Authorization in PHP
In this article we will talk about guest book authorization. If you want to restrict access to site resources you can use several methods, for example the Apache web server's own mechanism, which requires creating an .htpasswd file. That approach is not very convenient, because moving the site to another server means rebuilding the .htpasswd file, and changing a password is tedious. As a result, developers more often implement authorization in PHP, even though that kind of protection is more fragile and can be broken.
In this article we will look at the principle behind such authorization, which will allow you to build something similar yourself.
As a rule, access to the administration panel (admin/index.php) is restricted by Apache means. Here we will look at a script that restricts access by means of PHP. The login and password will be stored in a file, because that does not require access to a database and can be reused in other web applications.
Now let us talk about how the protection is organized. It is best to route all actions on the administration page through one file (index.php), and it is in that file that the login and password are checked. The mechanism is based on sessions, although cookies could be used as an alternative. Sessions are the more robust choice because, unlike cookies, session data is stored on the server, so the probability of unauthorized access is lower.
<?php
// This file is included by the other files through the "include" directive,
// so a direct call to it from the query line (by its own name) must be refused.
// If the constant IN_ADMIN is not defined, stop the script.
if(!defined("IN_ADMIN")) die;
// Start the session
session_start();
// Read the file contents into an array, one element per line
$access = file("access.php");
// Copy the values into variables, skipping the first line of the file (index 0)
$login = trim($access[1]);
$passw = trim($access[2]);
// Check whether the form data were sent
if(!empty($_POST["enter"]))
{
$_SESSION["login"] = $_POST["login"];
$_SESSION["passw"] = $_POST["passw"];
}
// If they were not entered, or they are wrong, ask for them
if(empty($_SESSION["login"]) or
$login != $_SESSION["login"] or
$passw != $_SESSION["passw"] )
{
?>
<a href="index.php">Return to the administrative page of the guest book</a>
<form action="index.php" method="post">
Login <input class="input" type="text" name="login" value="">
Password <input class="input" type="password" name="passw" value="">
<input type="hidden" name="enter" value="yes">
<input class="button" type="submit" value="Enter">
</form>
<?php
die;
}
?>
The access.php file with the login and password has the following structure:
<?php die; ?>
admin
passw
Note: for more effective protection, the password and login can be stored in irreversibly hashed form, produced by the md5() function.
When access.php is requested directly from the browser, the die() call on its first line stops the script, so the login and password are never sent to the browser.
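The same design (credentials in a file guarded by die(), an IN_ADMIN check, and a session) with the checks a practitioner would add today, as an added example rather than the article's own code: it keeps only an "authenticated" flag in the session instead of the password, compares the login in constant time, and verifies the password against a hash. It assumes the third line of access.php holds a hash made with password_hash() (used here in place of the md5() the article mentions, since md5 is unsuitable for password storage), and that the login form posts the same field names as the article's form.

```php
<?php
// Added example, not the article's code: hardened auth.php with the same structure.
// Assumes access.php contains three lines: "<?php die; ?>", the login,
// and a hash produced once by password_hash('your-password', PASSWORD_DEFAULT).
if (!defined("IN_ADMIN")) die;

session_start();

$access = file("access.php", FILE_IGNORE_NEW_LINES);
$login  = $access[1];
$hash   = $access[2];   // password hash, never the password itself

// Handle a submitted login form.
if (!empty($_POST["enter"])) {
    // hash_equals avoids leaking how many leading characters matched.
    $userOk = hash_equals($login, (string)($_POST["login"] ?? ""));
    // password_verify checks the submitted password against the stored hash.
    $passOk = password_verify((string)($_POST["passw"] ?? ""), $hash);
    if ($userOk && $passOk) {
        // Issue a fresh session id on login so a pre-set id cannot be reused.
        session_regenerate_id(true);
        $_SESSION["admin"] = true;
    } else {
        unset($_SESSION["admin"]);
    }
}

// Not authenticated: show the form and stop, exactly as the article's script does.
if (empty($_SESSION["admin"])) {
?>
<form action="index.php" method="post">
Login <input class="input" type="text" name="login" value="">
Password <input class="input" type="password" name="passw" value="">
<input type="hidden" name="enter" value="yes">
<input class="button" type="submit" value="Enter">
</form>
<?php
    die;
}
?>
```

The hash for access.php can be generated once from the command line with `php -r 'echo password_hash("your-password", PASSWORD_DEFAULT), PHP_EOL;'` and pasted in as the third line.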
Now we have to create the entry point file. Through it we will reach every file of the administration system. Rename index.php to main.php in the admin directory, then create a new index.php with the following content:
<?php
define("IN_ADMIN", TRUE);
// Check the access rights
include "auth.php";
// Get the op parameter from the URL (empty string if it is absent)
$op = isset($_GET["op"]) ? $_GET["op"] : "";
// Select the required action; anything unknown falls back to the main page
switch ($op)
{
case "main" : include "main.php"; break;
case "delp" : include "delpost.php"; break;
case "editform" : include "editcommentform.php"; break;
case "edit" : include "editcomment.php"; break;
case "hide" : include "hide.php"; break;
case "show" : include "show.php"; break;
default : include "main.php";
}
?>
Now we have to forbid direct calls to the other scripts. To do that, every file (except the new index.php) must test the IN_ADMIN constant:
<?php
if(!defined("IN_ADMIN")) die;
?>
That's it. But your guest book still doesn't work? Right, we have to change a few lines. Every link must now call index.php, passing it the op parameter. In main.php (the former index.php), change lines 35 and 36 to:
<?php
// The quotes inside the HTML attributes must be escaped (or single quotes used),
// otherwise the double-quoted PHP string ends at class="
if(!$guest["hide"]) $showhide = '<a class="menu" href="index.php?op=hide&amp;id_msg='
. (int)$guest["id_msg"] . '&amp;start=' . (int)$start
. '" title="Hide a message from the list on the site">Hide message</a>';
?>
And lines 63 to 70 should be changed to:
<?php
// Same quoting fix: single-quoted PHP strings so the HTML attribute quotes survive
echo '<p class="menu"><a class="menu" href="index.php?op=editform&amp;id_msg=' . (int)$guest["id_msg"]
. '&amp;start=' . (int)$start . '" title="Edit message">Edit</a>';
echo " " . $showhide;
echo ' <a class="menu" href="index.php?op=delp&amp;id_msg=' . (int)$guest["id_msg"]
. '&amp;start=' . (int)$start . '" title="Delete message">Delete message</a>';
echo "</p>";
?>
In editcommentform.php, line 29 should be changed to:
<form action="index.php?op=edit" method="post">
That's it. The guest book with a closed administration panel is ready. Don't forget to edit access.php and enter a more complicated login and password. Of course, such a system cannot claim to be serious protection, but it will do for a start, and you can improve it later.