|
"wots it all about"
Regular
on 05/10/2008 at 7:28:17PM
Total Posts: 30 |
hiya, i have a members only section in my website which you can (well should) only access by logging in, but i dont understand how i can stop people just typing in the address to the members only page and access the page, I'm new to web design and this may be a silly question with a simple answer, but would one of you be kind enough to educate me please. Many thx in advance.
|
|
|
|
|
|
Delicious Digg Reddit Facebook StumbleUpon
|
|
Tappet
"wots it all about"
Regular
on 17/10/2008 at 10:54:09PM
Total Posts: 30
|
Lo JimTheDog
thx once again, your a star!
how are you fixed for building an ecommerce site, lol.
STARDUST |
|
|
|
JimTheDog
"Woof Woof"
Regular
on 17/10/2008 at 8:38:08PM
Total Posts: 19
|
|
Hi Tappet,
The code should replace all of the code you used - you can scrub the whole of the Java script. All you need to do is rename the pages like:
testpage1.php becomes your index.php
testpage2.php becomes auth.php
and testpage3.php becomes your first members page.
If you click the link I provided to my test site and then view the source, you notice you cannot see the User/password details.
Also, if you want to go down the line of MySQL then my advice is bite the bullet and I'll help out where I can.
JTD
|
|
|
|
Tappet
"wots it all about"
Regular
on 16/10/2008 at 10:44:58PM
Total Posts: 30
|
|
hiya jimthedog,
no probs on the delay, only looked tonite to see if i had a reply, many thx for the code, i'll have a crack at it over the weekend and let you know how it goes. i guess the script im using to encript the user details can be inserted in the the php code?
to be honest im new to all this and i'm only using this java script do to a website tell me it was one of the best they had seen and it was very easy to get up and running, i have an editional piece of code, where i type in the users name and password and it encripts it for me and give me a piece of code the i add to the page, ie
<option value='Tappet|57456|NNPIETZB'>Tappet </option>
i would prefer a SQL powered way of doing this but like i say, i'm still new to all this and that seemed abit to advanced for now, do you know of any good site where i could grab this code and tables for a sql vision?
many thx for your time your've been a big help.
|
|
|
|
JimTheDog
"Woof Woof"
Regular
on 16/10/2008 at 8:08:12PM
Edited: 16/10/08 20:23 Total Posts: 19
|
Hi Tappet,
Very sorry for the delay with this - I've been busy with other problems.
By using Java in your original script you're causing problems creating session variables and passing parameters between pages. Seeing as I'm no Java expert (nor any other expert come to that) I've re-written your auth page in php. Pre-quoting passwords and usernames isn't exactly efficent but at least they can't be seen within the php script.
Anyway - try doing this to get you on track:
Create three pages: testpage1.php, testpage2.php and testpage3.php. Copy the following lines in to the relevent page.
testpage1.php
<?php
session_start();
$namesArray = array();
$namesArray["fjhgfhg"] = ""; // if you want a blank line.
$namesArray["AAA"] = "Andrew";
$namesArray["BBB"] = "Barry";
$namesArray["CCC"] = "Charlie";
$_SESSION['namesArray'] = $namesArray;
$result = $_REQUEST['res'];
if ($result == "fail"){$message = "Your login details were not recognised. Please try again.";}
echo $authIt;
?>
<form action="testpage2.php" method="post">
<p>
UserName: <SELECT name="UserName">
<?php foreach ($namesArray as $value) { ?>
<option value='<?php echo"$value";?>'><?php echo "$value";?> </option>
<?php } ?> </SELECT>
</p>
<p>
Password:
<input name="password" type="text" id="password">
<input type="submit" name="Submit" value="Submit">
<input type="hidden" name="names" value="$namesArray[]">
</p>
</form>
<?php echo $message;?>
testpage2.php
<?php
//start a session
session_start();
$namesArray = $_SESSION['namesArray'];
$pwd = $_POST['password'];
$UID = $_POST['UserName'];
if (isset($namesArray[$pwd]) && ($namesArray[$pwd]== $UID))
{$_SESSION['loggedin'] = $UID; $_SESSION['authcode']="OK"; header("location: testpage3.php");} else {
header("location: testpage1.php?res=fail");}
?>
testpage3.php
<!-- add this snippet to the top of every page you want to protect -->
<!-- or alternativly save it as auth.php and use < ?php session_start(); include("auth.php"); ?> at the top of each page -->
<?php
session_start();
if ($_SESSION['authcode']!="OK")
{header("location: testpage1.php");} ?>
<?php
//this should not be included in every page but you can see how you can pass the session variable to all pages once it has been set in the authorisation script.
$loggedin = $_SESSION['loggedin'];
echo "$loggedin is logged in";
?>
I hope this a) works, and b) helps and c) doesn’t appear too clumsy to people who actually know what they are doing.
Click here to see this in action.
