Stop user access

  • Garry Jones

    Stop user access

    I am allowing a user to access a page if they know the password and enter it
    on a form. I process that form with another PHP page; if it's the wrong
    password I do not display sensitive information.

    However, if the user looks in the source code and sees the name of the
    processing page he can simply type in that name and get to the page anyway.
    Okay - he can not see so much, just a lot of empty fields as I only load
    data if the pwd check is okay, but it's untidy and I want to refuse the user the
    page completely if he has not arrived at it in the way intended.

    How do I do that?

    Garry Jones


  • Moot

    #2
    Re: Stop user access


    If the check fails (ex: if the password is wrong, or they navigate
    directly to the page), then use header("location: whatever"); to
    redirect them immediately to some other page.


    • Gordon Burditt

      #3
      Re: Stop user access

      >I am allowing a user to access a page if they know the password and enter it
      >on a form, I process that form with another PHP page, if it's the wrong
      >password I do not display sensitive information.
      Every page should contain some kind of access check. This might be as
      simple as
      if ($_SESSION['logged_in_ok'] == 1) { ...

      assuming you're using PHP sessions.

      If the access check fails, don't output the sensitive content.
      It could also be done with a common include file included by each page
      near the beginning containing such code.

      >However if the user looks in the source code and sees the name of the
      >processing page he can simply type in that name and get to the page anyway.
      A user shouldn't be able to look at *PHP* source code, as it's not sent
      to the browser, but if the URL can be seen in the *HTML* code output,
      he can. So the URL to the processing page should be useless to him
      (he'll fail the access check).
      >Okay - he can not see so much, just a lot of empty fields as I only load
      >data if pwd check is okay, but its untidy and I want to refuse the user the
      >page completely if he has not arrived at it in the way intended.
      If a user has not properly logged in, redirect him to the login page
      without generating any sensitive content.



      • Garry Jones

        #4
        Re: Stop user access

        "Moot" <mootmail-googlegroups@yahoo.com> wrote in message
        news:1160598589.611992.313100@k70g2000cwa.googlegroups.com...
        >If the check fails (ex: if the password is wrong, or they navigate
        >directly to the page), then use header("location: whatever"); to
        >redirect them immediately to some other page.
        Yes I got that bit. But if the user goes straight to the page he jumps in
        and the password entered and the password processed are identical null
        values.

        What I mean is in this example

        $_POST['user_try'] will be empty if the user has typed in the page name of
        the processing page directly. I am unsure how empty, because checking for
        ($_POST['user_try'] == "") was not enough to trap it; it appears there is
        some kind of null that is not recognised as being "". However, when I echoed
        it to check, there was nothing there.

        I have been playing with isset but can't get the syntax.

        if (isset($_POST['user_try'])) {
            // lots of code goes here to kick off the page
            // after which I can close the if statement
        }
        header("Location: whatever.php");
        exit;


        ... But I am still missing something, grateful for any help.
        Garry Jones
        Sweden
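The pattern Gordon describes (an access check at the top of every page, ideally in a common include) and the isset() guard Garry is trying to write, as one added example. This is not code from the thread; the file names auth_check.php, process_login.php and login.php, the field name user_try and the choice to store a password_hash() value rather than a plaintext password are all assumptions. The important detail for Garry's case is that the redirect and the exit belong in the failure branch, before any HTML is produced.

```php
<?php
// Added example, not from the thread. Two pieces that normally live in two
// files (auth_check.php and process_login.php, names assumed) are shown in
// one file so it can be run from the command line: php this_file.php

// --- auth_check.php -------------------------------------------------------
// Every protected page starts with:  require 'auth_check.php';
// The check runs before any HTML is emitted, so header() can still redirect.
function require_login(string $login_url = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['logged_in_ok'])) {
        // Not logged in (or typed the URL directly): redirect and STOP.
        // The exit matters: header() alone does not halt the script, so the
        // sensitive HTML below it would otherwise still be sent to the browser.
        header('Location: ' . $login_url);
        exit;
    }
}

// --- process_login.php ----------------------------------------------------
// isset() is the right test for "did the form post this field at all":
// reading $_POST['user_try'] when the key is absent yields NULL (plus a
// notice), which is not the same thing as a submitted empty string.
function check_login(array $post, string $expected_hash): bool
{
    if (!isset($post['user_try']) || !is_string($post['user_try'])) {
        return false;                       // direct navigation: no form data
    }
    $try = trim($post['user_try']);
    if ($try === '') {
        return false;                       // form submitted, but left empty
    }
    // Assumption: the stored password is a password_hash() string, so the
    // comparison is done by password_verify() rather than with != or ==.
    return password_verify($try, $expected_hash);
}

function process_login(array $post, string $expected_hash): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!check_login($post, $expected_hash)) {
        $_SESSION['logged_in_ok'] = 0;
        return false;                       // caller redirects to login.php
    }
    session_regenerate_id(true);            // fresh session id on privilege change
    $_SESSION['logged_in_ok'] = 1;
    return true;
}

// --- constructed demonstration ------------------------------------------
$stored = password_hash('correct horse', PASSWORD_DEFAULT);   // constructed
var_dump(check_login([], $stored));                            // no form at all
var_dump(check_login(['user_try' => ''], $stored));            // empty field
var_dump(check_login(['user_try' => 'wrong'], $stored));       // wrong password
var_dump(check_login(['user_try' => 'correct horse'], $stored)); // right password
```

In a real deployment the processing page would call process_login($_POST, $hash_from_db) and, on false, do the header('Location: login.php'); exit; itself, while every protected page simply begins with require_login(). Because the session flag is checked on each page rather than relying on how the visitor arrived, knowing the processing page's URL from the HTML gains nothing.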



        • quik_silv

          #5
          Re: Stop user access

          You can try this code, of course you need to get the $_POST['userid']
          and $_POST['password'] which are input by the user.

          //to connect to your database
          include 'dbconnect.php';
          //store session variables
          session_start();
          $_SESSION['userid'] = $_POST['userid'];
          $_SESSION['password'] = $_POST['password'];
          $userid = $_POST['userid'];
          $password = $_POST['password'];
          //here I check the password that the user entered with the one in the
          //database
          $user = mysql_query("SELECT * FROM users WHERE userid = '$userid'") or
          die(mysql_error());
          //load the mySQL query as an array in $info, where you could refer to
          //the password using $info["password"]
          while ($info = mysql_fetch_array($user)) {
              if ($password != $info["password"]) {
                  //destroy the session before die(); nothing after die() runs
                  session_destroy();
                  die('Wrong userid or password!');
              } else {
                  echo "Welcome " . $_SESSION['userid'] . ". You have unlocked the key.";
                  exit;
              }
          }

          Regards,
          Mark Wong




          • Garry Jones

            #6
            Re: Stop user access

            Thanks Mark.

            I tried to adapt your code for my needs but something is misfiring and it's
            not allowing me into the page. I removed the session variable thing as I
            have no need for them.

            // the post with the user id
            $scfchknum = $_POST['scfchknum'];

            // the post with the user password
            $scfchkpwd = $_POST['scfchkpwd'];

            include("connect to database php segment");

            // my table is called scfmforening,
            // scfmnum is the field name with the user id number
            // scfpwd1 is the field name with the password

            So here I assign $user to the table data where scfmnum is the same as the
            user id given by the user

            $user = mysql_query("SELECT * FROM scfmforening WHERE scfmnum =
            '$scfchknum'") or die(mysql_error());

            // now the tricky bit that I don't really understand. It should check
            // password match.

            while ($info = mysql_fetch_array($user)) {
                if ($scfchkpwd != $info["scfpwd1"]) {
                    session_destroy();
                    die('Wrong userid or password!');
                } else {
                    echo "yes";
                }
            }

            The page is not loaded correctly, roughly the sort of blank-looking error as
            when you omit a bracket or a semicolon.

            Any ideas?

            Garry Jones
            Sweden



            • Pedro Graca

              #7
              Re: Stop user access

              Garry Jones wrote:
              [...]
              So here I assign $user to the table data where scfmnum is the same as the
              user id given by the user
              >
              $user = mysql_query("SELECT * FROM scfmforening WHERE scfmnum =
              '$scfchknum'") or die(mysql_error());
              >
              // now the tricky bit that I don't really understand. It should check
              // password match.
              Are you sure the resource $user points to something with exactly 1
              element?

              if (($numrows = mysql_num_rows($user)) == 1) {
                  while ($info = mysql_fetch_array($user)) {
                      if ($scfchkpwd != $info["scfpwd1"]) {
                          session_destroy();
                          die('Wrong userid or password!');
                      } else {
                          echo "yes";
                      }
                  }
              } else {
                  echo 'query returned ', $numrows, ' elements.';
              }


              You might want to increase the error reporting level of PHP.
              Add

              error_reporting(E_ALL);

              to the top of your script, right after the first <?php tag.

              --
              File not found: (R)esume, (R)etry, (R)erun, (R)eturn, (R)eboot
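Pedro's two points, error_reporting(E_ALL) at the top of the script and insisting that the lookup returns exactly one row, carried into a complete check, as an added example that is not code from the thread. It also replaces the string-built mysql_query() used in the posts above (where the submitted id is pasted straight into the SQL text) with a prepared statement, so the id is passed as data and cannot change the query. The table and column names scfmforening, scfmnum and scfmpwd1 are taken from Garry's posts; the in-memory SQLite database, the sample row and the use of password_hash() for the stored value are assumptions made so the file runs offline.

```php
<?php
// Added example, not from the thread. Run with: php this_file.php
// Pedro's advice: make PHP report everything while you are debugging.
error_reporting(E_ALL);

// Look up one member by id with a placeholder instead of string interpolation.
// Returns the row, or null when the id is unknown or ambiguous.
function find_member(PDO $db, string $member_num): ?array
{
    $stmt = $db->prepare(
        'SELECT scfmnum, scfmpwd1 FROM scfmforening WHERE scfmnum = ?'
    );
    $stmt->execute([$member_num]);          // value travels separately from SQL
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // Exactly one row, as Pedro's mysql_num_rows() == 1 check demanded:
    // zero rows is an unknown id, more than one is a data problem.
    return count($rows) === 1 ? $rows[0] : null;
}

// The processing page's check: false when the form was not submitted at all
// (direct navigation), when the id is unknown, or when the password is wrong.
function check_member_password(PDO $db, array $post): bool
{
    if (!isset($post['scfchknum'], $post['scfchkpwd'])
        || !is_string($post['scfchknum']) || !is_string($post['scfchkpwd'])) {
        return false;
    }
    $row = find_member($db, $post['scfchknum']);
    if ($row === null) {
        return false;
    }
    // Assumption: scfmpwd1 holds a password_hash() value, not plaintext,
    // so the comparison is password_verify() rather than != on two strings.
    return password_verify($post['scfchkpwd'], $row['scfmpwd1']);
}

// --- constructed fixture: in-memory SQLite standing in for the MySQL table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE scfmforening (scfmnum TEXT PRIMARY KEY, scfmpwd1 TEXT)');
$ins = $db->prepare('INSERT INTO scfmforening (scfmnum, scfmpwd1) VALUES (?, ?)');
$ins->execute(['1001', password_hash('s3cret', PASSWORD_DEFAULT)]); // constructed

var_dump(check_member_password($db, ['scfchknum' => '1001', 'scfchkpwd' => 's3cret'])); // right password
var_dump(check_member_password($db, ['scfchknum' => '1001', 'scfchkpwd' => 'nope']));   // wrong password
var_dump(check_member_password($db, ['scfchknum' => '9999', 'scfchkpwd' => 's3cret'])); // unknown id
var_dump(check_member_password($db, []));                                                 // direct navigation
```

With MySQL the only change is the DSN passed to new PDO(); the prepare/execute calls and the single-row check stay the same. A misspelt column name such as the scfpwd1 versus scfmpwd1 mix-up resolved later in this thread surfaces immediately as a PDOException under ERRMODE_EXCEPTION instead of a blank page.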


              • Garry Jones

                #8
                Re: Stop user access

                "Pedro Graca" <hexkid@dodgeit.com> wrote in message
                news:slrneitnn8.4mo.hexkid@ID-203069.user.individual.net...
                >if ($scfchkpwd != $info["scfpwd1"]) {
                Ahhh, sorry guys, thanks for your help.

                My field name is actually "scfmpwd1"

                :)

                So now it's working.

                Garry Jones
                Sweden

