Bytes | Software Development & Data Engineering Community

Stop user access

I am allowing a user to access a page if they know the password and enter it
on a form. I process that form with another PHP page; if it's the wrong
password I do not display sensitive information.

However, if the user looks in the source code and sees the name of the
processing page he can simply type in that name and get to the page anyway.
Okay - he can not see so much, just a lot of empty fields as I only load
data if the pwd check is okay, but it's untidy and I want to refuse the user the
page completely if he has not arrived at it in the way intended.

How do I do that?

Garry Jones
Oct 11 '06 #1

Garry Jones wrote:
> I am allowing a user to access a page if they know the password and enter it
> on a form. I process that form with another PHP page; if it's the wrong
> password I do not display sensitive information.
>
> However, if the user looks in the source code and sees the name of the
> processing page he can simply type in that name and get to the page anyway.
> Okay - he can not see so much, just a lot of empty fields as I only load
> data if the pwd check is okay, but it's untidy and I want to refuse the user the
> page completely if he has not arrived at it in the way intended.
>
> How do I do that?
>
> Garry Jones

If the check fails (ex: if the password is wrong, or they navigate
directly to the page), then use header("Location: whatever"); to
redirect them immediately to some other page.

Oct 11 '06 #2
> I am allowing a user to access a page if they know the password and enter it
> on a form. I process that form with another PHP page; if it's the wrong
> password I do not display sensitive information.

Every page should contain some kind of access check. This might be as
simple as

if ($_SESSION['logged_in_ok'] == 1) { ...

assuming you're using PHP sessions.

If the access check fails, don't output the sensitive content.
It could also be done with a common include file, included by each page
near the beginning, containing such code.

> However, if the user looks in the source code and sees the name of the
> processing page he can simply type in that name and get to the page anyway.

A user shouldn't be able to look at *PHP* source code, as it's not sent
to the browser, but if the URL can be seen in the *HTML* code output,
he can. So the URL to the processing page should be useless to him
(he'll fail the access check).

> Okay - he can not see so much, just a lot of empty fields as I only load
> data if the pwd check is okay, but it's untidy and I want to refuse the user the
> page completely if he has not arrived at it in the way intended.

If a user has not properly logged in, redirect him to the login page
without generating any sensitive content.
Oct 11 '06 #3
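One way to put the access check into a common include file, as this reply suggests. This is an added example, not code from the thread: the flag name logged_in_ok is the one used in the reply above, while the file names auth_check.php, login.php and secret.php, the 303 status code, the is_logged_in/require_login helpers and the userid session key are assumptions of the example (the login processor is assumed to set both logged_in_ok and userid).

```php
<?php
// auth_check.php  (added example, not from the thread)
// Included at the top of every page that must not be reachable without
// a completed login. Assumes the login processor sets
// $_SESSION['logged_in_ok'] = 1 and $_SESSION['userid'] on success.

declare(strict_types=1);

session_start();

function is_logged_in(array $session): bool
{
    // Strict comparison: a missing key, null, or a leftover string value
    // must not pass by loose equality the way == 1 would let "1abc" pass.
    return isset($session['logged_in_ok']) && $session['logged_in_ok'] === 1;
}

function require_login(string $login_url = '/login.php'): void
{
    if (is_logged_in($_SESSION)) {
        return;
    }
    // Redirect *and* stop. Without exit the rest of the page is still
    // rendered after the Location header, and the user can read it
    // with any client that ignores redirects.
    header('Location: ' . $login_url, true, 303);
    exit;
}

require_login();
// Anything below this line (or in the including page) runs only for a
// logged-in session, so it is safe to load the sensitive data here.


// secret.php  (a protected page; the file name is an assumption)
// The include does the check before a single byte of content is sent.
require __DIR__ . '/auth_check.php';

$userid = (string) ($_SESSION['userid'] ?? '');
echo 'Welcome, member ' . htmlspecialchars($userid, ENT_QUOTES, 'UTF-8');
```

The point of the include is that the processing page's URL stops mattering: typing it directly just runs require_login() before any data is loaded. Note that header() only works if nothing (not even a blank line before <?php) has been sent yet, so the include must be the first thing in each page.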
"Moot" <mo*******************@yahoo.com> wrote in message
news:11**********************@k70g2000cwa.googlegroups.com...
> If the check fails (ex: if the password is wrong, or they navigate
> directly to the page), then use header("Location: whatever"); to
> redirect them immediately to some other page.

Yes I got that bit. But if the user goes straight to the page he jumps in
and the password entered and the password processed are identical null
values.

What I mean is in this example:

$_POST['user_try'] will be empty if the user has typed in the page name of
the processing page directly. I am unsure how empty, because checking for
($_POST['user_try'] == "") was not enough to trap it; it appears there is
some kind of null that is not recognised as being "". However when I echoed
it to check there was nothing there.

I have been playing with isset but can't get the syntax.

if (isset($_POST['user_try'])) {
    // lots of code goes here to kick off the page
    // after which then I can close the if statement
}
header("Location: whatever.php");
exit;

... But I am still missing something, grateful for any help
Garry Jones
Sweden
Oct 11 '06 #4
You can try this code; of course you need to get the $_POST['userid']
and $_POST['password'] which are input by the user.

//to connect to your database
include 'dbconnect.php';
//store session variables (keep the user id, never the password itself)
session_start();
$userid = $_POST['userid'];
$password = $_POST['password'];
$_SESSION['userid'] = $userid;
//here I check the password that the user entered with the one in the
//database; the user id is escaped before it goes into the query
$user = mysql_query("SELECT * FROM users WHERE userid = '"
    . mysql_real_escape_string($userid) . "'") or die(mysql_error());
//load the mySQL query as an array in $info, where you could refer to
//the password using $info["password"]
while ($info = mysql_fetch_array($user)) {
    if ($password != $info["password"]) {
        session_destroy(); // must run before die(), which never returns
        die('Wrong userid or password!');
    } else {
        echo "Welcome " . $_SESSION['userid'] . ". You have unlocked the key.";
        exit;
    }
}

Regards,
Mark Wong
http://liang5ster.blogspot.com

Garry Jones wrote:
> "Moot" <mo*******************@yahoo.com> wrote in message
> news:11**********************@k70g2000cwa.googlegroups.com...
>> If the check fails (ex: if the password is wrong, or they navigate
>> directly to the page), then use header("Location: whatever"); to
>> redirect them immediately to some other page.
>
> Yes I got that bit. But if the user goes straight to the page he jumps in
> and the password entered and the password processed are identical null
> values.
>
> What I mean is in this example:
>
> $_POST['user_try'] will be empty if the user has typed in the page name of
> the processing page directly. I am unsure how empty, because checking for
> ($_POST['user_try'] == "") was not enough to trap it; it appears there is
> some kind of null that is not recognised as being "". However when I echoed
> it to check there was nothing there.
>
> I have been playing with isset but can't get the syntax.
>
> if (isset($_POST['user_try'])) {
>     // lots of code goes here to kick off the page
>     // after which then I can close the if statement
> }
> header("Location: whatever.php");
> exit;
>
> ... But I am still missing something, grateful for any help
> Garry Jones
> Sweden
Oct 12 '06 #5
Thanks Mark.

I tried to adapt your code for my needs but something is misfiring and it's
not allowing me into the page. I removed the session variable thing as I
have no need for them.

// the post with the user id
$scfchknum = $_POST['scfchknum'];

// the post with the user password
$scfchkpwd = $_POST['scfchkpwd'];

include("connect to database php segment");

// my table is called scfmforening,
// scfmnum is the field name with the user id number
// scfpwd1 is the field name with the password

So here I assign $user to the table data where scfmnum is the same as the user id
given by the user:

$user = mysql_query("SELECT * FROM scfmforening WHERE scfmnum = '"
    . mysql_real_escape_string($scfchknum) . "'") or die(mysql_error());

// now the tricky bit that I dont really understand. It should check
// password match.

while ($info = mysql_fetch_array($user)) {
    if ($scfchkpwd != $info["scfpwd1"]) {
        session_destroy(); // must run before die(), which never returns
        die('Wrong userid or password!');
    } else {
        echo "yes";
    }
}

The page is not loaded correctly, roughly the sort of blank looking error as
when you omit a bracket or a semicolon.

Any ideas?

Garry Jones
Sweden
Oct 12 '06 #6
Garry Jones wrote:
> [...]
> So here I assign $user to the table data where scfmnum is the same as the user id
> given by the user:
>
> $user = mysql_query("SELECT * FROM scfmforening WHERE scfmnum = '"
>     . mysql_real_escape_string($scfchknum) . "'") or die(mysql_error());
>
> // now the tricky bit that I dont really understand. It should check
> // password match.

Are you sure the resource $user points to something with exactly 1
element?

if (($numrows = mysql_num_rows($user)) == 1) {
    while ($info = mysql_fetch_array($user)) {
        if ($scfchkpwd != $info["scfpwd1"]) {
            session_destroy(); // must run before die(), which never returns
            die('Wrong userid or password!');
        } else {
            echo "yes";
        }
    }
} else {
    echo 'query returned ', $numrows, ' elements.';
}

You might want to increase the error reporting level of PHP.
Add

error_reporting(E_ALL);

to the top of your script, right after the first <?php tag.

--
File not found: (R)esume, (R)etry, (R)erun, (R)eturn, (R)eboot
Oct 13 '06 #7
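A login processor that handles the three things raised in posts #4 to #7 together: the direct-URL case, where $_POST has no keys at all (so isset() is the right test, not == ""), the "exactly one row" check, and the password comparison. This is an added example, not code from the thread. It assumes a PDO connection in $pdo created by dbconnect.php, a users table with userid and pwd_hash columns (hashes produced by password_hash()), and the page names login.php and members.php; all of these are assumptions, and the thread's mysql_* calls are replaced by a PDO prepared statement so the user id is never spliced into the SQL string.

```php
<?php
// login_process.php  (added example, not from the thread)
// Assumptions: dbconnect.php defines $pdo (a PDO instance); table `users`
// has columns `userid` and `pwd_hash`, the latter made with password_hash().

declare(strict_types=1);

session_start();
require __DIR__ . '/dbconnect.php';

/**
 * Returns the user id on success, or null when the form was not submitted
 * properly or the credentials do not match. Callers cannot tell which.
 */
function authenticate(PDO $pdo, array $post): ?string
{
    // Someone who types the processor's URL arrives with no POST body at
    // all: the keys are absent, which is why ($_POST['x'] == "") never
    // matched. isset() catches the missing key; trim() catches blanks.
    if (!isset($post['userid'], $post['password'])) {
        return null;
    }
    $userid   = trim((string) $post['userid']);
    $password = (string) $post['password'];
    if ($userid === '' || $password === '') {
        return null;
    }

    // Prepared statement: the value is bound, not interpolated.
    // LIMIT 2 is enough to detect a duplicate id without fetching more.
    $stmt = $pdo->prepare(
        'SELECT userid, pwd_hash FROM users WHERE userid = ? LIMIT 2'
    );
    $stmt->execute([$userid]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Exactly one row, the same condition as mysql_num_rows() == 1 above;
    // zero rows and duplicates are both a failed login.
    if (count($rows) !== 1) {
        return null;
    }
    if (!password_verify($password, (string) $rows[0]['pwd_hash'])) {
        return null;
    }
    return (string) $rows[0]['userid'];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // A GET (the direct-URL case) is bounced before any work is done.
    header('Location: /login.php', true, 303);
    exit;
}

$userid = authenticate($pdo, $_POST);
if ($userid === null) {
    // One message for "no such user" and "wrong password" alike, so the
    // form does not reveal which user ids exist.
    header('Location: /login.php?error=1', true, 303);
    exit;
}

// Success: new session id (so a pre-login id cannot be reused), then set
// the flag the protected pages test. The password itself is never stored.
session_regenerate_id(true);
$_SESSION['logged_in_ok'] = 1;
$_SESSION['userid']       = $userid;
header('Location: /members.php', true, 303);
exit;
```

Every exit path ends in header() followed by exit, which is the part Garry's post #4 was missing: a redirect header alone does not stop the script, so whatever follows it would still be generated and sent. Combined with error_reporting(E_ALL) at the top of the file, as suggested above, a typo in a column name (the actual cause in this thread) shows up as a visible notice instead of a blank page.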
"Pedro Graca" <he****@dodgeit.com> wrote in message
news:sl*******************@ID-203069.user.individual.net...
> if ($scfchkpwd != $info["scfpwd1"]) {

Ahhh, sorry guys, thanks for your help.

My field name is actually "scfmpwd1"

:)

So now it's working.

Garry Jones
Sweden
Oct 13 '06 #8
