DJTim666
Posted September 29, 2007

The users at my site have suggested that I allow them to add passwords to their forum topics. So if they only want to limit the topic to a few friends then they can. I want to know if the following code will work.

```php
<html>
<head>
<script type="text/javascript">
<!--
function checkPassword(password){
    // Named "entered" so the local variable does not shadow window.prompt()
    var entered = prompt('This forum has been password secured by the creator. Please enter the password below.');
    if (entered == password){
        alert('You have entered the correct password. Press OK to continue');
    } else {
        alert('That was the wrong password. Sorry.');
        return false;
    }
}
//-->
</script>
</head>
<body>
<?php
// Cast the forum id to an integer before it goes into the query
$getForums = mysql_query("SELECT * FROM forum_topics WHERE forum=" . (int) $id);
echo "<table>";
while ($row = mysql_fetch_array($getForums)){
    echo "<tr><td>";
    if (empty($row['password'])){
        echo "<a href='viewtopic.php?t=" . $row['id'] . "'>" . $row['topic_name'] . "</a></td>";
    } else {
        // The topic password is written into the page source here
        echo "<a href='viewtopic.php?t=" . $row['id'] . "' onClick='checkPassword(\"" . $row['password'] . "\")'>" . $row['topic_name'] . "</a></td>";
    }
    echo "</tr>";
}
echo "</table>";
?>
</body>
</html>
```

And I just thought of a problem when I was almost done coding it. If a user clicks view source they will be able to see the password... Any way around this?

-- DJ

php_tom
Posted September 29, 2007

It would 'work', but not secure... anybody could look at the page source and see

```html
<a href='viewtopic.php?t=12345' onClick='checkpassword("aPassword")'>aTopic</a>
```

which would immediately tell them

1) what the password is, and
2) what URL to type in manually to see the topic

Generally when doing password protection, it's best to do that server-side... Suppose a user has JavaScript turned off -- the password protection wouldn't work, they could see every topic!

Most forums just allow users to PM each other instead of having passworded topics.

That's my take on your code: if you don't want/need the site to be secure, your code is ok, but I really would try to get it more secure.

Hope that helps.

DJTim666 (Author)
Posted September 29, 2007

Yeah. I know you can see the password there. That's no good. I am going to have to do this server-side *sigh*. Javascript is so awesome, yet so limited.

RichardRotterdam
Posted October 1, 2007

JavaScript is not limited, you just have to know what NOT to show and what you can show. You can just do it all server side or.... you use ajax and a session. Simply do a check on every ajax server script to see if the action id is allowed.

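The server-side check that php_tom and RichardRotterdam describe, as an added example that is not code from any post in this thread: the password never reaches the browser, and every request for a protected topic is checked against the session. It assumes that `forum_topics.password` stores a `password_hash()` value (NULL for an open topic); the function name `canViewTopic`, the `unlocked` session key and the in-memory SQLite rows are constructed for the example.

```php
<?php
// Added example: server-side gate for viewtopic.php (not the original poster's code).
// Assumption: forum_topics.password holds a password_hash() value, NULL = open topic.
declare(strict_types=1);

/** True if this session may read topic $id; $submitted is the POSTed password or null. */
function canViewTopic(PDO $pdo, array &$session, int $id, ?string $submitted): bool
{
    $stmt = $pdo->prepare('SELECT password FROM forum_topics WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown topic
    }
    if ($row['password'] === null || $row['password'] === '') {
        return true;                        // topic is not protected
    }
    if (!empty($session['unlocked'][$id])) {
        return true;                        // already unlocked in this session
    }
    if ($submitted !== null && password_verify($submitted, $row['password'])) {
        $session['unlocked'][$id] = true;   // remembered server-side, never in the page
        return true;
    }
    return false;                           // typing the URL by hand ends up here
}

// --- Demo with constructed data (in-memory SQLite stands in for the real database) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE forum_topics (id INTEGER PRIMARY KEY, topic_name TEXT, password TEXT)');
$ins = $pdo->prepare('INSERT INTO forum_topics VALUES (?, ?, ?)');
$ins->execute([1, 'Open topic', null]);
$ins->execute([2, 'Friends only', password_hash('example-pass', PASSWORD_DEFAULT)]);

$session = [];  // in viewtopic.php: call session_start() and pass $_SESSION instead
var_dump(canViewTopic($pdo, $session, 1, null));            // open topic
var_dump(canViewTopic($pdo, $session, 2, null));            // direct URL, no password
var_dump(canViewTopic($pdo, $session, 2, 'wrong'));         // wrong password
var_dump(canViewTopic($pdo, $session, 2, 'example-pass'));  // correct password
var_dump(canViewTopic($pdo, $session, 2, null));            // later request, same session
```

The same function can be called at the top of each AJAX endpoint that returns topic content, so the check runs on every request rather than once in the browser.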