logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



How is the setup scenario to protect a php file with php?

 
Post new topic   Reply to topic    Apache Forum Index -> Coding & Scripting Corner



View previous topic :: View next topic  
Author Message
asdfgqw



Joined: 21 Jan 2007
Posts: 12

PostPosted: Wed 24 Jan '07 1:18    Post subject: How is the setup scenario to protect a php file with php? Reply with quote

I am just reading through this forum. There is an old post http://www.apachelounge.com/viewtopic.php?p=3056#3056 and a user quotes a php script instead of a htaccess file to protect another file via auth.

James Blond wrote:
Phizz wrote:
was using frames to try and protect the pages. Drats Exclamation I'm such an amateur.

Frames do never protect. I don't know how, but If you make a bookmark with IE from a pages with frames IE also remember the URL from the frame you made the bookmark. That is a bit confusing, because in the bookmark is only the url from the top page.
Very easy to protect your page would be a .htaccess file.
Or making the auth with PHP.

Code:

<?php
//for php5 compability
$PHP_AUTH_USER=$_SERVER['PHP_AUTH_USER'];
$PHP_AUTH_PW=$_SERVER['PHP_AUTH_PW'];
//

$users = array(
      "user"=>"password",
      "anonyme"=>"devine"
   );

   $auth_text = "You are not allowed to go here!";

   if(!(empty($PHP_AUTH_USER) || empty($PHP_AUTH_PW)) && $PHP_AUTH_PW==$users[$PHP_AUTH_USER]){
                  include("hiddenpage.php"); //here the protected page
   }
   else{
      header("www-authenticate: basic realm=\"$auth_text\"");
      header("http/1.0 401 unauthorized");
   }
?>

I hope this is easy enough for you. Rolling Eyes


I will not use this scenario but i am interested how this will be setup.

The hiddenpage.php is protected how (on Windows)?
The protect.php ist procteed how or is this the index.php?

I mean i know how to setup this with a htaccess file, but how is this done with php files and how secure is this?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Wed 24 Jan '07 10:34    Post subject: Reply with quote

Hello asdfgqw,
that script can be an index.php (easiest way). This is only faking an auth. You could http://whatever/hiddenpage.php and there won't be an auth.

How to do this with .htaccess? Use the forum search, there are a lot of posts with that.

The security from that script is, if you name it index.php, the user will never know that there is a hiddenpage.php.
Back to top
Brian



Joined: 21 Oct 2005
Posts: 209
Location: Puyallup, WA USA

PostPosted: Thu 01 Feb '07 23:30    Post subject: Reply with quote

This method of invoking security via a PHP script is simply sending the same (essentially) headers that your Apache server would send if it were seeking authentication.

But unlike the server, PHP is only going to invoke these headers if that page loads. Assuming for example that you have a bunch of files, even images let us say, in a directory, if you do not .htaccess it but you do "htaccess" a PHP script (my term when you use this type of authentication via PHP and headers), then you are protecting that script or any subsequent script that calls upon this script. You are not by extension automatically protecting any other scripts or files in that directory tree.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Coding & Scripting Corner
Page 1 of 1