Danny620 Posted December 2, 2015

Hi, I have a few WordPress websites that I host for my clients. Because of the number of attacks they have been receiving lately, I have implemented a .htaccess file to block any IP address that's not in the whitelist. The problem I face is that every time the client moves from location to location or their IP address changes, I have to update the .htaccess file with their new IP. I'm trying to build a script where they can access a URL with a key in it and submit their new IP address; the PHP script would then read the .htaccess and add the new IP. However, the 'echos' in the file seem not to be echoing any information to the screen and I'm faced with a blank white screen. Can anyone give me any ideas on how to do this, or have a look at the script below that I have written?

```php
<?php
if (isset($_GET('key')) && $_GET('key') = '78J89ke93k93HJ883j003') {
    $htaccess = '.htaccess';
    //read the entire file
    $str = file_get_contents($htaccess);
    //delete deny from all from file
    $str = str_replace('deny from all', '', $str);
    $ip = 'allow from ' . $_get('ip'); //'allow from 92.27.111.112';
    $str .= $ip;
    //re add deny from all to end of file
    $str .= "\n" . 'deny from all';
    if(file_put_contents($htaccess, $str)){
        echo 'IP ' . $ip . ' Added to .htaccess file';
    }
} else {
    echo 'Invalid Key';
}
?>
```

Psycho Posted December 2, 2015 (edited)

Why not keep the IPs in a database? Then when a change is submitted you can just overwrite the existing file. Otherwise, you could end up with duplicates. Otherwise you would have to parse the current file to check for duplicates.

Anyway, there is no error handling in your current script. You should start there to check file_exists() (can PHP see the file), that it could open the file, etc.

EDIT: I see the problem (or at least one of them). The IF statement is checking the "variable": $_GET('key')

I would think that would generate an error since the "function" $_GET() does not exist.

Psycho Posted December 2, 2015 (edited)

Try this.

```php
<?php
//Verify proper key passed
if (!isset($_GET['key']) || $_GET['key'] != '78J89ke93k93HJ883j003') {
    echo 'Invalid Key';
    exit();
}

//Define file to edit
$htaccess = '.htaccess';

//read the entire file
$contents = file_get_contents($htaccess, false);

//Verify that contents were read
if(!$contents) {
    echo "Unable to read {$htaccess} file";
    exit();
}

//Get current IP of user
$ip = $_SERVER['REMOTE_ADDR']; //'allow from 92.27.111.112';

//Check if IP already exists
//(strpos() returns 0, which is falsy, for a match at the very start of the file)
if(strpos($contents, $ip) !== false) {
    echo "The IP {$ip} already exists in {$htaccess} file";
    exit();
}

//Add new IP to contents (assumes 'deny from all' exists in file)
$contents = str_replace('deny from all', "allow from {$ip}" . PHP_EOL . "deny from all", $contents);

//Replace the contents of the file
if(!file_put_contents($htaccess, $contents)) {
    echo "Error updating {$htaccess} file";
    exit();
}

echo "IP {$ip} added to {$htaccess} file";
?>
```

Edit: I just realized that this may not work as written. I wrote it with the intent that the script above would be accessible to any IP addresses. If you have the script in the same folder as the htaccess file, then how would the user ever be able to make a change? They would have to access the page from an IP that is not restricted. So, I would suggest hosting this page in another location.
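
Added example, not part of the original thread: the original script writes the `ip` query parameter into .htaccess unchecked and compares the key with an ordinary operator, so this sketch validates the address, compares the key in constant time, and matches existing rules by whole line rather than by substring. The function names `key_is_valid` and `add_allowed_ip` and the sample file contents are constructed for illustration.

```php
<?php
// Added example; function names and sample data are hypothetical.

/** Constant-time comparison of the submitted key with the expected one. */
function key_is_valid($submitted, string $expected): bool
{
    // Query parameters can arrive as arrays (?key[]=x); accept strings only.
    return is_string($submitted) && hash_equals($expected, $submitted);
}

/**
 * Return $contents with "allow from $ip" placed before "deny from all".
 * Returns null when $ip is not a bare IP address or the file has no
 * "deny from all" line; returns $contents unchanged when the rule exists.
 */
function add_allowed_ip(string $contents, string $ip): ?string
{
    // Only a literal IPv4/IPv6 address passes, so a value carrying a line
    // break or an extra directive never reaches the file.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $lines = preg_split('/\R/', rtrim($contents));
    $rule = "allow from {$ip}";
    $normalized = array_map(fn($l) => strtolower(trim($l)), $lines);

    // Whole-line match: 1.2.3.4 must not count as present because of 11.2.3.45.
    if (in_array(strtolower($rule), $normalized, true)) {
        return $contents;
    }
    $pos = array_search('deny from all', $normalized, true);
    if ($pos === false) {
        return null; // unexpected layout: refuse to edit rather than guess
    }
    array_splice($lines, $pos, 0, [$rule]);
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

// Constructed sample input, in the layout the thread's scripts assume.
$sample = "allow from 92.27.111.112\ndeny from all\n";

var_dump(key_is_valid(['x'], 'example-key'));                     // array instead of string
echo add_allowed_ip($sample, '203.0.113.7');                      // new rule inserted
var_dump(add_allowed_ip($sample, "203.0.113.7\n# injected line")); // rejected
var_dump(add_allowed_ip($sample, '92.27.111.112') === $sample);   // duplicate left alone
```

When writing the result back, `file_put_contents($htaccess, $new, LOCK_EX)` keeps two simultaneous requests from interleaving their writes.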

mikesta707 Posted December 2, 2015

I suspect the reason you are only seeing a blank page is because of the errors Psycho pointed out, and the fact that you have error reporting turned off. See this page for instructions on how to turn them on: http://php.net/manual/en/function.error-reporting.php

Obviously, in a production environment you probably want to turn error reporting off, or log them in some way so as to not show your users the errors while still being able to track them.

Jacques1 Posted December 2, 2015

The whole IP submission procedure is nonsensical and insecure.

What you actually have there is password-based authentication, implemented in a very weird way. Whoever knows the hard-coded “key” can add their IP to the .htaccess file and gain access to the site. So why not drop the whole IP stuff and simply force the user to enter a predefined password?

This can be implemented with HTTP Basic Authentication. All you have to do is set up a password database (usually a file called “htpasswd”). When a user initially visits the site, they're asked for the password. After the password has been verified, it's cached for subsequent requests so that the user doesn't have to repeat it.

It's also possible to implement passwordless authentication using public-key cryptography, but this might be too advanced for your case.
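
Added example, not part of the original thread: a .htaccess fragment for the HTTP Basic Authentication setup described in the post above, shown next to the IP allowlist it replaces. The realm text, the password file path and the user name `clientname` are placeholders.

```apache
# Added example; path, realm and user name are placeholders.
#
# Before: the per-IP allowlist from the thread, which has to be edited
# whenever a client's address changes.
#   allow from 92.27.111.112
#   deny from all
#
# After: one password file, no per-IP maintenance.
# Create the file once, outside the web root, with bcrypt hashes:
#   htpasswd -c -B /path/outside/webroot/.htpasswd clientname
# Leave out -c when adding further users; -c overwrites an existing file.

AuthType Basic
AuthName "Restricted"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user
```

Basic Authentication sends the credentials with every request in an easily decoded form, so the site should be served over HTTPS only.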