Re: Link to external pages from login page

Hello Michael!  Welcome to PHP :-)

I'd suggest reading up on "sessions" and general security practices.

I'll try and give a brief overview of using PHP's session mechanism
to give some pages a little protection.

login.html
************************************

<form action='logincheck.php' method='post'>  <!-- logincheck.php only accepts POST -->
   <p>
      Username: <input type='text' name='uname'>
      <br>Password: <input type='password' name='pw'>
   </p>
   <input type='submit' value='login'>
</form>


logincheck.php
************************************
<?php

   session_start(); // start the PHP session-handling mechanism (must come before any output).

   if (!$_POST) {   // they didn't submit a POST, so they don't belong here; send 'em back.

      header("Location: http://www.mysite.com/login.html");
      exit;

   } //end if

   // FILTER_SANITIZE_STRING strips tags; note it is deprecated as of PHP 8.1.
   $username = filter_var ( $_POST['uname'], FILTER_SANITIZE_STRING );
   $password = filter_var ( $_POST['pw'], FILTER_SANITIZE_STRING );

   // Comparison must use ===, not = (assignment), or the check always passes.
   if ( $username === "Bob" && md5( $password ) === "BobsSecretPassphraseEncodedWithMD5" ) {    // this would normally involve DB work
                                                                                             // to select the correct passphrase for
                                                                                             // the user "$username" and compare it
      $_SESSION['logged_in'] = 1;                                                           // to the stored passphrase.
      header("Location: http://www.mysite.com/secret_page.php");
      exit;

   } else {  // credentials check failed, send 'em back to login page.

      header("Location: http://www.mysite.com/login.html");
      exit;

   }
?>

secret_page.php
***************************************************
<?php

   session_start(); // again, before any output, or the Set-Cookie header can't be sent.

   // empty() also covers the case where the key was never set (no PHP notice).
   if ( empty($_SESSION['logged_in']) ) {

      header("Location: http://www.mysite.com/login.html");
      exit;
   }

// secret stuff goes below here.

Without writing a book, that's a start.  Important things to note,
and to remember:

1.  session_start() should be called FIRST in any page/script that
   requires session support/functions.  In order to keep your pages
   "secure", you start a session and check for the presence of the
   session variable "logged_in" (or whatever you want to call your
   version of it).

2.  Passwords should be encrypted in the storage medium (database
   or file) and the user-supplied variable should be encrypted by your
   login-checker prior to being checked against the stored password.
   That's good security practice (there's plenty more, but it's a
   basic truth for passphrases).  Also, MD5 is *not* a good algorithm
   for hashing passwords in this day and age; I just used it as an
   example to try and give you an idea that hashing is important.

3. Filter *everything* that gets supplied by an end user.  Make sure
   that strings are strings and don't contain funny characters (like
   HTML code, SQL statements, Hexadecimal, etc., etc.)  This also has
   to do with security and reams could be written about it.  I used
   filter_var() to demonstrate it was necessary; more thought should
   really be put into this if it goes to "production".


Hope this helps,

Kevin Kinsey


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
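The three points above (session check on every protected page, hashed rather than plaintext passwords, and careful handling of user input) can be pulled into one small include that both logincheck.php and secret_page.php use. The following is an added example, not code from Kevin's post; it replaces the MD5 placeholder with PHP's password_hash()/password_verify() and the hard-coded "Bob" with a prepared-statement lookup. It assumes PHP 7.3 or later and a PDO-reachable table named users with columns username and password_hash; the DSN, table and column names are placeholders.

```php
<?php
// auth.php: added example for the thread above, not the original poster's code.
// Assumes PHP >= 7.3 and a "users" table (username, password_hash) via PDO.
declare(strict_types=1);

// Start the session with a hardened cookie: not readable from JavaScript,
// sent only over HTTPS, and not attached to cross-site requests.
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start(); // must run before any output, as point 1 above says
}

// Registration side: store only password_hash() output (bcrypt, salted, slow),
// never the password itself or an unsalted MD5/SHA digest.
function createUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Prepared statement: the username is bound as data, so it cannot alter the
// SQL whatever characters it contains. Returns null for an unknown user.
function fetchPasswordHash(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

// Login side. password_verify() is always run once, even when the user does
// not exist, so response time does not reveal which usernames are valid.
function checkCredentials(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-constant-work', PASSWORD_DEFAULT);
    }
    $stored = fetchPasswordHash($db, $username);
    $ok = password_verify($password, $stored ?? $dummyHash);
    return $ok && $stored !== null;
}

// Replaces the hard-coded check in logincheck.php. On success the session ID
// is rotated so an ID planted before login (session fixation) is useless.
function loginUser(PDO $db, string $username, string $password): bool
{
    startSecureSession();
    if ($username === '' || !checkCredentials($db, $username, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $username;
    return true;
}

// Replaces the check at the top of secret_page.php. empty() also covers the
// case where the key was never set, so no notice is raised.
function requireLogin(): void
{
    startSecureSession();
    if (empty($_SESSION['logged_in'])) {
        header('Location: /login.html');
        exit;
    }
}

// logincheck.php would then be:
//   require 'auth.php';
//   if ($_SERVER['REQUEST_METHOD'] !== 'POST') { header('Location: /login.html'); exit; }
//   $db = new PDO('sqlite:users.db');                      // placeholder DSN
//   $ok = loginUser($db, (string)($_POST['uname'] ?? ''), (string)($_POST['pw'] ?? ''));
//   header('Location: ' . ($ok ? '/secret_page.php' : '/login.html')); exit;
//
// secret_page.php starts with:
//   require 'auth.php';
//   requireLogin();
//   // secret stuff goes below here.
```

Two design notes. The password is deliberately not passed through filter_var(): it is only ever fed to password_verify(), never stored or echoed, and stripping characters from it would silently change the secret the user typed. The username is also not "sanitized" before the query; the prepared statement does that job, while escaping for HTML is done at output time with htmlspecialchars() if the name is ever printed.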