hidden password

[t0mmy9]

hi, ive created a few php password forms, but i'm wondering is it possible to create a hidden password script that you dont need a form to log in to?

 

for example, if i had it in index.php if someone types index.php?password=passwordhere it shows them hidden content / redirects them to another page?

 

thanks for any help.

[eon201]

That sounds completely unsecure, are you sure you want this to be so open?? Anyone could gain access to this 'hidden' content very easily.

 

Perhaps consider using cookies?

[PhaZZed]

Well yes,

 

If we use your example of index.php?password=passwordhere

 

We would place code like this in the index.php file..

 

if(isset($_GET['password'])) // if the variable exists
{
// you could put sql in here to fetch a password from a database too
if ($_GET['password'] == "value") // if the existing variable matches correctly
  {
    echo "hidden content";
  }
}

 

It's not secure though!

[eon201]

In what way will you be using this code??

And why would you want users to log in this way?

 

We may be able to describe a better solution if you give us a brief description.

 

The cookie mehtod would work, but I think you'd have to get them to log in through the form the first time and then save the cookie to allow them through later.

 

 

[aschk]

I think your terminology might not be quite right. I think you're not looking at user authentication really. What you're after is "secret codes" that unlock hidden content. Why however would you want to do this instead of logging in normally? Surely you're circumventing the visual element that shows someone they have to be logged in to see this information?

With regards to "secret codes" you should be thinking more along the lines of a hash code.

My biggest question is "why".

 

Also with reference to $_GET vs $_POST (as eon201 suggested it was insecure); both methods are as secure as each other providing you escape data the same way. The only difference being that $_GET variables are viewable inside the browser url bar.

[PhaZZed]

I'd suggest taking the time reading about proper authentication with a database, escaping and sessions. It might seem like a big task, but trust me, once you get the hang of it, you will be able to build secure 'hidden' areas easily..

 

Sessions - http://www.tizag.com/phpT/phpsessions.php

Authentication - http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

 

Good luck!

[runnerjp]

stick to login scripts... why password protect something that can very easily be accessed... no point in protecting it then

[aschk]

I see what he's doing. I don't necessarily agree with the process. Although of course maybe my understanding of his problem is warped. Perhaps he's talking about maintaining login information throughout a SESSION, and NOT dropping in authenticated from an external site/location. Maybe we'll get some clarify 

[t0mmy9]

wow, what a helpful forum, thanks.

i know this isn't the cleverest of ideas and yes, seems pointless when i could just use a normal log on but im not using it to hide very restricted content. ill test the posted php now.

 

works perfectly brilliant!

by not secure though do people mean the password can easily be found or can it reveal sensitive information that i dont want anyone to see?