Hello, I am trying to password protect a website that I am making, and have successfully done so using Zubrag's password protect script. I want to slightly modify the script so that depending on what password a user enters, a different version of the site will be displayed. My knowledge of PHP (unfortunately) is fairly limited; I can decipher code and write a little, but cannot work out how to successfully implement what I want to achieve. From Zubrag's script I do not use a username, simply a password. This is the script I currently use for logging in to the website, which works successfully.

```php
<?php
###############################################################
# Page Password Protect 2.13
###############################################################
# Visit http://www.zubrag.com/scripts/ for updates
###############################################################
#
# Usage:
# Set usernames / passwords below between SETTINGS START and SETTINGS END.
# Open it in browser with "help" parameter to get the code
# to add to all files being protected.
#    Example: password_protect.php?help
# Include protection string which it gave you into every file that needs to be protected
#
# Add following HTML code to your page where you want to have logout link
# <a href="http://www.example.com/path/to/protected/page.php?logout=1">Logout</a>
#
###############################################################

/*
-------------------------------------------------------------------
SAMPLE if you only want to request login and password on login form.
Each row represents different user.

$LOGIN_INFORMATION = array(
  'zubrag' => 'root',
  'test' => 'testpass',
  'admin' => 'passwd'
);

--------------------------------------------------------------------
SAMPLE if you only want to request only password on login form.
Note: only passwords are listed

$LOGIN_INFORMATION = array(
  'root',
  'testpass',
  'passwd'
);

--------------------------------------------------------------------
*/

##################################################################
#  SETTINGS START
##################################################################

// Add login/password pairs below, like described above
// NOTE: all rows except last must have comma "," at the end of line
$LOGIN_INFORMATION = array(
  'password1',
  'password2'
);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', false);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://www.example.com/');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 10);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);

##################################################################
#  SETTINGS END
##################################################################


///////////////////////////////////////////////////////
// do not change code below
///////////////////////////////////////////////////////

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="CACHE-CONTROL" content="NO-CACHE">
<meta http-equiv="PRAGMA" content="NO-CACHE">
<meta name="robots" content="noindex" />
<title>page</title>
<link href="style.css" rel="stylesheet" type="text/css" />
<link href="fonts.css" rel="stylesheet" type="text/css" />
<link href="scripts/style.css" rel="stylesheet" type="text/css" />
<link href="scripts/fonts.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="errorholder">
<h1>veuillez entrer le mot de passe <br/> pour acceder a ce site</h1><br/>
<form name="form" method="post">
<p class="bluetext"><?php echo $error_msg; ?> </p>
<input type="password" title="password" name="access_password" /></p><br/>
<p><input type="submit" name="submit" value="Valider" /></p>
</form>
</div>
</body>
</html>
<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) )
  ) {
    showLoginPasswordProtect("Saisie incorrecte");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');

    // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
    // So need to clear password protector variables
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == md5($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
  }

}

?>
```

This PHP script is accessed from an include at the top of home.php, and the password is entered from my index.html, which has a form with an action of 'home.php'. From what I can gather I need to include some conditional statements so that depending on what password is entered, something else will happen. I think the code below should work, however I have no idea how or where to include it.

```php
switch($result2)[0]{
case $_POST='password1':
header("location: home1.php");
break;
case $_POST='password2':
header("location: home2.php");
break;
}
}else {
//Login failed
header("location: login-failed.php");
exit();
}
}
```

I know it is a big ask, but if anyone can point me in the right direction I would be ever so grateful!

Kind regards
Matt
Rather than use the header("location: ") type stuff, I'd suggest using require(file location) or include(file location), and hiding the hidden files in a protected directory. That way it is much harder for someone to just go to /home1.php and see your protected stuff. Do like /protected/ and then do some .htaccess rules to protect it with an obscenely long password, then allow PHP to call the scripts from the require() or include() functions, thus protecting your stuff a lot more. Also, this should work better than your switch function to protect files. If you aren't storing the passwords in a db and want to just switch the protected file via password, use this:

```php
if ($_POST['password'] == 'password1') {
    require('protected/home1.php');
} elseif ($_POST['password'] == 'password2') {
    require('protected/home2.php');
} else {
    require('protected/login-failed.php');
}
```
At least hash the passwords, so the code would be more like

```php
if(openssl_digest($_POST['password'], 'sha512') == '416b1861951170e1f6eb6543b0dd3d4f1994ce8da7cd82061513d3ddd1dd81111f4ada5caf6421f1d17425c6f29bdb4a95cf84df9eda4164f5a762acbb490a68') {
```

Then at least if someone did manage to get your file, they wouldn't get your password. The password you have to enter isn't that long string - the string is the sha512 hash of the password. (The password in this case was 'glop' and there's no way to get that from the hash.)
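Added example, not part of the original thread or of zubrag's script: the two replies above combined (pages pulled in with require from a protected directory, passwords stored only as hashes), using PHP's built-in salted `password_hash()`/`password_verify()` in place of a bare digest. The passwords, the `home1.php`/`home2.php` mapping and the `protected/` directory are constructed assumptions.

```php
<?php
// Added example, not zubrag's code. Passwords and file names are constructed.

// Return the protected file mapped to $password, or null if nothing matches.
// $table maps a password_hash() string to a file name inside $dir.
function selectProtectedPage(string $password, array $table, string $dir): ?string
{
    $match = null;
    foreach ($table as $hash => $file) {
        // password_verify() re-derives the salted hash and compares in constant time.
        if (password_verify($password, $hash)) {
            $match = $file; // no early break: every entry is always checked
        }
    }
    // The file name comes from our own table only, never from the request.
    return $match === null ? null : $dir . '/' . basename($match);
}

// Deployment: run password_hash() once per password and paste only the resulting
// hashes here. They are computed at run time only to keep this demo self-contained.
$table = [
    password_hash('constructed-pass-1', PASSWORD_DEFAULT) => 'home1.php',
    password_hash('constructed-pass-2', PASSWORD_DEFAULT) => 'home2.php',
];
$protectedDir = __DIR__ . '/protected'; // assumption: not reachable by URL

if (PHP_SAPI === 'cli') {
    // Offline check with constructed input.
    foreach (['constructed-pass-1', 'constructed-pass-2', 'wrong'] as $try) {
        echo $try, ' => ', selectProtectedPage($try, $table, $protectedDir) ?? 'login failed', PHP_EOL;
    }
    exit;
}

session_start();
$submitted = $_POST['access_password'] ?? null; // field name from the login form above
if (is_string($submitted)) {
    $page = selectProtectedPage($submitted, $table, $protectedDir);
    if ($page !== null) {
        session_regenerate_id(true); // fresh session id after a successful login
        $_SESSION['page'] = $page;   // server-side state; no password hash in a cookie
    }
}
if (isset($_SESSION['page'])) {
    require $_SESSION['page'];
} else {
    http_response_code(401);
    echo 'Saisie incorrecte';
}
```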
There is a simpler way to protect a website with a password.

In .htaccess:

In .htpasswd:

Where 129ac742a72d2cca7fcadd5f9ba6745a is an md5-hash of your password.