Herroo everyone!
I am building a website for my dad. He is an accountant. We have Google calendars setup for him to take appointments. The website is just a pretty front page with three clickable images that link to different calenders. Two of the buttons are linked to employee calendars and are not password protected which is fine. We want new people to be able to sign up for them. My dad however is overbooked and needs his link password protected so he can give the password out to specific clients in order for them to make their appointments. He does not want see new people.
I can work with html and css but a total newb to PHP/MYSQL. I have been doing a lot of research and downloaded many tutorials/sample codes the past few days but I am still confused. This is what I've gotten so far after modifying some sample code. I set the password to be barney and do not require a user name and saved it as php1.php in a sub folder called protect. I remember reading somewhere that this well help with people bypassing the password.
<?php
$password = "barney";
if (md5($_POST['txtPassword']) != $password) {
?>
<h1>Login</h1>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><label for="txtpassword">Password:</label>
<br /><input type="password" title="Enter your password" name="txtPassword" /></p>
<p><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
}
after this I am stuck... I do not know how to apply this to my html page and attach it to the image/link. Any help is much appreciated! Thanks so much!!
The obvious problem here is that you are comparing your password $password to an md5 version of the submitted password. They will be different and so you will always be shown the login form.
Replace with
<?php
$password = "barney";
if ($_POST['txtPassword'] != $password) {
?>Login form here<?php
} else {
?>Restricted access here<?php
}
But then you should keep in mind that such a scheme remains bad practice and low-security:
the password is stored in plain-text
you don't check how many
attempts a user makes to retrieve the password (see brute-force
attacks)
...
if you don't want to use the PHP file you could always modify the .htaccess file if it is available to you.
here is a quick how-to:
http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/
here is more detailed info:
http://www.javascriptkit.com/howto/htaccess3.shtml
Related
I have built a website that uses HTML, CSS, PHP and MySQL. The purpose of the website is to allow students to build a word bank. The data is sent and stored in a MySQL database via PHP/HTML forms. The information is displayed using HTML/CSS/PHP.
I haven't experienced any problems with the system UNTIL the children have been accessing it in school, using iPads to access/explore the website.
The problem I'm having is simple (and also infuriating!): sometimes the children can't login to the website - every time they press the 'login' form submit button, the form 'refuses' to be submitted (returning them to the same login page, as if it had just been refreshed). The same problem also occurs when they're trying to upload a word to the database - the form submit button 'refuses' to submit the data.
Basically: the submit buttons can be 'clicked', but they don't do what they're supposed to do.
Here's the code that I've written for the login system:
<?php
if($_POST){
if(login( $_POST['user'],$_POST['pass']) ){
echo "<a href=index.php>Continue.</a>";
$_SESSION['user'] = strtolower($_POST['user']);
} else { }
} else {
?>
Please login
<form method="POST">
<input type="text" name="user" value="Username">
<br />
<input type="password" name="pass" value="Password">
<br />
<input type="submit" name="login" value="Login">
</form>
<?php
}
?>
I'm not really sure what the problem could be - I'd guess (and almost hope) that it's a problem with my code (my use of sessions, maybe?) - but if it was, then why does the system work fine sometimes, and then at other times so inconsistently? Is it a problem related to iPads?
I hope I've made myself clear enough for any helpful suggestions.
You should use session_start function to start or resume exist session.
Just append a session_start function at the begin of your code.
<?php
session_start();
if($_POST){
Title may be a little misleading but I'll try to explain here.
Basically, when I put my website in 'offline mode' I have a section where admins can log in with a password. (They are not logging in with their accounts) The password is 'password' for this example. When a user types in the correct password, it should redirect them to the webpage, howvever it isn't, it's just echoing 'Incorrect password' - when it is in fact correct.
The code is made up by me, as you can probably tell. I expected this not to work because I'm still in the very early stages of learning PHP
HTML:
<div class="backdroplogin">
<h2>Login to your account:</h2>
<form action="/Offline" method="GET">
<input type ="password" name="password_login" size="25" Value="" />
<input type="submit" name="login" value="Login" />
</div>
</form>
PHP:
//ADMIN LOGIN
$password = "AbCd0987connekt£*^%";
if (isset($_GET["password_login"])) {
$password_login = $_GET["password_login"];
if ($password_login == $password) {
header("Location:/Admin/Panel");
} else {
echo "Incorrect password";
}
}
Thanks for any help.
Like Svetlio said.. It is a bad habit to send passwords using the get method. So instead use method="post" in your html form and $_POST["password_login"] in your php.
In your text you say you use "password" as the password for this tool, while in your php you check if the sent password is equal to "AbCd0987connekt£*^%", so if you put in your password you should use "AbCd0987connekt£*^%"... or did you mean you use "$password"
Just another tip: for readability ability of your code try to indent :)
You could verify that the password is correct and put a flag into a session variable. Then on the admin page do a check to see if that session flag is correct to access.
if($_SESSION['IsAdmin'] === true {
//load/redirect to page
} else {
die("You aren't an admin.");
}
Also, like others said - don't use GET for passwords, and definitely don't pass them as plaintext.
