
Password script ..how to protect pages?

Posted: Thu Jan 19, 2006 2:07 pm
by thx1138
feyd | Please use the code tags where appropriate when posting code. Read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171)


OK.. I am not a PHP coder but more like a generic guy who can make web pages and "Play" with codes.
I have used a tutorial to make a simple password login form to allow users into a different part of a
website. However, the tutorial does not show how to actually "Protect" the pages that you want secure...
Lame I know...

Here is the code for the login (it all works and I already have the database set up as well)

Code: Select all

<?php require_once('Connections/herewego.php'); ?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "dldmain/dldmain.php";
  $MM_redirectLoginFailed = "invalid.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_herewego, $herewego);
  
  $LoginRS__query=sprintf("SELECT user, user FROM test WHERE user='%s' AND user='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password)); 
   
  $LoginRS = mysql_query($LoginRS__query, $herewego) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    $loginStrGroup = "";

    //declare two session variables and assign them
    $GLOBALS['MM_Username'] = $loginUsername;
    $GLOBALS['MM_UserGroup'] = $loginStrGroup;

    //register the session variables
    session_register("MM_Username");
    session_register("MM_UserGroup");

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

HTML stuff goes here....

This is what the form calls to activate.

Code: Select all

<form name='form1' id='login' method='post' action="<?php echo $loginFormAction; ?>">

So what "exactly" do my protected pages need in terms of PHP to only allow
logged in viewers access?

I would appreciate any help. :?


Thanks


THX1138



Posted: Thu Jan 19, 2006 2:19 pm
by pickle
It looks like that login page creates a session when a person successfully logs in. You need each page you want to secure to check that session (maybe verify it against the DB contents) to see if the user is authenticated. You can easily do that by including an authentication check page at the top of each page:

Code: Select all

<?PHP

require_once('check_if_user_is_authenticated.php');

//the rest of the page

?>

That included page would then check the session to see if the user is authenticated:

Code: Select all

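if(isset($_SESSION['MM_Username']))
{
   check_if_session_username_is_authenticated_in_db();
   if(user_not_authenticated)
   {
      dump_an_error_message();
      exit();
   }
   //if user is authenticated, you don't need to do anything
}
else
{
   //no username in the session at all: the visitor never logged in
   dump_an_error_message();
   exit();
}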
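
A concrete version of the include described above, as an added example that is not part of the original thread. It assumes a PDO handle in place of the thread's mysql_* connection; `LOGIN_PAGE`, `is_authenticated()` and `require_login()` are hypothetical names, while the `test` table, `user` column and `MM_Username` session key come from the posted login script.

```php
<?php
// check_if_user_is_authenticated.php -- added example, not code from the thread.
// Assumptions: LOGIN_PAGE is a placeholder path; $db is a PDO handle that
// stands in for the thread's mysql_* connection ($herewego).
const LOGIN_PAGE = '/login.php';

// True only if the session names a user that still exists in the `test`
// table (table and column names are the ones in the posted login query).
function is_authenticated(array $session, PDO $db): bool
{
    $name = $session['MM_Username'] ?? null;
    if (!is_string($name) || $name === '') {
        return false; // never logged in: the session key is absent or empty
    }
    $stmt = $db->prepare('SELECT 1 FROM test WHERE user = ? LIMIT 1');
    $stmt->execute([$name]);
    return $stmt->fetchColumn() !== false;
}

// Call at the very top of each protected page, before any output is sent.
function require_login(PDO $db): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // without this, $_SESSION is not populated
    }
    if (!is_authenticated($_SESSION, $db)) {
        header('Location: ' . LOGIN_PAGE);
        exit(); // stop here so the protected content is never rendered
    }
}

// Offline demonstration on constructed data (run with: php this_file.php).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE test (user TEXT)');
    $db->exec("INSERT INTO test (user) VALUES ('alice')");
    $cases = [
        'no session key'  => [],
        'deleted account' => ['MM_Username' => 'mallory'],
        'valid login'     => ['MM_Username' => 'alice'],
    ];
    foreach ($cases as $label => $session) {
        echo $label, ': ', is_authenticated($session, $db) ? 'allow' : 'deny', "\n";
    }
}
```

A protected page would include this file and call `require_login($db)` before sending any output. Including only the database connection file, with no such call, performs no check at all.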

Posted: Thu Jan 19, 2006 2:30 pm
by thx1138
I understand this idea of putting this

Code: Select all

<?PHP 
require_once('check_if_user_is_authenticated.php'); 
//the rest of the page 
?>

on top of all the "secure" pages, but
will that code work as is right now? Or do I need to change it somehow.

As for the second PHP part you listed..? I cannot find that in my original php file,
is this something I need to add somewhere?



Thanks



THX1138

Posted: Thu Jan 19, 2006 2:37 pm
by Chris Corbyn
thx1138 wrote:
I understand this idea of putting this

Code: Select all

<?PHP
require_once('check_if_user_is_authenticated.php');
//the rest of the page
?>

on top of all the "secure" pages, but
will that code work as is right now? Or do I need to change it somehow.

As for the second PHP part you listed..? I cannot find that in my original php file,
is this something I need to add somewhere?

Thanks

THX1138

That was actually just pseudo code... it's supposed to indicate the idea of what to do without giving you the code outright ;)

Posted: Thu Jan 19, 2006 3:12 pm
by thx1138
Alright...I have read through your suggestions and put this on top
of my "secure" pages...

Code: Select all

<?php require_once('../Connections/herewego.php'); ?>

However you can still get into them without going through the original
login form...?


I hate to be so lame.... but what am I missing. :cry:





THX1138