Help from web developpers needed..

[Lionel Valdes]

Hello,

I have a web page on my website.

I want to block direct access to it (prevent people from accessing it just by typing its URL). I'm not an PHP expert, so I might need help on this.

For example: mydomain.com/secrets.php <-- I don't want users to be able to access it directly (just by typing the URL).

Thanks

EDIT: I will certainly need a PHP code for this, thank you once again.

[TheRock]

No need for a PHP code.
Just use an .htaccess / .htpasswd file on the folder directory (Aka "ftp root:/www"
Htaccess/Htpasswd info - Wikipedia

Other way is to make a server-wide configurated php file with an simple login. (Because if you do it with HTML and javascript, it will be client side and it will be no point since people will be actually able to find the password through the webpage source code.)

Make sure to use a robots.txt aswell to refrain from having google bots finding out about that php file/page

Hope this helps!

[Lionel Valdes]

No need for a PHP code.
Just use an .htaccess / .htpasswd file on the folder directory (Aka "ftp root:/www"
Htaccess/Htpasswd info - Wikipedia

Other way is to make a server-wide configurated php file with an simple login. (Because if you do it with HTML and javascript, it will be client side and it will be no point since people will be actually able to find the password through the webpage source code.)

Make sure to use a robots.txt aswell to refrain from having google bots finding out about that php file/page

Hope this helps!

I already have a php file, so don't worry about the security.

Your .htaccess suggestion is very smart, I will see what I can do.

[SugarD]

Remember that .htaccess won't always work. It all depends on what program you host your website with, or who your hosting company is. Make sure to check with the appropriate place first to ensure .htaccess files are supported. If they are, you generally should be good to go unless your hosting company blocks specific settings in these files. Generally though, if they allow .htaccess files, they won't usually block the settings needed to restrict access permissions.

If that method doesn't work out, you might also be able to restrict access based on FTP file/folder permissions. If you're using IIS, you may have to do it via one of their GUI settings, or through the webconfig file.

There are also many, many other ways to go about doing this.

[Teddy]

If you want a PHP only solution, here is something really makeshift, but should give you the right idea of how to work it

Code: [Select]

<?php

$_securePassword = "1234";

session_start();

if (isset($_GET['login']))
{
if ($_POST['password'] == $_securePassword)
{
$_SESSION['loggedin'] = true;
}
else
die ('<h1>That password was incorrect!</h1>');
}

if (isset($_GET['logout'])) session_destroy();

if (!isset($_SESSION['loggedin']))
{
// Style this as you wish

echo '<form action="./?login" method="POST">

<input type="password" name="password" />

<input type="submit" value="Login" />

</form>';

die();
}

/* * *\
* Your page bellow
\* * */
?>

<html>
<head>
<title>Working!</title>
</head>
<body>
<h1>It works!</h1>
</body>
</html>

Code: [Select]

$_securePassword = "1234";
Really ineffective, but in a simple system this will store what your password is.

Code: [Select]

if (isset($_GET['login']))
{
if ($_POST['password'] == $_securePassword)
{
$_SESSION['loggedin'] = true;
}
else
die ('<h1>That password was incorrect!</h1>');
}
This will execute if the ?login is in URL bar, it will look for the posted form data.

Code: [Select]

if (!isset($_SESSION['loggedin']))
{
// Style this as you wish

echo '<form action="./?login" method="POST">

<input type="password" name="password" />

<input type="submit" value="Login" />

</form>';

die();
}
This is your actual form for the login, you can use CSS to style this. Make sure you have the die() at the end as it'll prevent any further loading.


Like I said this is something that isn't really practical for proper deployment, a legitimate login system would take a lot more considerations. This was something I did in a minute. I hope it helps give you an idea of what you need tho :P

[Lionel Valdes]

Teddy, first of all thank you for replying, but that's not my request :p

I don't actually need the login script. This is a small schema to describe what I'm trying to do and what my website actually looks like:

www.domain/login.php -- user will have to enter certain information, if SUCCESS, it will lead him to success.php

www.domain/success.php -- if SUCCESS, user will be lead to this web page.



It can be abused, because a stranger could easily type www.domain/success.php and access my information without even doing the login process. Therefore I will be needing some sort of script to prevent this.

I hope this cleared out what I meant.

[Teddy]

Your saying you don't need a login script, but based on what you describe... you do :P

If you want the user to enter the information on one page, then load on another the same thing I have will work. You can use sessions across files. You can simply check on the top of success.php if  $_SESSION['loggedin'] is set, if it isn't redirect them to the login.php page, if it is then load the page.

[Lionel Valdes]

but login.php already has a login script, so I don't need one man :p

about the $_SESSION thing, could you explain more? Thanks.

[Teddy]

PHP sessions are basically server-side cookies for a user, it stores a session ID into the local users cookie then uses that ID to access server-side stored information about the user. As long as you have session_start() at the top of each PHP file you can access this server side information (per domain). This means in the login script you have in login.php you can set the session as logged in:

Code: [Select]

<?php
/*
 ...check login code here...
*/
$_SESSION['logged_in'] = true;

Then in success.php you'll have this at the top:

Code: [Select]

<?php

session_start();

if (!isset($_SESSION['loggedin'])) { header("Location: login.php"); die(); }


[TheRock]

Code: [Select]

<script language="javascript">
function check(form)
{
 if(form.pswrd.value == "1337superpasswordhere")
  {
    window.open('success.php')
  }
 else
 {
   alert("The password you entered appears to be invalid, please try again!")
  }
}
</script>
Anywhere in the page, and for the button;

Code: [Select]

<form name="login"><input type="password" name="pswrd"/>
<input type="button" onclick="check(this.form)" value="Login"/>
This is HTML - Javascript, it will work perfectly however since it's CLIENT-SIDE code, anyone will be available to see by seeing the page source code!
Teddy's script will also work perfectly, will run server-wide and password wont be accessed.

You can also do it, by following this easy guide here.

[Lionel Valdes]

For the 3rd time I don't need a login script :p


Anyways, Teddy's solution seem to function correctly, thanks Teddy!

[Marcel]

As this has been resolved, this thread is now closed.