Title may be a little misleading but I'll try to explain here.
Basically, when I put my website in 'offline mode' I have a section where admins can log in with a password. (They are not logging in with their accounts) The password is 'password' for this example. When a user types in the correct password, it should redirect them to the webpage, howvever it isn't, it's just echoing 'Incorrect password' - when it is in fact correct.
The code is made up by me, as you can probably tell. I expected this not to work because I'm still in the very early stages of learning PHP
HTML:
<div class="backdroplogin">
<h2>Login to your account:</h2>
<form action="/Offline" method="GET">
<input type ="password" name="password_login" size="25" Value="" />
<input type="submit" name="login" value="Login" />
</div>
</form>
PHP:
//ADMIN LOGIN
$password = "AbCd0987connekt£*^%";
if (isset($_GET["password_login"])) {
$password_login = $_GET["password_login"];
if ($password_login == $password) {
header("Location:/Admin/Panel");
} else {
echo "Incorrect password";
}
}
Thanks for any help.
Like Svetlio said.. It is a bad habit to send passwords using the get method. So instead use method="post" in your html form and $_POST["password_login"] in your php.
In your text you say you use "password" as the password for this tool, while in your php you check if the sent password is equal to "AbCd0987connekt£*^%", so if you put in your password you should use "AbCd0987connekt£*^%"... or did you mean you use "$password"
Just another tip: for readability ability of your code try to indent :)
You could verify that the password is correct and put a flag into a session variable. Then on the admin page do a check to see if that session flag is correct to access.
if($_SESSION['IsAdmin'] === true {
//load/redirect to page
} else {
die("You aren't an admin.");
}
Also, like others said - don't use GET for passwords, and definitely don't pass them as plaintext.
I agree with comment. But just to answer your question:
Everything is working all right in your script, but I think you have a confusion when says "The password is 'password' for this example, instead the password is exactly: AbCd0987connekt£*^% as you wrote it in your code. I copied your code in my platform (changed action) and it's working as you want.
Related
I'm building a small website where I'll be the only user (let say my credentials are "myuser" with the password "mypassword"). In the login page I have this simple form:
<form method="post">
<p>Username: <input type="text" name="usr"></p>
<p>Password: <input type="text" name="passwd"></p>
<p><input type="submit" value="Login"></p>
</form>
Is it safe to just validate the form like this?
// After checking if the request is POST...
if($_POST["usr"]=="myuser"&&$_POST["passwd"]=="mypassword") {
// Set the cookie and go to admin page...
} else {
// Show login error...
}
Or do I need to apply some security measure to the two $_POST variables (e.g. by filtering them with htmlspecialchars or something like that)? As you can see, the credentials are not saved in a database, and also these variables are never called anywhere else in the code, so I don't see any danger even if a malicious user attempts to hack the form with SQL Injection or XSS.
So, did I miss something? Is there any potential danger in leaving the code like that?
I think it is fine, you can add a hashe function & something to prevent a brute force attack to secure a little more. :)
(Sorry can't comment yet)
With php we can use mysql_real_scape_string(), this function have a parameter that modify a string deleting the special chars. This function returns a secure string, now we can execute this string into a SQL query.
I want to the page 'encryptionmachine1.php' to run a query against a database to ensure that the inputted password is correct. To keep things safe, I first want the page to encrypt the password that is inputted and then check against the database field 'EncryptedPasswords' to see if it exists. At the moment when I input a correct a password (number1) only the message 'pwd does not exists' displays. I am also using the md5() function to encrypt the passwords. Any help? Thanks Dan
<?php
if(isset($_POST['submit'])){
$str=$_POST['pwd'];
md5($str);
$dblink=mysql_connect("localhost","Dan");
mysql_select_db("Dan");
$rs=mysql_query("SELECT * FROM passwords WHERE EncryptedPassword='".$str."'");
if($row = mysql_fetch_assoc($rs)){
$dbPassword=$row['EncryptedPassword'];
echo "password exists";
header('Location:http://localhost/encryptionmachine2.php?pwd='.$str);//http://194.36.155.250/POO12104368/encryptionmachine2.php
}else{
echo"pwd does not exist";
}
}
?>
<html>
<head>
<title>EncryptionMachine1</title>
</head>
<body>
<form name="myForm" action="#" method="POST">
<p>Pwd:<input type="text" name="pwd"></p>
<input type="submit" value="Submit" name="submit">
</form>
</body>
</html>
There's a lot of things that need to be changed with your code to be secure. The most pressing two are:
You want to hash passwords, not encrypt them.
Furthermore, you want to use a password hashing function rather than a general-purpose hash function like MD5 (which is also insecure.
You want to use prepared statements.
This necessarily means stop using mysql_query() and mysql_fetch_assoc() in favor of PDO or mysqli.
I highly recommend starting with A Gentle Introduction to Application Security. It can seem like a lot, but I promise you this is manageable and you can do it.
