
password-protection

Wm
Something just occurred to me... <yeah, I know, it scared me too> I just
password-protected a website by including a password authentication script
in each page of a private section. The script checks the login against the
mySQL database. This type of protection will only affect the .php pages,
won't it? The images that are contained in the pages are not protected, as
they would be if I had a .htaccess file on the parent directory..? This
method will not protect me from people hot-linking images from my directory
and calling them directly, will it? What is the "best" way of protecting
the entire directory, both pages AND images?

Thanx,
Wm

Jul 17 '05 #1

> This type of protection will only affect the .php pages,
> won't it? The images that are contained in the pages are not protected, as
> they would be if I had a .htaccess file on the parent directory..?


You're right. Use .htaccess.
Jul 17 '05 #2
> Something just occurred to me... <yeah, I know, it scared me too>
> I just password-protected a website by including a password
> authentication script in each page of a private section. The
> script checks the login against the mySQL database. This type of
> protection will only affect the .php pages, won't it?

Indeed.

> The images that are contained in the pages are not protected, as
> they would be if I had a .htaccess file on the parent
> directory..? This method will not protect me from people
> hot-linking images from my directory and calling them directly,
> will it? What is the "best" way of protecting the entire
> directory, both pages AND images?


Probably an .htaccess file.
--
SeeSchloß - http://www.seeschloss.net

Jul 17 '05 #3

"Wm" <LA*******@hotmail.com> wrote in message
news:xN**********************@news.easynews.com...
> Something just occurred to me... <yeah, I know, it scared me too> I just
> password-protected a website by including a password authentication script
> in each page of a private section. The script checks the login against the
> mySQL database. This type of protection will only affect the .php pages,
> won't it? The images that are contained in the pages are not protected, as
> they would be if I had a .htaccess file on the parent directory..? This
> method will not protect me from people hot-linking images from my directory
> and calling them directly, will it? What is the "best" way of protecting
> the entire directory, both pages AND images?
>
> Thanx,
> Wm


I totally agree that .htaccess is the right way to go. However, if that is
not available to you or you have other reasons not to use it, a method I
have used to protect HTML and other downloadable files (e.g., a Word
Document) is to store the sensitive material in a directory that is not
accessible to web browsers. Under Apache, anything on the same directory
level as /htdocs will work, such as /etc or /cgi-bin. Then your protected
PHP script (which can reach into other directories besides the
web-accessible ones) obtains the document and makes it available to the
user, either immediately through the fpassthru() or readfile() functions
(for text and HTML files), or by setting up a download action via header()
statements to send binary files. Look up help topics in "file download" on
PHP websites for more info.

Note that the latter technique can be directly applied to images on your
page if you write a PHP script that grabs the desired image and sends it to
stdout, setting the appropriate header() elements to let the browser know
that an image is "on the way". Then you use the image tag in your original
php/html file to point to this "image script" file in the "src=" attribute,
e.g.,

<img src="get_my_image.php?image_id=4">

Since the <img> tag lives within your protected php file, and your image
file (whatever corresponds to image_id=4) resides outside the web directory,
this will only provide the image to someone with access to your original
page.

Douglas Abernathy
Jul 17 '05 #4
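
A sketch of the `get_my_image.php` script described in the post above, added here as an example and not code posted by anyone in the thread. It repeats the login check inside the image script, because the `src=` URL can be requested on its own, and it maps `image_id` to a file through an allow-list so the client never supplies a path. The session key `user_id`, the directory `/var/www/private_images` and the file names are assumptions.

```php
<?php
// get_my_image.php -- added example, not code from the thread.
// Assumptions (hypothetical): the login script sets $_SESSION['user_id'],
// and images live in PRIVATE_DIR, a directory outside the web root.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private_images';   // hypothetical path, not under htdocs

// Allow-list: image_id => file name. The client never supplies a path.
const IMAGES = [
    4 => 'floorplan.png',   // constructed sample entries
    5 => 'team-photo.jpg',
];

session_start();

// 1. The image URL can be requested directly, so this script must repeat
//    the same login check as the protected pages.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Accept only an integer id that is present in the allow-list.
$id = filter_input(INPUT_GET, 'image_id', FILTER_VALIDATE_INT);
if ($id === null || $id === false || !isset(IMAGES[$id])) {
    http_response_code(404);
    exit('Not found');
}

$path = PRIVATE_DIR . '/' . IMAGES[$id];
if (!is_file($path) || !is_readable($path)) {
    http_response_code(404);
    exit('Not found');
}

// 3. Derive the content type from the file itself and refuse non-images.
$mime = mime_content_type($path);
if ($mime === false || strncmp($mime, 'image/', 6) !== 0) {
    http_response_code(415);
    exit('Unsupported media type');
}

// 4. Send headers, then stream the file. "private, no-store" keeps shared
//    caches from storing and re-serving the protected image.
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

`mime_content_type()` needs PHP's fileinfo extension; the protected page then references the script exactly as in the post, `<img src="get_my_image.php?image_id=4">`.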