JTD |
|
|
|
Tappet
"wots it all about"
Regular
on 10/10/2008 at 9:07:05PM
Edited: 10/10/08 21:09 Total Posts: 30
|
|
this is my form and script code where i'm having the prob, your code uses username and password, where im using memlist and password
<form action="../../../Members Login/membersarea.php" name=login>
<tr>
<td colspan=2 align=center><span class="style3"><b>MEMBERS LOGIN</b></span></td>
</tr>
<tr>
<td width="60"><span class="style31">username:</span></td>
<td width="125"><select name=memlist>
<option value='x'> </option>
<option value='paul|39325|NEPBNYXB'>paul </option>
<option value='Scottie2Hottie|44419|NMOFLXBJ'> Scottie2Hottie </option>
<option value='Tappet|57456|NNPIETZB'>Tappet </option>
</select></td>
</tr>
<tr>
<td><span class="style31">password:</span></td>
<td><input type=password size=10 maxlength=8 name=pass />
<input type=button value="Login" onclick="check(this.form)" /></td>
</tr>
</table>
</form>
<script language="JavaScript">
<!-- Begin
var params=new Array(4);
var alpha="ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHI";
function check(form) {
which=form.memlist.selectedIndex;
choice = form.memlist.options[which].value+"|";
if (choice=="x|") {
alert("Please Select Your Name From The List");
return;
}
p=0;
for (i=0;i<3;i++) {
a=choice.indexOf("|",p);
params=choice.substring(a,p);
p=a+1;
}
h1=makehash(form.pass.value,3);
h2=makehash(form.pass.value,10)+" ";
if (h1!=params[1]) {
alert("Incorrect Password!"); return; };
var page="";
for (var i=0;i<8;i++) {
letter=params[2].substring(i,i+1)
ul=letter.toUpperCase();
a=alpha.indexOf(ul,0);
a-=(h2.substring(i,i+1)*1);
if (a<0) a+=26;
page+=alpha.substring(a,a+1); };
top.location=page.toLowerCase()+".html";
}
function makehash(pw,mult) {
pass=pw.toUpperCase();
hash=0;
for (i=0;i<8;i++) {
letter=pass.substring(i,i+1);
c=alpha.indexOf(letter,0)+1;
hash=hash*mult+c;
}
return(hash);
}
|
|
|
|
JimTheDog
"Woof Woof"
Regular
on 10/10/2008 at 8:41:44PM
Total Posts: 19
|
|
Tappet,
The way you were doing your authetication was always a bit of a blind spot. If you take the two code snippets and put them in two pages called testpage1.php and testpagetwo.php then you shouldn't be able to view testpage2.php without first autheticating via testpage1.php (however as soon as you've authenticated yourself once you can view testpage2.php by typing it into your address bar until you close your browser - because the autheticatin session exists). Where I've put the authentication code you should replace that with your own authentication method.
If all of that is going above your head then feel free to post your code.
JTD
|
|
|
|
Tappet
"wots it all about"
Regular
on 10/10/2008 at 8:28:21PM
Total Posts: 30
|
|
lo jimthedog, ive tried the code that you posted but i can't get it to work, if i post my username password script is there any chance you can intergrate it for me please?
|
|
|
|
Tappet
"wots it all about"
Regular
on 10/10/2008 at 2:14:49AM
Total Posts: 30
|
|
nice1, i'll give it a go and let you kno, many thx.
|
|
|
|
JimTheDog
"Woof Woof"
Regular
on 06/10/2008 at 10:17:02PM
Edited: 7/10/08 17:45 Total Posts: 19
|
|
Hi Tappet,
I'm not sure how you do your athentication but this should point you in the right direction.
PART ONE
<!--put this php snippet at the top of your index page (which should also have a .php extension -->
<?php
// first we check to make sure there are no sessions - if there are, destroy them
if (session_id() != "") {session_destroy();
unset($_SESSION );}
?>
<!-- this will look something like your submit form -->
<form action="testpage2.php" method="post">
<p>
UserName:
<input name="UserName" type="text" id="UserName">
</p>
<p>
Password:
<input name="password" type="text" id="password">
<input type="submit" name="Submit" value="Submit">
</p>
</form>
PART TWO
<!--add everything below this comment as the first thing in each page you need to authenticate. All pages should have a .php extension. -->
<!--place this code at the top of all subsequent pages you need athentication on -->
<?php
//start a session
session_start();
// if the password and username (via your own athentication methods) are correct then do this
$pwd = $_POST['password'];
$username = $_POST['UserName'];
// check the validation value
if ($username == "user" && $pwd == "password"){
$_SESSION['auth']="yes"; }
//if it doesn't check out then boot the user back to the index (in this case testpage1.php)
if ($_SESSION['auth'] != "yes") {header ("location: testpage1.php");exit();}
?>
<!-- now carry on with the rest of your page -->
<html>
<head></head>
<body>Page OK</body>
</html>
I hope this helps.
JTD
|
|
|
|
Tappet
"wots it all about"
Regular
on 06/10/2008 at 7:52:33PM
Total Posts: 30
|
|
hiya, thx for your reply, i already have my sign up form running on my site where visitors type in a user name and password to register and when they login with those details it directs then to the members only page, but i dont know how to stop people just typing in the web address (once they know it) to get to the same page. guess i just need some sort of code adding to the page. many thx for your interest and hope you can help further.
|
|
|
|
JimTheDog
"Woof Woof"
Regular
on 06/10/2008 at 6:41:03PM
Total Posts: 19
|
|
Hi Tappet,
Do you want a single username/password or do you want each user to have their own combination. I'll warn you now, the second option will get technical.
JTD
|
|
|
|
Tappet
"wots it all about"
Regular
on 05/10/2008 at 7:28:17PM
Total Posts: 30
|
|
hiya, i have a members only section in my website which you can (well should) only access by logging in, but i dont understand how i can stop people just typing in the address to the members only page and access the page, I'm new to web design and this may be a silly question with a simple answer, but would one of you be kind enough to educate me please. Many thx in advance.
|
|
|
|
|
 |
|
