views:

91

answers:

4

Is it possible to password protect a page without DB access? I may have only a few pages. But I should be able to change the password and also save sessions, etc. And I want a secure way, as it's for a production site!

How about storing it in a config.php after md5:

 <?php
 $username = "admin";
 $password = "1a1dc91c907325c69271ddf0c944bc72"; // md5 of the password
 ?>

If this is a good idea, is there a way to restrict access to this PHP file so that only one script, called check.php or something, can read it?

+1  A: 

You could use HTTP authentication with PHP. There are very good examples in the PHP documentation.

alopix
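As an added example (not code from the answer above or from the PHP manual), here is the HTTP Basic authentication approach applied to the asker's own idea of keeping one account in a config file: the browser's credentials are checked against a user name and a password hash stored in a plain PHP file, no database involved. The config path `/var/www/private/config.php`, the realm text and the `admin` account are assumptions for illustration; `password_hash`/`password_verify` need PHP 5.5 or later.

```php
<?php
// Added example: HTTP Basic auth against a user name and password hash kept in
// a PHP config file instead of a database. Path and account are assumptions.

// Assumed contents of /var/www/private/config.php (kept outside the web root so
// a web server misconfiguration cannot serve it as plain text):
//   <?php
//   $auth_user = 'admin';
//   $auth_hash = '$2y$10$...';  // output of password_hash('the-password', PASSWORD_DEFAULT)
require '/var/www/private/config.php';

// Send the 401 challenge that makes the browser prompt for credentials.
function sendChallenge($realm)
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required';
    exit;
}

// Pure check, kept apart from the HTTP handling so it can be tested on its own.
function credentialsValid($givenUser, $givenPassword, $expectedUser, $expectedHash)
{
    // hash_equals: constant-time comparison of the user name
    $userOk = hash_equals($expectedUser, $givenUser);
    // password_verify re-hashes with the salt and cost stored inside $expectedHash
    // and compares in constant time. It runs even when the user name is wrong,
    // so the response time does not reveal which half failed.
    $passOk = password_verify($givenPassword, $expectedHash);
    return $userOk && $passOk;
}

// PHP fills these from the Authorization header when running as an Apache
// module; CGI/FastCGI setups may have to decode HTTP_AUTHORIZATION themselves.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    sendChallenge('Members only');
}

if (!credentialsValid($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'],
                      $auth_user, $auth_hash)) {
    sendChallenge('Members only');
}

// Past this point the request is authenticated.
echo 'Welcome, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
```

Generate the hash once from the shell with `php -r 'echo password_hash("the-password", PASSWORD_DEFAULT), PHP_EOL;'` and paste it into config.php; changing the password is editing that one line. Two caveats: Basic auth resends the password on every request, so serve the page over HTTPS only, and there is no session to manage, the browser simply caches the credentials until it is closed.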
+2  A: 

Sure, why not? You can use flat files in an inaccessible directory (protected by .htaccess or outside the www root) and use that as a database.

Here's a simple login class I've whipped up:

<?php
class SimpleLogin {

    private $users;
    private $db = './pass.txt';   // must be initialised with the serialized empty array: a:0:{}

    function __construct() {
        $data = file_get_contents($this->db);

        if (!$data) {
           die('Can\'t open db');
        } else {
            $users = unserialize($data);
            $this->users = is_array($users) ? $users : array();
        }
    }

    function save() {
        if (file_put_contents($this->db, serialize($this->users)) === false)
            die('Couldn\'t save data');
    }

    function authenticate($user, $password) {
        // an unknown user is a failed login (no undefined-index notice), and the
        // strict === avoids PHP's loose "==" type juggling between hash strings
        return $this->userExists($user)
            && $this->users[$user] === $this->hash($password);
    }

    function addUser($user, $password) {
        $this->users[$user] = $this->hash($password);
        $this->save();
    }

    function removeUser($user) {
        unset($this->users[$user]);
        $this->save();
    }

    function userExists($user) {
        return array_key_exists($user, $this->users);
    }

    function userList() {
        return array_keys($this->users);
    }

    // you can change the hash function and salt here
    function hash($password) {
        $salt = 'jafo2ijr02jfsau02!)U(jf';
        return sha1($password . $salt);
    }

}

NOTE: You really should turn off error reporting if you are going to use this on an actual server. This can be done by calling error_reporting() or by adding '@' in front of file_get_contents and file_put_contents (i.e. so it turns into @file_get_contents).

Usage example: http://left4churr.com/login/

NullUserException
should this db file be a php or text?
esafwan
Pure text. Note that it needs to be "initialized". Create an empty file and put this in it: `a:0:{}`
NullUserException
@esafwan Most of all you must be concerned with protecting the password file. That's the most important thing for this implementation, and the only thing that really needs a working example, unlike all these useless addUser methods.
Col. Shrapnel
What's with the downvote?
NullUserException
Remove the `@`'s from the code and I'll revert the downvote.
Col. Shrapnel
What's wrong with error suppression? Especially in this case, you don't want to let `file_*_contents` tell someone where the password file is.
NullUserException
Error suppression is suicide if you ever happen to debug. If you don't want to tell something to **someone**, make it for someone: turn displaying errors off, but let the programmer have the error message.
Col. Shrapnel
Sorry for asking more... I created a file pass.txt with `a:0:{}`, then made a login.php with this in it: `include('class.php'); $login = new SimpleLogin(); $login->addUser('safwan', 'password');` Just for learning your code. class.php has the class! But it doesn't seem to work. No error though!
esafwan
@esafwan Have you tried my [demo](http://www.left4churr.com/login)?
NullUserException
@Col Fair enough :)
NullUserException
Worked great!!! Thank you very much!!! I'm working on an innovative concept; I'll update you once it's done (if it works ;) )!
esafwan
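The answer above keeps users in a flat file but stops at the hashing class; the question also asked for sessions and a way to change the password. As an added example (not the answer's SimpleLogin class, nor the demo it links), here is a complete login.php that stores bcrypt hashes in a JSON file, starts a PHP session on a successful login, and lets the logged-in user change their own password. The file path `/var/www/private/users.json` (outside the web root, writable by the web server), the script name `login.php` and the form layout are assumptions for illustration; `random_bytes` requires PHP 7 or later.

```php
<?php
// Added example, not the original answer's code: flat-file users + sessions +
// password change. USER_DB path and the form markup are assumptions.
define('USER_DB', '/var/www/private/users.json');

function loadUsers()
{
    // JSON rather than serialize(): a tampered file cannot instantiate objects
    $raw = file_get_contents(USER_DB);
    if ($raw === false) {
        throw new RuntimeException('cannot read ' . USER_DB);
    }
    $users = json_decode($raw, true);
    return is_array($users) ? $users : array();
}

function saveUsers(array $users)
{
    // LOCK_EX so two concurrent password changes cannot interleave writes
    if (file_put_contents(USER_DB, json_encode($users), LOCK_EX) === false) {
        throw new RuntimeException('cannot write ' . USER_DB);
    }
}

function setPassword($user, $password)
{
    $users = loadUsers();
    $users[$user] = password_hash($password, PASSWORD_DEFAULT);  // salted bcrypt
    saveUsers($users);
}

function authenticate($user, $password)
{
    $users = loadUsers();
    if (!isset($users[$user])) {
        // burn about the same time as a real verify so timing does not
        // reveal which user names exist
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    return password_verify($password, $users[$user]);
}

function post($key)
{
    return isset($_POST[$key]) && is_string($_POST[$key]) ? $_POST[$key] : '';
}

// One-off account setup from the shell:  php login.php admin 'correct horse battery staple'
if (PHP_SAPI === 'cli') {
    if ($argc !== 3) {
        fwrite(STDERR, "usage: php login.php USER PASSWORD\n");
        exit(1);
    }
    setPassword($argv[1], $argv[2]);
    exit(0);
}

session_start();
if (!isset($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));  // anti-CSRF token for the forms
}
$csrfOk = hash_equals($_SESSION['csrf'], post('csrf'));
$action = post('action');

if ($action === 'login' && $csrfOk) {
    if (authenticate(post('user'), post('password'))) {
        session_regenerate_id(true);   // fresh id on login defeats session fixation
        $_SESSION['user'] = post('user');
    } else {
        sleep(1);                      // blunt brute-force throttle
    }
} elseif ($action === 'change' && $csrfOk && isset($_SESSION['user'])) {
    // re-prove the current password before accepting a new one
    if (post('new_password') !== '' && authenticate($_SESSION['user'], post('old_password'))) {
        setPassword($_SESSION['user'], post('new_password'));
    }
} elseif ($action === 'logout' && $csrfOk) {
    $_SESSION = array();
    session_destroy();
    header('Location: login.php');     // reload as an anonymous visitor
    exit;
}

$token = '<input type="hidden" name="csrf" value="' . htmlspecialchars($_SESSION['csrf']) . '">';
if (!isset($_SESSION['user'])) {
    echo '<form method="post">' . $token . '<input type="hidden" name="action" value="login">'
       . 'User <input name="user"> Password <input type="password" name="password">'
       . '<button>Log in</button></form>';
    exit;
}
echo 'Logged in as ' . htmlspecialchars($_SESSION['user']) . '<br>'
   . '<form method="post">' . $token . '<input type="hidden" name="action" value="change">'
   . 'Current <input type="password" name="old_password"> New <input type="password" name="new_password">'
   . '<button>Change password</button></form>'
   . '<form method="post">' . $token . '<input type="hidden" name="action" value="logout">'
   . '<button>Log out</button></form>';
```

Create users.json containing `{}` and make it writable by the web server user, then add the first account from the command line as shown in the comment; the same `setPassword` call is what the web form uses, so "change password" never needs a database. Protecting users.json is still the whole game: keep it outside the document root, or deny it in .htaccess, because anyone who can read it can attack the hashes offline.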
+2  A: 

You should use .htaccess to do that. You can also protect your sensitive PHP files with .htaccess, with something like:

Order Allow,Deny
Deny from All
RC
A: 

Actually, a database has nothing to do with password protection.
You can write the login and password directly in your script as well as keep them in the database.

There is no need to restrict access to your PHP file. Being called over HTTP, it will be just a blank page and nothing more.

So, it's all right to store it that way.
Quite enough for a site that doesn't even use a database.

Col. Shrapnel