
How to protect each php page with a login page


Solved by cainam29


How can I protect my PHP page such that when a user just types the entire link in a browser, they will be redirected to the login page?

 

Here is my login.php code:

<?php

$host="*****"; // Host name 
$username="*****"; // Mysql username 
$password="*****"; // Mysql password 
$db_name="*****"; // Database name 
$tbl_name="*****"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername = mysql_real_escape_string ($_POST['myusername']); 
$mypassword = mysql_real_escape_string ($_POST['mypassword']); 
$myusername = stripslashes ($_POST['myusername']);
$mypassword = stripslashes ($_POST['mypassword']);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

session_start();
$_SESSION['login'] = "1";
header("location:admin/infratools.php");
}
else {
echo "Wrong Username or Password";
session_start();
$_SESSION['login'] = '';
}
?>

Here is my main page, which has all the other links to all my PHP pages:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Infra Tool</title>
<link rel="stylesheet" href="style.css" />

</head>

<body class="oneColFixCtrHdr" onload="document.form1.myusername.focus();">

<div id="container">
<div id="header" style="background-color:#7BD12E">
<h1 align="Center" style="color:#FFF; font-family: Arial, Helvetica, sans-serif;">PROV InfraTools </h1>
<!-- end #header --></div>
<div id="mainContent">
<p> </p>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td colspan="2" align="center">
<form id="form1" name="form1" method="post" action="checklogin.php">
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td> </td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center"><a href="tickettracker.php">Ticket Uploader</a></td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center"><a href="raptool.php">RAP Tool</a></td>
</tr>
<tr bgcolor="#FFFFFF">
<td> </td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center"><a href="login/add_user.php">Add User</a></td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center"><a href="login/logout.php">Logout</a></td>
</tr>
</table>
</form></td>
</table>
<p> </p>
<!-- end #mainContent -->
</div>
<p align="center"> </p>
<div id="footer" style="background-color:#7BD12E">
<p style="color:#FFF"></p>
<!-- end #footer --></div>
<!-- end #container --></div>
</body>
</html>

You would put the test and header in each page that you are afraid of people bypassing security by typing in the URL directly to the page.

 

BTW - what is this doing:

 

// username and password sent from form
$myusername = mysql_real_escape_string ($_POST['myusername']);
$mypassword = mysql_real_escape_string ($_POST['mypassword']);
$myusername = stripslashes ($_POST['myusername']);
$mypassword = stripslashes ($_POST['mypassword']);

 

You've protected yourself from injection with the first two lines, but then you are removing non-existent slashes in the last two lines. Basically you use the first two when using the fields in a query, and when storing in your db. You would use the last two lines when you take already "sanitized" data from your db and are showing it to the user again. Not both at the same time!
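Added example, not part of the thread: the credential check from login.php written with a PDO prepared statement and password_verify(), so the user input is bound as a parameter and the escape/stripslashes ordering no longer matters. The users table, its password_hash column and the sample account are constructed for illustration, and in-memory SQLite stands in for the MySQL database so the script runs from the command line.

```php
<?php
// Added example, not the poster's code. The users table, its password_hash
// column and the sample account below are constructed for illustration.
declare(strict_types=1);

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The username travels as a bound parameter, never as part of the SQL
    // text, so neither mysql_real_escape_string() nor stripslashes() is needed.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
    // Only a hash is stored; password_verify() checks the submitted password.
    return is_string($hash) && password_verify($password, $hash);
}

// In-memory SQLite stands in for MySQL so the example runs on its own.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(["o'brien", password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// A quote inside the username is stored and matched as plain data.
var_dump(check_login($pdo, "o'brien", 'constructed-sample-pw'));
var_dump(check_login($pdo, "o'brien", 'wrong'));
var_dump(check_login($pdo, 'nobody', 'constructed-sample-pw'));
```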

I've marked it again as unresolved because it's not working on a page that is linked to my main page. For example, after I log in I'll be redirected to the main page; now under my main page I'll click on a link, let's say:

<tr bgcolor="#FFFFFF">
<td align="center"><a href="tickettracker.php">Ticket Uploader</a></td>
</tr>

Now this tickettracker.php has other links inside it, and in all those links I have put the code below to protect them, but every time I click on them I am now redirected to the login page again.

<?PHP
session_start();
session_destroy();
if (!(isset($_SESSION['login']) && $_SESSION['login'] != '')) {
	header ("Location: infralogin.php");
}

?>

This code works perfectly in that when I try to access the page directly I'm being routed to the login page, but that is also what's happening when I click those links after I have already logged in.
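Added example, not part of the thread: a shared guard that every protected page can include. session_destroy() deletes the session data on the server, so a page that calls it before the check leaves the next request without `$_SESSION['login']`; the guard below only resumes the session, and stops the script after sending the redirect. The file name require_login.php and the functions require_login(), is_logged_in() and logout() are hypothetical names.

```php
<?php
// require_login.php - added example; file and function names are hypothetical.
// At the top of each protected page, before any output:
//     require __DIR__ . '/require_login.php';
//     require_login();
declare(strict_types=1);

function is_logged_in(array $session): bool
{
    // Same test as the thread's snippet: the flag must exist and be non-empty.
    return isset($session['login']) && $session['login'] !== '';
}

function require_login(string $loginUrl = 'infralogin.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // resume the session; no session_destroy() here
    }
    if (!is_logged_in($_SESSION)) {
        header('Location: ' . $loginUrl);
        exit;              // without this the rest of the protected page still runs
    }
}

// The session is torn down in one place only: the logout page.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];        // clear the data held in this request
    session_destroy();     // remove the stored session on the server
}
```

Pages in a subdirectory need a `$loginUrl` that resolves from their own location, since a relative `Location` value is resolved against the requesting page's URL.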
