views:

63

answers:

2

Hi guys, I'm new to PHP. I have a basic unlink PHP file which deletes a test.html. Using Apache HTTP server.

<?php
$fh = fopen('test.html', 'a');
fwrite($fh, '<h1>Hello world!</h1>');
fclose($fh);

unlink('test.html');
?>

So now how do I set an authentication method so that only a person with the correct username/password can access this file?

+6  A: 

If you're using Apache, take a look at htaccess passwords. That's probably the simplest method.

Amber
Note that for unlink() to work, php needs to have sufficient permissions to write to the file.
NullUserException
Kenneth
Kenneth: Perhaps individual `.htaccess` files are disabled for your web directory? Do you have access to the apache configuration file?
Amber
Yep, I have full access to everything.
Kenneth
Oh OK, somehow it works now. I'm getting an access forbidden! error 403 page. So what should I type in the browser now to input the username and password?
Kenneth
If it's set up properly, it should prompt you.
Amber
+2  A: 

If you want the protection in PHP, you'll need to place the unlink code inside a conditional block:

if(ok_to_delete())
{
    # unlink code
}

That function might look like this:

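function ok_to_delete()
{
    # refuse requests that do not carry the password field as a string
    if(!isset($_POST['delete_password']) || !is_string($_POST['delete_password']))
    {
        return false;
    }

    # hash of your password; hash_equals() compares the two strings in constant time
    return hash_equals('d0be2dc421be4fcd0172e5afceea3970e2f3d940', sha1($_POST['delete_password']));
}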

And the form:

<form action="delete.php" method="post">
    <input type="password" name="delete_password" />
    <input type="submit" value="Delete Something" />
</form>

Putting unlink() in a conditional block prevents it from being arbitrarily executed by some other means (run from command-line, included in another file, etc.).

There are myriad ways to write the ok_to_delete() function, of course. If you're curious you might poke around on Google, or check out an open source project.

For a full-blown user auth system, there are a lot of concerns regarding security (using https, whether the form can be exploited, whether you can delete arbitrary files, whether passwords are secure, etc.).

For something simple like deleting some cache files, the example code may suffice.

banzaimonkey
What if I were to access the PHP file via HTTP? I'm thinking the form might not be the solution for me. So is there any way to put variables for checking via HTTP? Something like http://localhost/delete.php?var=somethingsomething? Then what would the code in delete.php be like?
Kenneth
The form and `$_POST` var will accomplish just that, via http (or https). The reason you do not want to use the `$_GET` var and URL / query parameter as you described is that it could easily be read out of your browser history, or perhaps by a search engine, and anyone would be able to run the php script simply by visiting that URL.
banzaimonkey
OK, a few questions though. 1) Where should I put the form code? In a PHP file? 2) I'm actually creating an iPad application (which doesn't save any history information) to URL http the file, so I don't think it will be somewhat risky. So how should I code the PHP file then, and what should I type in the browser?
Kenneth
A full script might look like this: http://pastebin.com/DzJGbA67 Still need to add in your delete code. You'd simply view the script as a webpage to use it.
banzaimonkey
Cool, but I would like to know how to do the URL/query parameter method though.
Kenneth
`blah.php?param=value` is accessed via `$_GET['param']`: http://php.net/manual/en/reserved.variables.get.php
banzaimonkey
ok great. thx!!!
Kenneth
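
A fuller version of the check discussed in the second answer and its comments, as an added example that is not code from the thread: it accepts the password only in a POST body, verifies it against a salted hash with password_verify(), and deletes one fixed file. The environment variable name DELETE_PASSWORD_HASH and the handle_request() helper are assumptions made for this example.

```php
<?php
// Added example, not from the thread. Assumption: the password hash is stored
// in an environment variable named DELETE_PASSWORD_HASH (hypothetical name),
// created once with password_hash('your password', PASSWORD_DEFAULT).

// The only file this script may delete; the path is never built from user input.
const TARGET_FILE = __DIR__ . '/test.html';

function ok_to_delete(array $post, $storedHash)
{
    // Fail closed when no hash is configured.
    if (!is_string($storedHash) || $storedHash === '') {
        return false;
    }
    // Fail closed when the field is missing or is not a plain string.
    if (!isset($post['delete_password']) || !is_string($post['delete_password'])) {
        return false;
    }
    // password_verify() checks a salted hash and compares in constant time.
    return password_verify($post['delete_password'], $storedHash);
}

function handle_request($method, array $post, $storedHash)
{
    // Take the password from a POST body only, so it never lands in URLs,
    // browser history or access logs.
    if ($method !== 'POST') {
        return [405, 'Use POST'];
    }
    if (!ok_to_delete($post, $storedHash)) {
        return [403, 'Forbidden'];
    }
    if (is_file(TARGET_FILE) && !unlink(TARGET_FILE)) {
        return [500, 'Delete failed'];
    }
    return [200, 'Deleted'];
}

// Handle the request only when served over HTTP, not when run from the command line.
if (PHP_SAPI !== 'cli' && isset($_SERVER['REQUEST_METHOD'])) {
    list($status, $body) = handle_request(
        $_SERVER['REQUEST_METHOD'], $_POST, getenv('DELETE_PASSWORD_HASH')
    );
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $body, "\n";
}
```

The form from the answer can post to this script unchanged, since it already sends a delete_password field.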