开发者

Password protect a page without db access with php

问答 作者:

Is it possible to password protect a page without db access? I may have only few pages. But I should be able to change pa开发者_Python百科ssword and also save sessions etc. And I want a secure way as it's for production site!

How is it to store in a config.php after md5:

 <?php
 username="admin"; 
 password="1a1dc91c907325c69271ddf0c944bc72";
 ?>

If this is a good idea, is there a way to restrict access to this php from only one script called check.php or something?

Sure, why not? You can use flat files in inaccessible directory (protected by .htaccess or out of the www root) and use that as a database.

Here's a simple login class I've whipped up:

class SimpleLogin {

    private $users;
    private $db = './pass.txt';

    function __construct() {
        $data = file_get_contents($this->db);

        if (!$data) {
           die('Can\'t open db');
        } else {
            $this->users = unserialize($data);
        }
    }

    function save() {
        if (file_put_contents($this->db, serialize($this->users)) === false)
            die('Couldn\'t save data');
    }

    function authenticate($user, $password) {
        return $this->users[$user] == $this->hash($password);
    }

    function addUser($user, $password) {
        $this->users[$user] = $this->hash($password);
        $this->save();
    }

    function removeUser($user) {
        unset($this->users[$user]);
        $this->save();
    }

    function userExists($user) {
        return array_key_exists($user, $this->users);
    }

    function userList() {
        return array_keys($this->users);
    }

    // you can change the hash function and salt here
    function hash($password) {
        $salt = 'jafo2ijr02jfsau02!)U(jf';
        return sha1($password . $salt);
    }

}

NOTE: You really should turn off error reporting if you are going to use this in an actual server. This can be done by calling error_reporting() or by adding '@' in front of file_get_contents and file_put_contents (ie: so it turns into @file_get_contents)

Usage example: http://left4churr.com/login/

You should use .htaccess to do that. You also can protect by .htaccess your sensible php files, with something like :

Order Allow,Deny
Deny from All

You could use HTTP authentication with PHP. Very good examples present in PHP-docu.

Actually a database have nothing to do with password protection.
you can write login and password directly in your script as well as keeping in in the database.

There is no need in restricting access to your php file. Being called over HTTP, it will be just blank page and nothing more.

So, it's all right to store it that way.
Quite enough for the site that even don't use a database.

继续阅读:authenticationdatabasepassword-protectionphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9