cearlp, Posted August 28

Is an error obvious in the following code? It worked okay until just recently. Could an Ubuntu update to 22.04 have changed something I need to change in the PHP coding?

```php
body { font-family: Georgia, "Times New Roman", Times, serif; color: maroon; background-color: #daa520 }
h2 { padding-left: 8em }
p { font-size: 13.5pt; text-indent: 5em }
a:link { color:blue; text-decoration: none }
a:visited { color:purple; text-decoration: none }
</style>
<script language=javascript>
function Validate() {
    if (document.form1.password.value == "fredpeabody") {
        window.location="<?php echo 'sxdisp.php'; ?>";
        return(false);
    } else {
        window.location="<?php echo 'sxdispunprotect.php'; ?>";
        return(false);
    }
}
</script>
</head>
<body onLoad="self.focus();document.form1.password.focus()" >
<div id="main-content">
<p> Enter the Password to search and display all the information on the Sigma Database. </p>
<p> Otherwise only the unprotected information will be displayed.</p>
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']?>" onsubmit="return Validate()">
<table width="1000" border="0" cellspacing="1" cellpading="0">
<tr> </tr>
<tr> <td> </td> <td> </td> </tr>
<tr> <td align="right">Password: </td> <td><input size="20" maxlength="20" name="password" value=" "> </td> </tr>
</table>
</form>
</div>
</body>
```

mac_gyver, Posted August 28

without knowing what symptom you are getting and what debugging steps you have already performed, it is not possible to help you.

there's no point in echoing a static string in the php code (2 places). just put the string as the value in the markup.

don't use PHP_SELF. to cause the form to submit to the same page it is on, leave out the entire action attribute.

Random8, Posted August 28

Why are you using javascript to verify the password? A user can get the password from View source, or just go directly to sxdisp.php

gizmola, Posted August 28

Good advice from both mac_gyver and Random8. Perhaps you are not clear on this, but once I understand the location of sxdisp.php I can just send data to it directly. As made clear, your password is disclosed in the javascript code. You have essentially no security.

If you want something simple and static you can easily implement HTTP "realm" security, which is built into the browser and entails creating a simple password file. Usually people name it .htpasswd. You would have the protected scripts in a subdirectory and add a .htaccess file for the directory along with a .htpasswd.

There are many different how-to and tutorials on doing this. I just glanced over it, but here is one that covers the basics: https://www.lcn.com/support/articles/how-to-password-protect-a-folder-on-your-website-with-htaccess/

cearlp, Posted August 29

Thanks all for the replies.

jodunno, Posted August 29

are you having trouble setting up a database, accessing the database and hashing a password? let's play squeakyToys and build a basic process for you to follow:

after you make a database with a table and columns in your database software and insert the appropriate data in the columns:

```php
<?php
//values submitted by the login form
$username = $_POST['username'] ?? '';
$post_password = $_POST['password'] ?? '';

$dbHost = (string) '127.0.0.1'; //127.0.0.1 == localhost
$dbName = (string) ''; //your database name
$dbUser = (string) ''; //your database software user name
$dbPass = (string) ''; //your database software password
$dbAttr = array(PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC);
$dbConnect = new PDO("mysql:host=$dbHost; dbname=$dbName; charset=utf8mb4", $dbUser, $dbPass, $dbAttr);
$dbQuery = 'SELECT user_id, user_pass FROM user_table WHERE user_name = :post_username';
$dbPuppy = $dbConnect->prepare($dbQuery);
$dbPuppy->execute(array(':post_username' => $username)); //$_POST['username']
$squeakyToy = $dbPuppy->fetch(); //false when no row matches the user name
//$squeakyToy['user_id'];
//$squeakyToy['user_pass'];
//$squeakyToy is a variable that holds the data from the SELECTED database column. here user_id and user_pass
//the most common variable names = $field, $row, $result

//verify that $_POST['password'] hash matches database user_pass hash for the SELECTed user_name
if ($squeakyToy !== false && password_verify($post_password, $squeakyToy['user_pass']) === true) {
    //if match is true then the user is now logged in
}
```

hash your new password, id est, stop using your now public domain password of 'fredpeabody', and store that hash in your database user_table.

example code to show how it works (which does not belong on your publicly accessible website):

```php
<?php
$formPass = "joDunn02024";
$showHash = password_hash($formPass, PASSWORD_BCRYPT);
echo $showHash;
?>
```

then you will store the output from $showHash in the user_pass column associated with your username.
And don't use fred, peabody, body or pea in your new password, in any lettercase. Even with a full stop interjection (fred.peabody). And all users of your site require a unique user name and a password. Stop sharing your password with people. You're supposed to be the site admin for cryin' out loud. And what is wrong with you? LOL. hopefully, you don't write your banking pin number on your forehead so that you don't forget it. Even backwards.

Joke: Another error is using Ubuntu over Mint or OpenSuse. Try one of those distros, then your script will work again 🙂

Honestly, you must at least allow php to process the form on the server side where client users cannot see the processing code. only use javascript as minimal client-side form validation before submitting (such as checking on submit for empty fields, maximum/minimum character violations etc.)

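An added example, not code from any poster in this thread: the password check moved to the server, plus a guard on sxdisp.php itself so that requesting its URL directly no longer shows the protected data. It keeps the question's single shared password; HASH_FILE, the `sigma_authed` session key and the function names are assumptions, and the stored hash is the output of password_hash() as in the post above.

```php
<?php
// Added example (not from the thread). HASH_FILE, the 'sigma_authed' session
// key and the helper names are assumptions; page names come from the question.
declare(strict_types=1);

// Output of password_hash(), stored outside the web root so it is never served.
const HASH_FILE = __DIR__ . '/../private/sigma_pass.hash';

function start_secure_session(): void
{
    session_set_cookie_params([
        'httponly' => true,      // not readable from JavaScript
        'secure'   => true,      // sent over HTTPS only
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Login handler: the comparison runs on the server, so neither the password
// nor its hash ever appears in the page source.
function handle_login(array $post): bool
{
    $hash = is_readable(HASH_FILE) ? trim((string) file_get_contents(HASH_FILE)) : '';
    $candidate = (string) ($post['password'] ?? '');
    if ($hash === '' || !password_verify($candidate, $hash)) {
        return false;
    }
    session_regenerate_id(true); // new session id after login (fixation defence)
    $_SESSION['sigma_authed'] = true;
    return true;
}

// Guard for sxdisp.php: knowing the URL is not enough, the session must be
// authenticated. Call before any output.
function require_login(): void
{
    if (empty($_SESSION['sigma_authed'])) {
        header('Location: sxdispunprotect.php', true, 303);
        exit;
    }
}

// Form target (e.g. a hypothetical login.php):
//   start_secure_session();
//   header('Location: ' . (handle_login($_POST) ? 'sxdisp.php' : 'sxdispunprotect.php'), true, 303);
// First lines of sxdisp.php:
//   start_secure_session();
//   require_login();
```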