am also eventually going to have another script that will delete folders/files older than 14 days...
Virtual folders may be the way to do it though, I will do a search, thanks for the info djot, I appreciate it!
m
Posted: Sat Nov 13, 2004 3:22 pm
by djot
-
Hi,
So you use folders that are password protected only to store the bids to whatever jobs/etc.?? Why don't you store that information inside a database? You don't store any data/scripts/files/images. You don't need any files or folders I guess. Not even the virtual ones I mentioned before.
djot
-