开发者

deny http access to the directory, but allow internal server access

First off I want to start off saying that I don't know anything about PHP so I would appreciate all the help I can get. So I have a website hosted on godaddy where I upload files for my clients. With the help of a friend I made a simple login system with usernames and passwords. The problem is that although the websites can't be accessed without inputting the username and password, the files suchs as .jpg can be accessed by directly inputting the full link in the browser. I want it to be so that the only way the files are accessed through the user webpage. Also I want each user to be able to access only their own files and not the others. So here is my code and if there are any additional changes that need to be made to avoid hacking I will greatly appreciate the input.

index.php file code for the form that is being used to input username and password:

<form name="form1" method="post" action="checklogin.php">
            <div class="lefts">
            <p>Login:</p>
            <p>Password:</p>
            </div>

            <div>
            <input name="myusername" type="text" id="myusername" />
            <input name="mypassword" type="password" id="mypassword" />
            </div>

        <div><input type="image" name="Submit" id="submit" value="Login" src="images/submitOff.png" /></div>
</form>

checklogin.php: (if correct username and password is entered, it goes to the username webpage. if not it goes to the wrong username or password webpage

<?php
ob_start();
session_start();
$host="hostname"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="dbnamey"; // Database name
$tbl_name="tablename"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT username FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

//returns false if no results returned
$row = mysql_fetch_row($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($row){
// Register $myusername, $mypassword and redirect to file
$_SESSION["myusername"] = $myusername;
$_SESSION["mypassword"] = $mypassword;
$myPage = $myusername.".php";
$_SESSION["myPage"] = $myPage;

header("location:".$myPage);
}
else {
hea开发者_如何学编程der("location:index2.php");
}

ob_end_flush();
?>

username1.php: (webapge for user that contains files)

<?
session_start();
if(
//!session_is_registered(myusername)
    !isset($_SESSION["myusername"]) ||
    $_SESSION["myPage"] != basename($_SERVER['REQUEST_URI'])
){
header("location:index.php");
}
?>

<html>
//content that consist of links to the files
<a href="ready/username1/file.png">Png 1</a>
</html>


The security of this script is very bad. You aren't hashing passwords. The header() allows you to add an element to the HTTP response header. THE SCRIPT STILL EXECUTES., you are not preventing access to anything. Furhter more, mysql_real_escape_string() does everything that addslashes() does and more. Doing both just tells people that you don't know what either of them does. You must start using parametrized quires with ADODB or the PDO libraries.

Use an .htaccess file to prevent accesss

Order deny, allow
Deny from all
Allow from localhost
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