Topic: How is the setup scenario to protect a php file with php?

asdfgqw
Joined: 21 Jan 2007 Posts: 12
Posted: Wed 24 Jan '07 1:18 Post subject: How is the setup scenario to protect a php file with php?

I am just reading through this forum. There is an old post http://www.apachelounge.com/viewtopic.php?p=3056#3056 and a user quotes a php script instead of a htaccess file to protect another file via auth.

James Blond wrote:
Phizz wrote: was using frames to try and protect the pages. Drats I'm such an amateur.
Frames never protect. I don't know how, but if you make a bookmark with IE from a page with frames, IE also remembers the URL from the frame you made the bookmark on. That is a bit confusing, because in the bookmark there is only the URL of the top page.
Very easy to protect your page would be a .htaccess file.
Or making the auth with PHP.
Code:
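<?php
// for PHP5 compatibility; the values are not set on the first request
$PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$PHP_AUTH_PW   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

// user name => password
$users = array(
    "user"    => "password",
    "anonyme" => "devine"
);
$auth_text = "You are not allowed to go here!";
// unknown users are rejected before the strict password comparison
if (!(empty($PHP_AUTH_USER) || empty($PHP_AUTH_PW))
    && isset($users[$PHP_AUTH_USER])
    && $PHP_AUTH_PW === $users[$PHP_AUTH_USER]) {
    include("hiddenpage.php"); // here the protected page
}
else {
    header("WWW-Authenticate: Basic realm=\"$auth_text\"");
    header("HTTP/1.0 401 Unauthorized");
}
?>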
I hope this is easy enough for you.

I will not use this scenario but I am interested how this will be set up.
The hiddenpage.php is protected how (on Windows)?
The protect.php is protected how, or is this the index.php?
I mean I know how to set this up with a htaccess file, but how is this done with php files and how secure is this?

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 24 Jan '07 10:34 Post subject:

Hello asdfgqw,
that script can be an index.php (easiest way). This is only faking an auth. You could open http://whatever/hiddenpage.php and there won't be an auth.
How to do this with .htaccess? Use the forum search, there are a lot of posts with that.
The security from that script is, if you name it index.php, the user will never know that there is a hiddenpage.php.

Brian
Joined: 21 Oct 2005 Posts: 209 Location: Puyallup, WA USA
Posted: Thu 01 Feb '07 23:30 Post subject:

This method of invoking security via a PHP script is simply sending the same (essentially) headers that your Apache server would send if it were seeking authentication.
But unlike the server, PHP is only going to invoke these headers if that page loads. Assuming for example that you have a bunch of files, even images let us say, in a directory, if you do not .htaccess it but you do "htaccess" a PHP script (my term when you use this type of authentication via PHP and headers), then you are protecting that script or any subsequent script that calls upon this script. You are not by extension automatically protecting any other scripts or files in that directory tree.
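
The point made in the replies above, as an added example that is not part of the original thread: the PHP check only covers scripts that actually run it, so one way to cover hiddenpage.php on a direct request is a guard file that every protected script includes first. The file name auth_guard.php, the functions credentials_ok() and require_basic_auth(), the realm text and the sample user are assumptions for illustration; password_hash() and password_verify() need PHP 5.5 or later.

```php
<?php
// auth_guard.php (hypothetical name) -- added example, not code from the thread.
// Each protected script begins with: require __DIR__ . '/auth_guard.php';
// Anything that does not include this file is NOT covered by the check.

// Constructed sample user. In real use, paste in a hash generated once
// with password_hash(); never keep the plaintext password in the file.
$GUARD_USERS = array(
    'user' => password_hash('password', PASSWORD_DEFAULT),
);

// True only for a known user with a matching password.
function credentials_ok(array $users, $name, $pw)
{
    if ($name === '' || $pw === '' || !isset($users[$name])) {
        return false;
    }
    return password_verify($pw, $users[$name]);
}

// Sends the 401 challenge and stops unless valid credentials were supplied.
function require_basic_auth(array $users)
{
    $name = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pw   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
    if (credentials_ok($users, $name, $pw)) {
        return;
    }
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Protected area"');
    exit('Authentication required.'); // nothing after the require runs
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with constructed inputs: php auth_guard.php
    var_dump(credentials_ok($GUARD_USERS, 'user', 'password')); // valid pair
    var_dump(credentials_ok($GUARD_USERS, 'user', 'wrong'));    // bad password
    var_dump(credentials_ok($GUARD_USERS, 'nobody', 'x'));      // unknown user
    var_dump(credentials_ok($GUARD_USERS, '', ''));             // no credentials
} else {
    require_basic_auth($GUARD_USERS);
}
```

With the require line at the top of hiddenpage.php, a direct request for that file gets the 401 challenge as well. Images and other static files in the same directory still need .htaccess or a location outside the document root, since they never execute the guard.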