Mainly just a page I worked on to block access to specific pages on your site. Not very specific, and I am not 100% sure how secure it is though. It also isn't very compact.
Note: This uses a MySQL database for storage of usernames and passwords.
PHP:
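<?php
// start the session before any output, so the session and username cookies can still be sent
session_start();
$message = '';
$show_form = false;
if (isset($_SESSION['auth']) && $_SESSION['auth'] == 1) {
    // check if authentication was performed
    $message = 'You Are Already Logged In!';
}
else {
    if (isset($_POST['name']) || isset($_POST['pass'])) {
        // form has been submitted
        // check inputs for required values
        if (empty($_POST['name'])) {
            die ("ERROR: Please Enter Username!");
        }
        if (empty($_POST['pass'])) {
            die ("ERROR: Please Enter Password!");
        }
        // include database settings
        define('IN_SCRIPT',1);
        require_once('db_settings.inc.php');
        // escape the username before it is placed in the SQL string (prevents SQL injection)
        $name = mysql_real_escape_string($_POST['name'], $connection);
        $query = "SELECT * FROM users WHERE user = '" . $name . "'";
        $result = mysql_query($query);
        if (!$result) {
            // log the database error on the server instead of showing it to the visitor
            error_log("Error in query: " . mysql_error());
            die ("ERROR: Database error!");
        }
        if (mysql_num_rows($result) < 1) {
            die('ERROR: Incorrect Username!');
        }
        else {
            // the stored hash (second column) doubles as the salt for crypt()
            $row = mysql_fetch_row($result);
            $salt = $row[1];
        }
        // create query
        $hash = mysql_real_escape_string(crypt($_POST['pass'], $salt), $connection);
        $query = "SELECT * FROM users WHERE user = '" . $name . "' AND pass = '" . $hash . "'";
        // execute query
        $result = mysql_query($query);
        if (!$result) {
            error_log("Error in query: " . mysql_error());
            die ("ERROR: Database error!");
        }
        // see if any rows were returned
        if (mysql_num_rows($result) == 1) {
            // if a row was returned
            // authentication was successful
            // issue a fresh session id (prevents session fixation),
            // then create session and set cookie with username
            session_regenerate_id(true);
            $_SESSION['auth'] = 1;
            setcookie("username", $_POST['name'], time()+(84600*30));
            $message = "Access Granted!";
        }
        else {
            // authentication failed
            $message = "ERROR: Incorrect Password!";
        }
        // free result set memory and close db
        mysql_free_result($result);
        mysql_close($connection);
    }
    else {
        // no submission
        // display login form
        $show_form = true;
    }
}
?>
<html>
<head></head>
<body>
<div align="center">
<?php echo $message; ?>
<?php if ($show_form) { ?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<!-- the cookie value is user-controlled, so it is HTML-escaped before being echoed -->
Username: <input type="text" name="name" value="<?php echo isset($_COOKIE['username']) ? htmlspecialchars($_COOKIE['username'], ENT_QUOTES) : ''; ?>">
<p />
Password: <input type="password" name="pass">
<p />
<input type="submit" name="submit" value="Log In">
</form>
<?php } ?>
</div>
</body>
</html>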
And the db_settings.inc.php file looks like this.
PHP:
<?php
if (!defined('IN_SCRIPT')) {die('**Unauthorized Access!**');}
// set the variables used to connect
$host = "localhost";
$user = "user";
$pass = "pass";
$db = "db";
// open the connection
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");
// select which database to use.
mysql_select_db($db) or die ("Unable to select database!");
?>
This allows you to use the same database throughout the website. Also, I know you can create mysql objects, but I could never get them to work properly.
To finish it off, add this script to the top of whichever pages you want blocked.
PHP:
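<?php
session_start();
// compare explicitly: "!$_SESSION['auth'] == 1" negates the value first and only then compares it to 1
if (!isset($_SESSION['auth']) || $_SESSION['auth'] != 1) {
    // access not permitted
    // display error and die
    echo "<div align=\"center\">ERROR: Unauthorized Access!<br></div>";
    die;
}
// authenticated: the rest of the page runs below
?>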
This is just what I use. If there are any security problems with this I would really like to know.
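A hardened form of the username/password check above, added here as an example and not part of the original post: a PDO prepared statement replaces the concatenated query, and password_hash()/password_verify() (PHP 5.5+) replace the salt lookup and crypt() comparison. The check_login() and handle_login() helpers, the in-memory SQLite database and the sample account are assumptions made so the block runs offline.

```php
<?php
// Added example (not the original poster's code). Assumed schema: users(user, pass).
// In-memory SQLite keeps the block runnable offline; use a mysql: DSN on a real site.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Constructed sample account. password_hash() picks a random salt and stores it
// inside the hash string, so no separate salt lookup is needed.
$insert = $db->prepare('INSERT INTO users (user, pass) VALUES (?, ?)');
$insert->execute(array("o'brien", password_hash('correct horse', PASSWORD_DEFAULT)));

// Hypothetical helper: true only when the user exists and the password matches.
function check_login(PDO $db, $name, $pass)
{
    // The ? placeholder sends $name separately from the SQL text, so a quote
    // in the username is plain data and cannot change the query.
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = ?');
    $stmt->execute(array($name));
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user: same result as a wrong password
    }
    // password_verify() re-hashes $pass with the salt stored in $hash and
    // compares the two in constant time.
    return password_verify($pass, $hash);
}

// Hypothetical helper: what the login page would do with the result.
function handle_login(PDO $db, $name, $pass)
{
    if (!check_login($db, $name, $pass)) {
        // One message for both failure cases, so the page does not reveal
        // which usernames exist.
        return 'ERROR: Incorrect username or password!';
    }
    // On a real page: session_regenerate_id(true); $_SESSION['auth'] = 1;
    return 'Access Granted!';
}

// Constructed inputs: valid login, wrong password, unknown user.
$attempts = array(array("o'brien", 'correct horse'), array("o'brien", 'wrong'), array('nobody', 'correct horse'));
foreach ($attempts as $a) {
    echo $a[0] . ' / ' . $a[1] . ' => ' . handle_login($db, $a[0], $a[1]) . "\n";
}
```

password_verify() also accepts hashes produced by crypt(), so rows created by the original script keep working after the switch.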