[PHP] Basic Password Protected Area

Cavemaneca · 12-12-2008, 07:30 PM

Mainly just a page I worked on to block access to specific pages on your site. Not very specific, and I am not %100 sure how secure it is though. It also isn't very compact.
Note: This uses a MySQL database for storage of usernames and passwords.

PHP Code:

 
<html>

<head></head>

<body>

<div align="center">

<?php 

        session_start();

if ($_SESSION['auth'] == 1) { 

    // check if authentication was performed 

    echo 'You Are Already Logged In!';

} 

else {

if (isset($_POST['name']) || isset($_POST['pass'])) { 

    // form has been submitted 

    // check inputs for required values 

    if (empty($_POST['name'])) { 

        die ("ERROR: Please Enter Username!"); 

    } 

    if (empty($_POST['pass'])) { 

        die ("ERROR: Please Enter Password!"); 

    } 

 
    // include database settings

    define('IN_SCRIPT',1);

    require_once('db_settings.inc.php');

 
    $query = "SELECT * FROM users WHERE user = '" . $_POST['name'] . "'";     

    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); 

    

        if (mysql_num_rows($result) < 1) {

        die('ERROR: Incorrect Username!');

        }

        else {    

    $row = mysql_fetch_row($result);

        $salt = $row[1];

        }

         

    // create query 

    $query = "SELECT * FROM users WHERE user = '" . $_POST['name'] . "' AND pass = '".crypt($_POST['pass'], $salt)."'";

     

    // execute query 

    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); 

     

    // see if any rows were returned 

    if (mysql_num_rows($result) == 1) { 

        // if a row was returned 

        // authentication was successful 

        // create session and set cookie with username  

        $_SESSION['auth'] = 1; 

        setcookie("username", $_POST['name'], time()+(84600*30)); 

        echo "Access Granted!"; 

    } 

    else { 

        // authentication failed 

        echo "ERROR: Incorrect Password!"; 

    } 

     

    // free result set memory  and close db

    mysql_free_result($result);

    mysql_close($connection); 

} 

else { 

    // no submission 

    // display login form 

?> 

 
    <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> 

????: NamePros.com http://www.namepros.com/code/542007-php-basic-password-protected-area.html
    Username: <input type="text" name="name" value="<?php echo $_COOKIE['username']; ?>"> 

    <p /> 

    Password: <input type="password" name="pass"> 

    <p /> 

    <input type="submit" name="submit" value="Log In"> 

 
<?php 

} 

}

?>

</div>

</body>

</html>

And the db_settings.inc.php file looks like this.

PHP Code:

  <?php

 
if (!defined('IN_SCRIPT')) {die('**Unauthorized Access!**');}

 
 
// set the variables used to connect

$host = "localhost"; 

$user = "user"; 

????: NamePros.com http://www.namepros.com/showthread.php?t=542007
$pass = "pass"; 

$db = "db"; 

 
// open the connection 

$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); 

     

// select which database to use.

mysql_select_db($db) or die ("Unable to select database!"); 

 
 
?>

This allows you to use the same database throughout the website. Also, I know you can create mysql objects, but I could never get them to work properly.

To finish it off, add this script to the top of whichever pages you want blocked.

PHP Code:

  <?php 

 
session_start(); 

if (!$_SESSION['auth'] == 1) { 

    // check if access permitted

    // display error and die

    echo "<div align=\"center\">ERROR: Unauthorized Access!<br>"; 

    die;

} 

else { 

?>

This is just what I use. If there is any security problems with this I would really like to know.

12-12-2008, 07:30 PM	THREAD STARTER #1 (permalink)
Cavemaneca New Member Join Date: Dec 2008 Posts: 3	[PHP] Basic Password Protected Area Mainly just a page I worked on to block access to specific pages on your site. Not very specific, and I am not %100 sure how secure it is though. It also isn't very compact. Note: This uses a MySQL database for storage of usernames and passwords. PHP Code: <html> <head></head> <body> <div align="center"> <?php session_start(); if ($_SESSION['auth'] == 1) { // check if authentication was performed echo 'You Are Already Logged In!'; } else { if (isset($_POST['name']) \|\| isset($_POST['pass'])) { // form has been submitted // check inputs for required values if (empty($_POST['name'])) { die ("ERROR: Please Enter Username!"); } if (empty($_POST['pass'])) { die ("ERROR: Please Enter Password!"); } // include database settings define('IN_SCRIPT',1); require_once('db_settings.inc.php'); $query = "SELECT * FROM users WHERE user = '" . $_POST['name'] . "'"; $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); if (mysql_num_rows($result) < 1) { die('ERROR: Incorrect Username!'); } else { $row = mysql_fetch_row($result); $salt = $row[1]; } // create query $query = "SELECT * FROM users WHERE user = '" . $_POST['name'] . "' AND pass = '".crypt($_POST['pass'], $salt)."'"; // execute query $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error()); // see if any rows were returned if (mysql_num_rows($result) == 1) { // if a row was returned // authentication was successful // create session and set cookie with username $_SESSION['auth'] = 1; setcookie("username", $_POST['name'], time()+(8460030)); echo "Access Granted!"; } else { // authentication failed echo "ERROR: Incorrect Password!"; } // free result set memory and close db mysql_free_result($result); mysql_close($connection); } else { // no submission // display login form ?> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> ????: NamePros.com http://www.namepros.com/code/542007-php-basic-password-protected-area.html Username: <input type="text" name="name" value="<?php echo $_COOKIE['username']; ?>"> <p /> Password: <input type="password" name="pass"> <p /> <input type="submit" name="submit" value="Log In"> <?php } } ?> </div> </body> </html> And the db_settings.inc.php file looks like this. PHP Code: `<?php if (!defined('IN_SCRIPT')) {die('Unauthorized Access!*');} // set the variables used to connect $host = "localhost"; $user = "user"; ????: NamePros.com http://www.namepros.com/showthread.php?t=542007 $pass = "pass"; $db = "db"; // open the connection $connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); // select which database to use. mysql_select_db($db) or die ("Unable to select database!"); ?>` This allows you to use the same database throughout the website. Also, I know you can create mysql objects, but I could never get them to work properly. To finish it off, add this script to the top of whichever pages you want blocked. PHP Code: `<?php session_start(); if (!$_SESSION['auth'] == 1) { // check if access permitted // display error and die echo "<div align=\"center\">ERROR: Unauthorized Access!<br>"; die; } else { ?>` This is just what I use. If there is any security problems with this I would really like to know.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)