I agree with comment. But just to answer your question:
Everything is working all right in your script, but I think you have a confusion when says "The password is 'password' for this example, instead the password is exactly: AbCd0987connekt£*^% as you wrote it in your code. I copied your code in my platform (changed action) and it's working as you want.
I am trying to implement a user login system for my website. I have a newMember.html file that has a form like this:
<form method="post" action="nameValidation.php">
<p>Username:</p>
<input type="text" name"user" required>
<input name="submitButton" type="submit" value="Create account"/>
</form>
inside nameValidation, I check if the username is available. If it's not, i want some way to show a red text next to my input field where you type in your username. I tried something like this, but got a server error:
(inside nameValidation.php)
<?php
//connect to database, check the value of the username to see if it exists
if (username already exists) {
//keep the page that i had the way it was,
//just add a red sentence saying "username is already taken"
}
else {
//tell the user he was successful in making an account,
//and redirect him to my login page (already implemented)
}
?>
I didn't want to use inline php for two reasons.
1) it looks cluttered and confusing (at least to me)
2) I read in other stackoverflow posts that it's not good practice.
I will use inline php if i have to, but any and all help will be greatly appreciated!
Use a web framework like CakePHP, Laravel, Symfony or any other framework that suits you.
A PHP framework uses templates to accommodate dynamic pages. They usually allow special shortcuts in your code, so that you do not have to write any 'inline PHP'.
This is the MVC (Model View Controller) mentality: the controllers control the actual data being used in your view, and not the view.
Enough about web frameworks.
To answer your question, first rename your file to end in .php, to show that the file contains PHP.
Next, edit the code such that it checks if a user exists. The most beautiful inline PHP code gets created by doing all the work at the top of the page, and using the generated data in the page itself.
So, for your HTML:
<?php
/* For example: */
$username = $_POST['username'];
$db = new DB(/* ... */);
$userNameExists = $db -> userNameExists ($username);
?>
<!-- The rest of the code of the page -->
<form method="post" action="nameValidation.php">
<p>Username:</p>
<input type="text" name"user" required value="<?php echo $username; ?>"><?php echo $userNameExists ? '<span class="error">Username already exists</span>' : '' ?>
<input name="submitButton" type="submit" value="Create account"/>
</form>
I'm quite new in this PHP programming and already tried looking my issue at this forum but no success.
I have build a simple webform using PHP and stuck when trying to edit form. My form consist of below
register html form - basicallly user fill in the form and hit submit. the form will then go to register.php
Register.php - all the field store at database and I also display the form using the SESSION (not call from database) in this page.
Here is my problem start. At the dispay(register.php) I want allow user to edit his/her information and submit again(which i think use update query base on ID). But I truly don't know how to do this.
Can someone advice me or give some simple code for this so that I can have clearer view?
you also must strip slashes for avoiding Sql injection
In previous pages you must store the username from textbox of login
Something like this:
session_start();
$_SESSION['username']=$_POST['input of login txtbox'];
you can just get the condition with user cause you have just one unique user 2 users mustn't have the same user name then just store the username of them in $_SESSION
$connection=Mysql_connect('server','user','pass');
if(array_key_exists('sub2',$_POST))
{
if(!$connection)
{
echo 'connection is invalid';
}
else
{
Mysql_select_db('Your DB',$connection);
$pas=$_POST['pass1'];
$username=$_POST['username'];
$pas=mysql_escape_string($pas);
$username=mysql_escape_string($username);
$query="update user set user='$username'and pass=password('$pas') where username='".$_SESSION['username'].";
//some code
}
in your form:
<p><b>User Name:</b><input type="text" name="username" />
<p><b>Password:</b><input type="password" name="pass1" />
<input type="submit" name="sub2" value="update"/>
use this site for secure your code
We have script http://site.com/ourscript.php
How to add something like "enter password" block on that page?
Just some simple, maybe popup.
Like, we open the page in browser, we should type password, if its ok - function will run.
It has to be done only inside requested php file, .htaccess should not be used.
Thanks.
This is about as simple as it gets:
<html>
<body>
<?php if (isset($_POST['secret']) && $_POST['secret'] == "lolsecurity") { ?>
<h1>Secret Page!</h1>
<p>This type of password-protection is completely open to packet sniffing.</p>
<?php } else { ?>
<form method="POST">
<p>Enter Password:</p>
<input type="password" name="secret">
<input type="submit" value="Submit">
</form>
<?php } ?>
</body>
</html>
Here's a tutorial for a basic authentication system. I'm sure if you spend two minutes googling, you'll find about a million pre-made, ready-to-go PHP login systems.
If you want to create your own, authenticating a user generally requires the following:
First set up a users table in your database where you store valid usernames and their passwords (as well as any other pertinent user information). Passwords should not be stored in plain text, but should generally be salted and hashed.
Add a login form to your application. When a user successfully logs in (which you can determine by taking the given password, salting and hashing it as above, and comparing it to the value in the database), use cookies or session to keep track of a login token.
On each page requiring authentication, the login token should be verified. If an invalid login token or no login token is given, redirect to the login form.