Herroo everyone!
I am building a website for my dad. He is an accountant. We have Google calendars setup for him to take appointments. The website is just a pretty front page with three clickable images that link to different calenders. Two of the buttons are linked to employee calendars and are not password protected which is fine. We want new people to be able to sign up for them. My dad however is overbooked and needs his link password protected so he can give the password out to specific clients in order for them to make their appointments. He does not want see new people.
I can work with html and css but a total newb to PHP/MYSQL. I have been doing a lot of research and downloaded many tutorials/sample codes the past few days but I am still confused. This is what I've gotten so far after modifying some sample code. I set the password to be barney and do not require a user name and saved it as php1.php in a sub folder called protect. I remember reading somewhere that this well help with people bypassing the password.
<?php
$password = "barney";
if (md5($_POST['txtPassword']) != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><label for="txtpassword">Password:</label>
<br /><input type="password" title="Enter your password" name="txtPassword" /></p>
<p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
}
after this I am stuck... I do not know how to apply this to my html page and attach it to the image/link. Any help is much appreciated! Thanks so much!!
The obvious problem here is that you are comparing your password $password to an md5 version of the submitted password. They will be different and so you will always be shown the login form.
Replace with
<?php
$password = "barney";
if ($_POST['txtPassword'] != $password) {
?>Login form here<?php
} else {
?>Restricted access here<?php
}
But then you should keep in mind that such a scheme remains bad practice and low-security:
the password is stored in plain-text
you don't check how many
attempts a user makes to retrieve the password (see brute-force
attacks)
...
if you don't want to use the PHP file you could always modify the .htaccess file if it is available to you.
here is a quick how-to:
http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
here is more detailed info:
http://www.javascriptkit.com/howto/htaccess3.shtml
Suppose a user inputs his/her username and password and clicks on the submit button, which utilizes $_POST method on the form. To log in successfully, obviously the username and password have to match what's in my mysql database, which is done through a series of "if" statements. The form and "if" statements have to lie within the html tags to display the correct error messages if the credentials are wrong. After the username and password successfully satisfy all of the "if" statements, which are located within the html tags, I obviously want to set a cookie. However, I can't set a cookie within the html tags.
/*setcook() function can ONLY be placed HERE before the <html> tags, but that does not work with my php code*/
<html>
<head><title></title><body>
<?php
if (isset($_POST['username']) OR isset($_POST['password']))
{
/*bunch of "if" statements go here to confirm the credentials are correct and match what's in the database. if the username and password are correct, all of the "if" statements here are passed, and then i WANT to set a cookie HERE so the user is logged in but i can't*/
}
else echo <<<_END
<form action="login.php" method="post">
Username: <input type="text" name="username"/>
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />"; //this is the form that the user fills out and submits
</form>
_END;
?>
</body>
</html>
HOWEVER, the setcookie() function only works BEFORE the html tag. How can I set a cookie AFTER all the username and password credentials are verified in my PHP code that lies inside the html tags?
You shouldn't be putting logic like this mixed in with your HTML. Put all of your PHP to validate credentials before any output is sent. Then, you can set any cookies you want.
The reason you can't set the cookie later is that cookies are set as part of headers, which are done being sent by the time output begins. You could work around this by enabling output buffering... but don't do it. It's bad practice, isn't always enabled on other servers, and has the potential to slow things down a hair.
I also recommend using PHP sessions. If you do, you can set data in them anywhere you want, as the data is stored server-side. You just have to be sure to start your session right off the bat, so that the cookie is set and the session data is available to your applicatoin.
We have script http://site.com/ourscript.php
How to add something like "enter password" block on that page?
Just some simple, maybe popup.
Like, we open the page in browser, we should type password, if its ok - function will run.
It has to be done only inside requested php file, .htaccess should not be used.
Thanks.
This is about as simple as it gets:
<html>
<body>
<?php if (isset($_POST['secret']) && $_POST['secret'] == "lolsecurity") { ?>
<h1>Secret Page!</h1>
<p>This type of password-protection is completely open to packet sniffing.</p>
<?php } else { ?>
<form method="POST">
<p>Enter Password:</p>
<input type="password" name="secret">
<input type="submit" value="Submit">
</form>
<?php } ?>
</body>
</html>
Here's a tutorial for a basic authentication system. I'm sure if you spend two minutes googling, you'll find about a million pre-made, ready-to-go PHP login systems.
If you want to create your own, authenticating a user generally requires the following:
First set up a users table in your database where you store valid usernames and their passwords (as well as any other pertinent user information). Passwords should not be stored in plain text, but should generally be salted and hashed.
Add a login form to your application. When a user successfully logs in (which you can determine by taking the given password, salting and hashing it as above, and comparing it to the value in the database), use cookies or session to keep track of a login token.
On each page requiring authentication, the login token should be verified. If an invalid login token or no login token is given, redirect to the login form.