
Password protect complete directories

Discussion in 'PHP' started by smatts9, Jul 12, 2006.

  1. #1
    Is there any easy way to password protect a complete directory? I have a DB full of user info, and one piece of info is the userlevel. I want it so that any user without a level of 3 is unable to access a complete directory. What would be the easiest way of going about this? I have a cookie set for their userlevel when they login.

    <?php
    if ($_COOKIE["userlevel"] == 3)
    PASS
    else
    FAIL
    ?>

    Do I just echo""; the whole page where PASS is at?? I have multiple areas on the webpage where I call php. So echo doesn't work, and the else is easy enough just trying to deal with the PASS part. Could I include at the top of every page this:

    <?php
    if ($_COOKIE["userlevel"] == 3)
    PASS


    and in a footer this:

    else
    FAIL
    ?>

    I am confused and looking for help, Thank you.
     
    smatts9, Jul 12, 2006 IP
  2. mushroom

    mushroom Peon

    #2
    Still working on this myself, so no real answers at this time.

    But I can tell you that your approach is not secure, client side security is easy to by-pass, use server side validation.

    Give your users a unique id (cookie) when they login and store the access level with the id server side.
     
    mushroom, Jul 12, 2006 IP
  3. penagate

    penagate Guest

    #3
    Hi,

    I am slightly confused about your question. You wish to password protect a directory, right? But this cannot be done using PHP - unless the only way to access said directory is through a PHP index page. In which case, simply use a common session-based login system.

    - P
     
    penagate, Jul 13, 2006 IP
  4. jnestor

    jnestor Peon

    #4
    Along the lines of what penagate said ... we need to know what this "directory" that you speak of is. If you're talking about a directory that contains PHP pages the easiest way to go about it is to add code to the top of each page that checks that the user has permission and redirects to a login page/error page if they don't.

    If this is a directory of files for download or something similar you can do what you sort of imply in your initial post. Make an index.php that checks for permission and displays the directory contents if they have permission. That's not terribly secure however as anyone who had permission could easily post the links elsewhere and people could bypass your permission check and get at the files directly.

    If that's what you're attempting the better way is to move the files out of the directory entirely. Write a script that you can pass a filename (or id) that will check the permissions and echo the file back to the user. That way no direct access of the files is possible.
     
    jnestor, Jul 13, 2006 IP
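
Added example, not part of any post in the thread: a download script of the kind post #4 describes, with the files kept outside the docroot and every request checked before the file is sent. STORAGE_DIR, the users(id, userlevel) table, the connection details and the ?file= parameter name are assumptions.

```php
<?php
// download.php - added example. This script sits in the docroot; the files
// it serves sit in a directory that has no URL of its own.
// Assumptions: STORAGE_DIR, users(id, userlevel), DB credentials, ?file=.

const STORAGE_DIR = '/home/example_user/protected_files'; // outside the docroot
const REQUIRED_LEVEL = 3;

// Map a requested name to a real file inside STORAGE_DIR, or null.
function resolveDownload(string $requested): ?string
{
    // basename() drops directory parts such as "../"; realpath() resolves symlinks.
    $root = realpath(STORAGE_DIR);
    $path = realpath(STORAGE_DIR . '/' . basename($requested));
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // Reject anything that resolved to a location outside the storage directory.
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (!isset($_SESSION['userid'])) {
    header('Location: login.php');
    exit();
}

// The level comes from the database, never from the browser.
$db = new PDO('mysql:host=localhost;dbname=example_db', 'example_user', 'example_password');
$stmt = $db->prepare('SELECT userlevel FROM users WHERE id = ?');
$stmt->execute([$_SESSION['userid']]);
if ((int) $stmt->fetchColumn() !== REQUIRED_LEVEL) {
    http_response_code(403);
    exit('Forbidden');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolveDownload($name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Send a conservative file name so the header cannot be broken by odd characters.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the permission check runs on every request, a download link posted elsewhere is useless to anyone without a level 3 session.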
  5. smatts9

    smatts9 Active Member

    #5
    I am protecting a directory of php files. I use a session to track my users. The session holds the user's unique ID. I use the ID to access the rest of their information from a MySQL DB when needed, such as their userlevel. What kind of code would I put at the top of the page to check if they have a session? and if they don't it redirects them to a login page? I have been trying to do just that but seem to fail time and time again. Thank you.
     
    smatts9, Jul 13, 2006 IP
  6. penagate

    penagate Guest

    #6
    Hi,

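    <?php
    // Resume the session before reading $_SESSION
    session_start();

    if (isset($_SESSION['userid']))
    {
      // valid session
    }
    else
    {
      // no session: send the visitor to the login page and stop
      header('Location: login.php');
      exit();
    }
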
    Replace $_SESSION['userid'] with the appropriate variable index.

    Remember that you cannot output anything before calling header(). This means no echo()'s, no print() or print_r()'s, and no stray characters before the first opening <?php tag.

    Regards
    - P
     
    penagate, Jul 13, 2006 IP
  7. smatts9

    smatts9 Active Member

    #7
    So am I limited to just including a different page if successful? That is what I currently do, what do you do to prevent people from just going directly to the included file and bypassing the login?
     
    smatts9, Jul 14, 2006 IP
  8. jnestor

    jnestor Peon

    #8
    You'll want to put that code at the top of each page in the directory.

    Are you saying that your pages just include another file that has the entire contents of the page? Not sure why you'd want to do that. Normally no one will be able to see your included files since those filenames are never sent to the client. If you want to secure them though just place them outside your docroot (normally your public_html directory). That way no one could possibly access the included files directly.
     
    jnestor, Jul 14, 2006 IP
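
Added example, not part of any post in the thread: the per-page check from posts #6 and #8 combined with the server-side level lookup suggested in post #2, so the level is read from the database instead of a cookie. The file name guard.php, the users(id, userlevel) table and the connection details are assumptions.

```php
<?php
// guard.php - added example. Keep this file outside the docroot and load it
// as the first statement of every protected page, for instance:
//     require '/home/example_user/includes/guard.php';   // hypothetical path
// Assumed schema (not from the thread): users(id INT, userlevel INT).

const REQUIRED_LEVEL = 3; // the level the original question wants to enforce

// Return the logged-in user's level from the database, or null if there is
// no session or the account no longer exists.
function currentUserLevel(PDO $db): ?int
{
    // The session holds only the user id; the browser never supplies the level.
    if (!isset($_SESSION['userid'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT userlevel FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['userid']]);
    $level = $stmt->fetchColumn();
    return $level === false ? null : (int) $level;
}

session_start();

// Placeholder connection details; substitute your own.
$db = new PDO('mysql:host=localhost;dbname=example_db', 'example_user', 'example_password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$level = currentUserLevel($db);

if ($level === null) {
    // Not logged in: redirect before any output has been sent.
    header('Location: login.php');
    exit();
}

if ($level !== REQUIRED_LEVEL) {
    // Logged in but not level 3: refuse instead of bouncing to the login page.
    http_response_code(403);
    exit('Forbidden');
}
// Execution reaches the protected page only for a level 3 user.
```

A protected page starts with the require line, closes the PHP block with ?> and then continues with its normal HTML.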
  9. smatts9

    smatts9 Active Member

    #9
    I use that code posted above but am unable to use any HTML? I try and echo in my page but keep getting parse errors?
     
    smatts9, Jul 14, 2006 IP
  10. coderlinks

    coderlinks Peon

    #10
    coderlinks, Jul 22, 2006 IP
  11. digitalhaven

    digitalhaven Peon

    #11
    Can't you just use cPanel to do that? My cPanel can.
     
    digitalhaven, Jul 22, 2006 IP
  12. EmpyreanZero

    EmpyreanZero Peon

    #12
    How would I link to a file outside the directory root?

    My domain is: example.com
    My full path is: /hsphere/local/home/user1/example.com
    If I try to link to: /hsphere/local/home/user1/file1.xls
    The server just transforms it into: example.com/hsphere/local/home/user1/file1.xls
     
    EmpyreanZero, Aug 12, 2007 IP