tags:

views:

91

answers:

4
+2  Q: 

Password protect a page without db access with php

Is it possible to password protect a page without db access? I may have only few pages. But I should be able to change password and also save sessions etc. And I want a secure way as it's for production site!

How is it to store in a config.php after md5:

 <?php
 username="admin"; 
 password="1a1dc91c907325c69271ddf0c944bc72";
 ?>

If this is a good idea, is there a way to restrict access to this php from only one script called check.php or something?

+1  A: 

You could use HTTP authentication with PHP. Very good examples present in PHP-docu.

alopix  2010-08-04 05:16:30
+2  A: 

Sure, why not? You can use flat files in inaccessible directory (protected by .htaccess or out of the www root) and use that as a database.

Here's a simple login class I've whipped up:

class SimpleLogin {

    private $users;
    private $db = './pass.txt';

    function __construct() {
        $data = file_get_contents($this->db);

        if (!$data) {
           die('Can\'t open db');
        } else {
            $this->users = unserialize($data);
        }
    }

    function save() {
        if (file_put_contents($this->db, serialize($this->users)) === false)
            die('Couldn\'t save data');
    }

    function authenticate($user, $password) {
        return $this->users[$user] == $this->hash($password);
    }

    function addUser($user, $password) {
        $this->users[$user] = $this->hash($password);
        $this->save();
    }

    function removeUser($user) {
        unset($this->users[$user]);
        $this->save();
    }

    function userExists($user) {
        return array_key_exists($user, $this->users);
    }

    function userList() {
        return array_keys($this->users);
    }

    // you can change the hash function and salt here
    function hash($password) {
        $salt = 'jafo2ijr02jfsau02!)U(jf';
        return sha1($password . $salt);
    }

}

NOTE: You really should turn off error reporting if you are going to use this in an actual server. This can be done by calling error_reporting() or by adding '@' in front of file_get_contents and file_put_contents (ie: so it turns into @file_get_contents)

Usage example: http://left4churr.com/login/

NullUserException  2010-08-04 05:16:55
should this db file be a php or text?
esafwan  2010-08-04 05:45:29
Pure text. Note that it needs to be "initialized". Create an empty and put this in it: `a:0:{}`
NullUserException  2010-08-04 05:46:56
@esafwan most of all you must be concerned in protecting password file. that's most important thing for this implementation. the only thing that really needs a working example, unlike all these useless adduser methods.
Col. Shrapnel  2010-08-04 05:52:15
What's with the downvote?
NullUserException  2010-08-04 06:08:19
remove `@`'s from the code and I'll revert a downvote.
Col. Shrapnel  2010-08-04 06:21:12
What's wrong with error suppression? Especially in this case, you don't want to let `file_*_contents` tell someone where the password file is.
NullUserException  2010-08-04 06:29:29
Error suppression is suicide, if you ever happen to debug. If you don't want to tell something to **someone** - make it for someone. turn displaying errors off. but let programmer have error message
Col. Shrapnel  2010-08-04 06:32:34
Sorry for asking more... i created a file pass.txt with a:0:{} , then made a login.php with this in it, include('class.php');$login = new SimpleLogin();$login->addUser('safwan', 'password'); Just for learning your code. class.php has the class! But it doesnt seems to work. No error though!
esafwan  2010-08-04 06:40:56
@esafwan Have you tried my [demo](http://www.left4churr.com/login)?
NullUserException  2010-08-04 06:49:02
@Col Fair enough :)
NullUserException  2010-08-04 06:49:26
Worked Gr8!!! Thankyou very much!!! I'm working on a innovative concept, i'll update you once its done(if it works ;) )!
esafwan  2010-08-04 08:58:23
+2  A: 

You should use .htaccess to do that. You also can protect by .htaccess your sensible php files, with something like :

Order Allow,Deny
Deny from All
RC  2010-08-04 05:17:08
A: 

Actually a database have nothing to do with password protection.
you can write login and password directly in your script as well as keeping in in the database.

There is no need in restricting access to your php file. Being called over HTTP, it will be just blank page and nothing more.

So, it's all right to store it that way.
Quite enough for the site that even don't use a database.

Col. Shrapnel  2010-08-04 05:27:01

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL