REALLY simple login?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I edited the PHP to add closing ']' to the $_POST vars.

Code:

<?php
// Keep only the alphabetic part of the hidden "submitted" flag; default to ''
// (not null) when the field is absent so preg_replace() always gets a string.
$submitted = preg_replace('/[^a-zA-Z]/', '', $_POST['submitted'] ?? '');

$errmsg = '';
$valid = false;
if ($submitted === 'yes') {
    // Strip everything but letters and digits before comparing.
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username'] ?? '');
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password'] ?? '');
    if ($username === 'John' && $password === 'password') {
        $valid = true;
    } else {
        $errmsg = 'You must login to view logfile.txt';
    }
}

if ($valid) {
?>
The text.
<?php
} else {
?>
<html>
    <span style="color:red"><?php echo htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8'); ?></span>
    <form action="loginhandler.php" method="post">
        <input type="hidden" name="submitted" value="yes">
        <p><input type="text" name="username" size="24"></p>
        <p><input type="password" name="password" size="24"></p>
        <p><input type="submit"></p>
    </form>
</html>
<?php
}
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

I've been talking to my friend and he made me a script and it works. Here it is:

Code:

<?php
// Credentials arrive in the query string (GET). Defaulting to '' avoids an
// undefined-index notice when a field is missing.
$username = $_GET['username'] ?? '';
$password = $_GET['password'] ?? '';

if ($username === 'John' && $password === 'password') {
    // display text file
} else {
    echo 'You must login to view logfile.txt';
}
?>
With the HTML:

Code:

<html>
   <form action="loginhandler.php" method="get">
      <input type="text" name="username">
      <p><input type="password" name="password"></p>
      <p><input type="submit"></p>
   </form>
</html>
Now, this is my first idea on how to stop people accessing my file:
I make a file like this:

Code:

RewriteEngine on
# All three conditions must be true for the rule to fire. The first one is only
# true when a Referer header is present, so a request that sends no Referer at
# all (a URL typed into the address bar, curl without -e) is never blocked.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google\.com.*$ [NC]
# Answer 403 Forbidden for any .txt request whose Referer is set and is not google.com
RewriteRule \.(txt)$ - [F]
and saved it as .htaccess.txt, based on this script: http://lissaexplains.com/html6.shtml#direct , but it still doesn't seem to be working.
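Taking the thread's goal (one account gating logfile.txt, as in the login handler earlier in the thread) together with the .htaccess attempt just above, the script below is how a practitioner would build it today. It is an added example, not code posted in the thread or taken from aborint, Christopher or m0u53m4t. It assumes PHP 7.4 or later with sessions enabled, that logfile.txt has been moved outside the document root to the hypothetical path /home/example/private/logfile.txt, and that the one account's hash is computed at startup purely for the demo (the passphrase is made up; in a deployment you would paste a precomputed password_hash() result into the array). Moving the file out of the web root does what the RewriteRule above was reaching for: a file Apache cannot map to a URL cannot be fetched directly, whatever Referer the client sends. Unlike the snippets above, it does not strip characters out of the password, since filtering only shrinks the space an attacker has to search.

```php
<?php
// Added example (not code from the thread). Assumes PHP >= 7.4 with sessions
// enabled, and that logfile.txt lives OUTSIDE the document root, so Apache can
// never serve it as a URL and no .htaccess or Referer rule is needed for it.
declare(strict_types=1);

session_start();

// Hypothetical location of the protected file, outside the web root.
$protectedFile = '/home/example/private/logfile.txt';

// Accounts are stored as password_hash() output, never as plaintext. For this
// demo the hash is computed on every request; in a deployment you would paste
// the precomputed hash here (php -r 'echo password_hash("...", PASSWORD_DEFAULT);').
// The passphrase is made up for the example.
$users = [
    'John' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Throwaway hash verified against when the username is unknown, so an unknown
// user and a wrong password take the same time to reject (no enumeration by timing).
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT);

/**
 * Return the named POST field as a string, or '' if it is missing or is an
 * array (e.g. a request that sends username[]=x).
 */
function postString(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

/**
 * True only if $username exists and $password matches its stored hash.
 * password_verify() compares in constant time. The password is neither
 * filtered nor trimmed: every byte the user typed takes part in the check.
 */
function authenticate(array $users, string $dummyHash, string $username, string $password): bool
{
    $known  = array_key_exists($username, $users);
    $stored = $known ? $users[$username] : $dummyHash;
    $match  = password_verify($password, $stored);
    return $known && $match;
}

$errmsg = '';

// Only POST is accepted. Credentials in a GET query string end up in browser
// history, proxy and web-server logs, and in the Referer of the next request.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = postString('username');
    $password = postString('password');

    if (authenticate($users, $dummyHash, $username, $password)) {
        session_regenerate_id(true);        // new session id after login (anti-fixation)
        $_SESSION['user'] = $username;
    } else {
        // One message for both failure cases, so the form does not confirm valid usernames.
        $errmsg = 'Invalid username or password.';
    }
}

if (isset($_SESSION['user'])) {
    // Serve the file through PHP; it never has a URL of its own.
    if (!is_readable($protectedFile)) {
        http_response_code(500);
        exit('The log file is not available.');
    }
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: no-store');
    readfile($protectedFile);
    exit;
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Login</title></head>
<body>
  <?php if ($errmsg !== ''): ?>
    <p style="color:red"><?= htmlspecialchars($errmsg, ENT_QUOTES, 'UTF-8') ?></p>
  <?php endif; ?>
  <!-- No action attribute: the form posts back to this same script. -->
  <form method="post">
    <p><input type="text" name="username" size="24" autocomplete="username"></p>
    <p><input type="password" name="password" size="24" autocomplete="current-password"></p>
    <p><input type="submit" value="Log in"></p>
  </form>
</body>
</html>
```

Save it as loginhandler.php and open it in a browser; the form posts back to the same URL. Two points on the rewrite rules in the preceding post: the first condition, `RewriteCond %{HTTP_REFERER} !^$`, makes the rule fire only when a Referer header is present, so a URL typed into the address bar or fetched with curl (which sends none) is served, and a client can put any value it likes in Referer in any case. If the file has to stay under the document root, deny it to everyone with a `<Files "logfile.txt">` block containing `Require all denied` (Apache 2.4) or `Order allow,deny` / `Deny from all` (Apache 2.2), the same construct andym01480 applies to .htaccess itself in the next post, and hand it out only through the script.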
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

You are using Apache as a server, aren't you? .htaccess doesn't work with Windows servers!
.htaccess, not .htaccess.txt

Also add

<Files .htaccess>
order allow,deny
deny from all
</Files>

which stops people looking at your .htaccess file to see what you are stopping them doing!

Never used the Rewrite code, so couldn't tell you if that would work once .htaccess is named right. Sorry!
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Forms should use the POST method unless there's a specific reason not to. Also bear in mind you must validate the username and password (or for simplicity amend it such as in aborint's example). Failing to do so, while not immediately a security threat, is bad practice; it's not a habit you should fall into. aborint's example is far more robust IMO.
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

Whenever I call something .htaccess or .logfile.txt they just disappear :roll:
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

They don't really disappear. They are hidden, like any file that begins with a period.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Change your directory settings to view hidden files...;)
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

I'm using t35 hosting. I don't think I can do that. Any ideas how else I can do it?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

m0u53m4t wrote: I'm using t35 hosting. I don't think I can do that. Any ideas how else I can do it?
In Unix/Linux, files that begin with a dot are hidden files. You should still be able to access them over FTP if you check your FTP client's settings to show dot files or show hidden files.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

If you have ssh you can run the command:

ls -la

A fair number of FTP clients should have View settings to enable the viewing of hidden files. A google search for your ftp client and "view hidden files" should turn up the relevant tips.
m0u53m4t
Forum Contributor
Posts: 101
Joined: Wed Apr 19, 2006 7:47 am
Location: Wales

Post by m0u53m4t »

I did that, but I still can't see it. How else can I block the viewing of the file? The only solution so far is with CHMOD.