Rus84

Reputation: 33

.php file security using MAMP

I have generated a PHP file that has information stored in a database. To access this a person must use a login page.

However, when you are using MAMP, how can you prevent someone from accessing the file by writing the IP address and PHP file name, e.g. 123.456.78.00:80/fileone.php? I want this fileone.php to be hidden and for them to only access it through a login page. Thanks in advance.

<?php
session_start();

// Connect first: mysql_real_escape_string() needs an open connection.
mysql_connect("localhost", "root", "root") or die(mysql_error()); // Connect to server
mysql_select_db("first_db") or die("Cannot connect to database"); // Select the database

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

$query = mysql_query("SELECT * from users WHERE username='$username'"); // Fetch the rows whose username equals $username
$exists = mysql_num_rows($query); // Number of matching rows
$table_users = "";
$table_password = "";
if ($exists > 0) // The username exists
{
    while ($row = mysql_fetch_assoc($query)) // Walk the matching rows; the last one read is kept
    {
        $table_users = $row['username'];
        $table_password = $row['password'];
        $table_id = $row['id'];
        $page_id = $row['page'];
    }
    if (($username == $table_users) && ($password == $table_password)) // Username and password both match
    {
        $_SESSION['user'] = $username; // Store the username in the session so other pages can read it
        //echo $table_id;
        //echo $page_id;

        redirect($page_id); // Take the user to the page specified in the users table
    }
    else
    {
        Print '<script>alert("1. Incorrect Password!");</script>'; // Prompts the user
        Print '<script>window.location.assign("login.php");</script>'; // Redirects to login.php
    }
}
else
{
    Print '<script>alert("Incorrect Username!");</script>'; // Prompts the user
    Print '<script>window.location.assign("login.php");</script>'; // Redirects to login.php
}

function redirect($page_id)
{
    /* Redirect browser */
    header('Location: ' . $page_id);
    /* Make sure that code below does not get executed when we redirect. */
    exit;
}
?>

Upvotes: 1

Views: 89

Answers (1)

CrazzyMarc

Reputation: 33

Login check

session_start(); // must run before $_SESSION can be read
if(isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true) {
    // Your script
}

If you have a profile for your users, like a normal user = 0 and an admin = 1, you can do it like this:

if(isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true && $_SESSION['profile'] == 1) {
    // Your script
}

Set sessions

To set the sessions to true you need this:

if(isset($_POST['submit'])) {
    $_SESSION['loggedIn'] = true;

    // to set a profile
    $_SESSION['profile'] = 1;
}

Maybe I didn't understand you well, but to be sure I will explain something:

You said you attached checklogin.php, but you can't use that to deny access for non-members. If they know that the file exists, they can type it in the URL and still read fileone.php. The first code block needs to be in your fileone.php.

Session time

Search in your php.ini for 'session.gc_maxlifetime'. There will be a number and that is the time in seconds.

Upvotes: 1
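
An added example, not code from either poster: one shared include that both the login handler and fileone.php can use, so a direct request for fileone.php without a session is sent back to login.php. It reuses the `$_SESSION['user']` key and the `username`, `password` and `page` columns from the question; the file name `auth.php`, the function names, the use of PDO and the assumption that the `password` column holds `password_hash()` output are all hypothetical.

```php
<?php
// auth.php (hypothetical file name): included by the login handler and by every protected page.
declare(strict_types=1);

// Start the session only once per request.
function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call at the very top of fileone.php, before any output is sent.
// Returns the logged-in username, or redirects and stops the script.
function require_login(string $loginPage = 'login.php'): string
{
    start_session();
    if (empty($_SESSION['user'])) {
        header('Location: ' . $loginPage);
        exit; // nothing below this call runs for a visitor without a session
    }
    return (string) $_SESSION['user'];
}

// Call from the login handler. Returns the user's landing page on success, null on failure.
function attempt_login(PDO $db, string $username, string $password): ?string
{
    // Prepared statement: the username is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT username, password, page FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Assumption: the password column stores password_hash() output, not plain text.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same result for unknown user and wrong password
    }

    start_session();
    session_regenerate_id(true); // issue a fresh session id once the user is authenticated
    $_SESSION['user'] = $row['username'];
    return $row['page'];
}
```

In fileone.php the first statements would be `require 'auth.php';` followed by `$user = require_login();`, so the check runs on every request for that file regardless of how the URL was reached.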
