REALLY simple login?

Posted: Wed Apr 19, 2006 10:37 am
by m0u53m4t
I want a really simple login thing, that, all it does is say, the file logfile.txt can't be accessed unless you login. I don't even care if the password is in the code!

Posted: Wed Apr 19, 2006 10:41 am
by feyd
Okay, so you have a simple goal.

What have you figured out so far?

Posted: Wed Apr 19, 2006 10:49 am
by m0u53m4t
...That PHP is confusing :lol: All I want is for someone not to be able to access logfile.txt without having started a session. Can you recommend a site to start learning PHP from so I can start on this code please?

Posted: Wed Apr 19, 2006 11:43 am
by John Cartwright

Code:

$username = 'John';
$password = 'password';

if ($username == 'John' && $password == 'password') {
   //display text file
}
else {
   echo 'You must login to view logfile.txt';
}
There's a start, now you have to work on getting information from forms to grab the username and variable from the form value instead of hardcoding it within the script. Have a look at http://ca3.php.net/manual/en/tutorial.forms.php

Posted: Wed Apr 19, 2006 2:36 pm
by m0u53m4t
So if I have a form like this:

Code:

<html>
	<form action="loginhandler.php" method="get">
		<input type="text" name="username" size="24">
		<p><input type="password" name="password" size="24"></p>
		<p><input type="submit"></p>
	</form>
</html>
and a php code like this:

Code:

<?php
if ($username == 'John' && $password == 'password') {
   //display text file
}
else {

   echo 'You must login to view logfile.txt';
}
?>
I'm getting the error "You must login to view logfile.txt" every time...

Posted: Wed Apr 19, 2006 2:54 pm
by Christopher
How about a form like this:

Code:

<html>
    <span style="color:red"><?php echo $errmsg; ?></span>
	<form action="loginhandler.php" method="post">
		<input type="hidden" name="submitted" value="yes">
		<p><input type="text" name="username" size="24"></p>
		<p><input type="password" name="password" size="24"></p>
		<p><input type="submit"></p>
	</form>
</html>
and PHP code like this (not tested):

Code:

<?php
$submitted = preg_replace('/[^a-zA-Z]/', '', $_POST['submitted']);

$errmsg = '';
$valid = false;
if ($submitted == 'yes') {
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);
    if ($username == 'John' && $password == 'password') {
       $valid = true;
    } else {
       $errmsg = 'You must login to view logfile.txt';
    }
}

if ($valid) {
    //display text file
} else {
    //display sign-in form with $errmsg
}
?>

Posted: Wed Apr 19, 2006 2:57 pm
by m0u53m4t
I tweaked the script a bit to be

Code:

<?php
$submitted = preg_replace('/[^a-zA-Z]/', '', $_POST('submitted')

$errmsg = '';
$valid = false;
if ($submitted == 'yes') {
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username');
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password');
    if ($username == 'John' && $password == 'password') {
       $valid = true;
    } else {
       $errmsg = 'You must login to view logfile.txt';
    }
}

if ($valid) {
    //display text file
} else {
    //display sign-in form with $errmsg
}
?>
But I'm getting this error: Parse error: parse error, unexpected T_VARIABLE in /home/freehost/t35.com/j/u/juniorfiles/loginhandler.php on line 4

Posted: Wed Apr 19, 2006 3:03 pm
by Christopher
I edited the PHP to add closing ']' to the $_POST vars.

Code:

<?php
$submitted = preg_replace('/[^a-zA-Z]/', '', (isset($_POST['submitted']) ? $_POST['submitted'] : null));

$errmsg = '';
$valid = false;
if ($submitted == 'yes') {
    $username = preg_replace('/[^a-zA-Z0-9]/', '', (isset($_POST['username']) ? $_POST['username'] : null));
    $password = preg_replace('/[^a-zA-Z0-9]/', '', (isset($_POST['password']) ? $_POST['password'] : null));
    if ($username == 'John' && $password == 'password') {
       $valid = true;
    } else {
       $errmsg = 'You must login to view logfile.txt';
    }
}

if ($valid) {
?>
The text.
<?php
} else {
?>
<html>
    <span style="color:red"><?php echo $errmsg; ?></span>
   <form action="loginhandler.php" method="post">
      <input type="hidden" name="submitted" value="yes">
      <p><input type="text" name="username" size="24"></p>
      <p><input type="password" name="password" size="24"></p>
      <p><input type="submit"></p>
   </form>
</html> 
<?php
}

Posted: Wed Apr 19, 2006 4:05 pm
by m0u53m4t
I've been talking to my friend and he made me a script and it works. Here it is:

Code:

<?php  
$username = $_GET["username"]; 
$password = $_GET["password"]; 
 
if ($username == 'John' && $password == 'password') {  
   //display text file  
}  
else {  
  
   echo 'You must login to view logfile.txt';  
}  
?>
With the html:

Code:

<html>
   <form action="loginhandler.php" method="get">
      <input type="text" name="username">
      <p><input type="password" name="password"></p>
      <p><input type="submit"></p>
   </form>
</html>
Now, this is my first idea on how to stop people accessing my file:
I make a file like this-

Code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google.com.*$ [NC]
RewriteRule \.(txt)$ - [F]
and saved it as .htaccess.txt, based on this script: http://lissaexplains.com/html6.shtml#direct, but it still doesn't seem to be working.

Posted: Wed Apr 19, 2006 5:43 pm
by andym01480
You are using Apache as a server, aren't you? htaccess doesn't work with Windows servers!
.htaccess not .htaccess.txt

Also add

<Files .htaccess>
order allow,deny
deny from all
</Files>

which stops people looking at your .htaccess file to see what you are stopping them do!

Never used the Rewrite code, so couldn't tell you if that would work once .htaccess is named right. Sorry!

Posted: Thu Apr 20, 2006 3:05 am
by Maugrim_The_Reaper
Forms should use the POST method unless there's a specific reason not to. Also bear in mind you must validate the username and password (or for simplicity amend it such as in aborint's example). Failing to do so, while not immediately a security threat, is bad practice - it's not a habit you should fall into. aborint's example is far more robust IMO.
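
An added example, not code from any poster in this thread: the POST login recommended above, extended so that a session records the login and PHP itself serves logfile.txt. The path outside the web root, the `logged_in` session key and the stored hash are assumptions, and the code needs PHP 7 or later.

```php
<?php
// Added example, not code from this thread. Assumptions: logfile.txt is kept
// outside the web root at LOG_PATH, and PASSWORD_HASH was generated once with
// password_hash(); the value below is a placeholder.
const LOG_PATH      = __DIR__ . '/../private/logfile.txt';   // assumed location
const USERNAME      = 'John';
const PASSWORD_HASH = 'REPLACE_WITH_OUTPUT_OF_password_hash';

session_start();

$errmsg = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Accept only plain strings; array input (username[]=x) becomes ''.
    $username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    // Evaluate both checks before combining them, so the work done does not
    // depend on whether the username matched.
    $userOk = hash_equals(USERNAME, $username);
    $passOk = password_verify($password, PASSWORD_HASH);

    if ($userOk && $passOk) {
        session_regenerate_id(true);      // fresh session ID after login
        $_SESSION['logged_in'] = true;    // hypothetical key name
    } else {
        $errmsg = 'You must login to view logfile.txt';
    }
}

if (!empty($_SESSION['logged_in'])) {
    // PHP reads the file from disk, so it never needs a public URL.
    header('Content-Type: text/plain; charset=utf-8');
    readfile(LOG_PATH);
    exit;
}
?>
<html>
    <span style="color:red"><?php echo htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8'); ?></span>
    <form action="loginhandler.php" method="post">
        <p><input type="text" name="username" size="24"></p>
        <p><input type="password" name="password" size="24"></p>
        <p><input type="submit"></p>
    </form>
</html>
```

If the host offers no directory outside the web root, direct requests for logfile.txt still have to be refused by the server configuration, because this script only controls what it serves itself.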

Posted: Thu Apr 20, 2006 8:35 am
by m0u53m4t
Whenever I call something .htaccess or .logfile.txt they just disappear :roll:

Posted: Thu Apr 20, 2006 9:17 am
by d3ad1ysp0rk
They don't really disappear. They are hidden, like any file that begins with a period.

Posted: Thu Apr 20, 2006 9:49 am
by Maugrim_The_Reaper
Change your directory settings to view hidden files...;)

Posted: Thu Apr 20, 2006 3:36 pm
by m0u53m4t
I'm using t35 hosting. I don't think I can do that. Any ideas how else I can do it?