Deny HTTP access of a folder on server
Posted: Tue Feb 01, 2011 4:47 pm
First off I want to start off saying that I don't know anything about PHP so I would appreciate all the help I can get.
So I have a website hosted on GoDaddy where I upload files for my clients. With the help of a friend I made a simple login system with usernames and passwords. So the problem is that although the web pages can't be accessed without inputting the username and password, the files such as .jpg can be accessed by direct input in the browser. I want it to be so that the only way the files and web pages are accessed is if they have a username and password. Also I want each user to be able to access only their own files and not the others'. So here is my code, and if there are any additional changes that need to be made to avoid hacking, I will greatly appreciate the input.
index.php file code for the form that is being used to input username and password:
Code:
<form name="form1" method="post" action="checklogin.php">
<div class="lefts">
<p>Login:</p>
<p>Password:</p>
</div>
<div>
<input name="myusername" type="text" id="myusername" />
<input name="mypassword" type="password" id="mypassword" />
</div>
<div><input type="image" name="Submit" id="submit" value="Login" src="images/submitOff.png" /></div>
</form>
checklogin.php: (if the correct username and password are entered, it goes to the username webpage; if not, it goes to the wrong username or password webpage)
Code:
<?php
ob_start();
session_start();
$host="hostname"; // Host name
$username="username"; // MySQL username
$password="password"; // MySQL password
$db_name="dbnamey"; // Database name
$tbl_name="tablename"; // Table name
// Connect to server and select database.
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db_name) or die("cannot select DB");
// Define $myusername and $mypassword (empty string if the form fields are missing,
// so a direct request to this script does not raise undefined-index notices)
$myusername = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';
// To protect against MySQL injection: escape after connecting, because
// mysql_real_escape_string() needs the open connection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT username FROM $tbl_name WHERE username='$myusername' AND password='$mypassword'";
$result=mysql_query($sql) or die("query failed");
// mysql_fetch_row() returns false if no row matched
$row = mysql_fetch_row($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($row){
    // Keep only the username in the session; the password is never needed again,
    // so storing it there is needless exposure. Use the username as stored in the
    // table ($row[0]) so the page name matches even if the user typed different case.
    $_SESSION["myusername"] = $row[0];
    $myPage = $row[0].".php";
    $_SESSION["myPage"] = $myPage;
    header("Location: ".$myPage);
}
else {
    header("Location: index2.php");
}
ob_end_flush();
?>
username1.php: (webpage for first user that contains files)
Code:
<?php
session_start();
if(
    //!session_is_registered(myusername)
    !isset($_SESSION["myusername"]) ||
    $_SESSION["myPage"] != basename($_SERVER['REQUEST_URI'])
){
    header("Location: index.php");
    // Stop here: a Location header only asks the browser to move on, so without
    // exit the HTML below (with the file links) is still sent to a logged-out visitor.
    exit;
}
?>
<html>
<!-- content that consists of links to the files -->
<a href="ready/username1/file.png">Png 1</a>
</html>
username2.php: (webpage for first user that contains files)
Code:
<?php
session_start();
if(
    //!session_is_registered(myusername)
    !isset($_SESSION["myusername"]) ||
    $_SESSION["myPage"] != basename($_SERVER['REQUEST_URI'])
){
    header("Location: index.php");
    // Same as username1.php: exit so the links below are not sent after the redirect header.
    exit;
}
?>
<html>
<!-- content that consists of links to the files -->
<a href="ready/username2/file.png">Png 1</a>
</html>
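One way to get what the post asks for (files reachable only after login, and each user only their own), as an added example rather than code from the original post: block direct requests to ready/ and hand files out through one gatekeeper script that checks the session the login above sets. It assumes the files stay under ready/<username>/ as in the links above, Apache with .htaccess support (what GoDaddy shared hosting ran), and a hypothetical download.php that the user pages link to in place of the file itself.

```php
<?php
// download.php (hypothetical name): serves ready/<username>/<file> only to the
// logged-in user who owns that directory. Direct requests to ready/ are stopped
// by placing this two-line .htaccess inside ready/ (Apache 2.2 syntax):
//     Order deny,allow
//     Deny from all
// The user pages then link to download.php?f=file.png instead of ready/username1/file.png.
session_start();

// Same check the username pages use: no session, no file.
if (!isset($_SESSION['myusername'])) {
    header('Location: index.php');
    exit;
}

$user = $_SESSION['myusername'];
$name = isset($_GET['f']) ? $_GET['f'] : '';

// Allow only plain names for both the user directory and the file:
// no slashes, no "..", no leading dot, no header-breaking characters.
$plain = '/^[A-Za-z0-9][A-Za-z0-9._-]*$/';
if (!preg_match($plain, $user) || !preg_match($plain, $name) || strpos($name, '..') !== false) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad file name');
}

// The session user name chooses the folder, so username1 can never reach
// ready/username2/ even by guessing file names.
$base = realpath(__DIR__ . '/ready/' . $user);
$path = ($base === false) ? false : realpath($base . '/' . $name);

// realpath() resolves symlinks and "..", so confirm the result is still inside $base.
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file');
}

// Send the file as a download with a generic type so the browser does not
// render an uploaded file as a page.
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

With the .htaccess in place, a direct request to ready/username1/file.png gets a 403 from Apache, while download.php?f=file.png works only inside a logged-in session and only for that user's own folder.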