PHP authorization

In this article, we will look at the authorization of visitors. There are several ways to restrict access to site resources, for example, using the Apache Web server by creating a .htpassw file. This path is not always convenient, since transferring files to another server requires recreating .htpassw over a new one, moreover, it is rather tedious to change the password with this method. In this regard, developers often resort to PHP authorization, despite the fact that such protection is more susceptible to hacking.

This article will discuss the principle of such authorization, and it will allow you to organize something similar on your site. We will start from the Guestbook Web application (on MySQL), which can be downloaded here.

Usually, access to the administration panel (admin / index.php) is limited by Apache tools, but we will consider a script that allows you to restrict access using PHP.
The login and password will be stored in a file, since this does not require access to the database and can be used in other Web applications.

Now a little about the organization of protection. All actions on the administration page are supposed to be carried out through one file (index.php), while suppressing direct calls to other scripts. In the same file, the login with the password will also be checked. The security mechanism will be based on sessions, but as an alternative, you can use cookies. Sessions are a more secure option, since, unlike cookies, they are stored on the server and the likelihood of unauthorized access to them is significantly reduced.

Comment

All further code is based on the code of the Guestbook, so for convenience it should be downloaded from the site.

auth.php

<?php
if(!defined("IN_ADMIN")) die;
session_start();
$access = array();
$access = file("access.php");
$login = trim($access[1]);
$passw = trim($access[2]);
if(!empty($_POST['enter']))
{
        $_SESSION['login'] = $_POST['login'];
        $_SESSION['passw'] = $_POST['passw'];
}
if(empty($_SESSION['login']) or
   $login != $_SESSION['login'] or
   $passw != $_SESSION['passw']    )
{
   ?>
     <a href="index.php">Return to guestbook administration</a>
     <form action=index.php method=post>
     Логин <input class=input name=login value="">
     Пароль <input class=input name=passw value="">
     <input type=hidden name=enter value=yes>
     <input class=button type=submit value="Enter">
   <?php
   die;
}
?>

The file with login and password access.php has the following structure:

<?php die; ?>
admin
passw

Comment

For more reliable protection, the password and login can be subjected to irreversible encryption using the md5 () function
Please note that when accessing the file from the browser window, the script will be stopped in the first line by the die () function, not allowing the username (admin) and password (passw) to be displayed in the browser window.
Now we should create a control file through which we will gain access to all the other files of the administration system. Rename the index.php file to main.php in the admin directory of the guestbook and create a new index.php file with the following content.

Leave a Reply

Your email address will not be published. Required fields are marked *

Next article

Advantage of PHP