Sunday, 15 March 2015

html - How to prevent user from bypassing php authentication -


We call it html1 for simplicity.

When a user goes to html1, a login2.php login page is a hidden page to enable access to Client.php.

This then goes to checklogin.php ... if matches the password and username ... then it goes to the hidden client php page ... if not..this on the homepage Goes back.

The user has to be able to see the contents of the hidden client.fp page.

However the user can type in address.php .... client.php at / address.php ... so bypassing the eighth page and rendering it useless. I can just type servername / client.php ... and it still shows me the contents of client.php ... but i want client.php ... be private!

How

Thanks

The first login page ... 

  & lt; Html & gt; & Lt; Top & gt; & Lt; Title & gt; Admission form & lt; / Title & gt; & Lt; / Head & gt; & Lt; Body & gt; & Lt; H2 & gt; Admission form & lt; / H2 & gt; & Lt; Table & gt; & Lt; Form method = "post" action = "checklogin2.php" & gt; & Lt; Div id = "name" & gt; User ID: & lt; Input type = "text" name = "****" & gt; & Lt; / Div & gt; & Lt; Div id = "password" & gt; Password: & lt; Input type = "password" name = "*******" & gt; & Lt; / Div & gt; & Lt; Div class = "button" & gt; & Lt; Input type = "submit" value = "login" & gt; & Lt; / Div & gt; & Lt; / Form & gt; & Lt; / Table & gt; & Lt; / Body & gt; & Lt; / Html & gt;

Then it gets ... checklogin2.php

Then it goes ... safepage.php 

   
 
 At the beginning of each of your pages you will need to check whether the user is authorized or not. 
 
  checklogin.php  if the user has entered the correct login and password, just set something 
 
  $ _ session ['authorized' ] = True; Just check that the user is authorized:  
  if (isset ($ _ session ['authorized']) and < Amp;; $ _SESSION ['Authorized'] === true) {// OK, let's show all the hidden functionality! Echo "Psst! Hey! Want to buy some weed?"; } Else {// User is not authorized! Header ('location: login.php'); Go out(); }  
 
 Note that you do not need to mess with cookies, session IDs etc. - just add  session_start ()  before everything else and freely < Use code> $ _SESSION  var 
 
 This is the main supporter of sessions (and especially  $ _ session  variables): You can remember  some data between different pages on the same website.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)