Leadwing Posted April 17, 2008

Hi there,

I have an admin section on my website, where you are required to provide a username and password, and it retrieves the username and password from a database. My questions are:

1. How do I make the following pages inaccessible without logging in first? Would a simple session work?
2. Surely someone could just download the files from my website and find out the username and password required to access the database? This is the same for other parts of the site: in the PHP code I specify my username and password to access a database... Surely this is very insecure?

Thanks

pixelgirl Posted April 17, 2008

There is a very useful guide, http://www.php-mysql-tutorial.com/user-authentication/index.php, which shows you how to authenticate users using usernames and passwords from a database and sessions. I have used it for user login on my site, and have found it extremely helpful.

I'm not sure about the second question as I am not particularly knowledgeable about security, but the above link should point you in the right direction.

mwasif Posted April 17, 2008

Encrypt such files with Zend or ionCube. How many people have access to the PHP files?

tinker Posted April 17, 2008

[NOT IN ORDER?]

a) All PHP files served by a server should get processed by the PHP interpreter and will only display any HTML (etc.) that the PHP code outputs. So technically, no, people can't just download your PHP pages.

b) Once you have some kind of system to log in, then you use some logic like this:

    if ($logged_in == 1) {
        print "Hi user";
    } else {
        print "Who the f are you?";
    }

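Added example, not part of any post in this thread or of the linked tutorial: one way to back the `$logged_in` check with a PHP session so admin pages refuse to run without a login, with the database credentials loaded from a file kept outside the web root. The file names, the config path, the `admins` table and its columns, and the helper names are all assumptions.

```php
<?php
// auth.php: include at the top of every admin page (hypothetical file name).
// Assumption: config.php lives OUTSIDE the document root, so the web server
// can never serve it, and returns ['dsn' => ..., 'user' => ..., 'pass' => ...].
// The path below is a placeholder.
$config = require '/path/outside/webroot/config.php';

session_start();   // must run before any output is sent

// Open a PDO connection using the credentials kept out of the web root.
function db(array $config): PDO {
    return new PDO($config['dsn'], $config['user'], $config['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

// Check a submitted username/password against the (assumed) admins table,
// which stores hashes produced by password_hash(), never plain passwords.
function attempt_login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admins WHERE username = ?');
    $stmt->execute([$username]);   // bound parameter, no string concatenation
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session ID after login
    $_SESSION['admin_id'] = (int) $row['id'];
    return true;
}

// Call on every protected page before producing any output.
function require_login(): void {
    if (empty($_SESSION['admin_id'])) {
        header('Location: /login.php');   // assumed login page
        exit;   // stop here, otherwise the rest of the page still executes
    }
}
```

A protected page then begins with `require 'auth.php'; require_login();`, and the login form handler calls `attempt_login(db($config), $_POST['username'], $_POST['password'])`.
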
Leadwing Posted April 17, 2008

Thanks guys, that's very helpful! I'm aware it only displays HTML, it's just I thought there was software one could get which literally just downloads all the HTML files, PHP files, JPGs, etc. Am I wrong?

Thanks for the help though, guys.

tinker Posted April 18, 2008

When you view or save a page, it may have the '.php' extension or the like, but that page should have been parsed by the server and contain no PHP; if there is, it's either because the server is set up incorrectly or the code is buggy.

A web browser simply downloads a page, then scans it for any resource links it may contain (images, frame links, RSS feeds, adverts, etc.) and also downloads them, then it renders it.

gluck Posted April 19, 2008

Someone can't download the PHP files without hacking or getting the credentials of your server. If you are worried about your page source then you can also encrypt the display.