RE: [PHP] How to keep unauthorized viewers out
Correction:

Inside X.php, you have some authentication code. Maybe something simple as:

    <?php
    if (!$valid) {
        // redirect to story.php?storynum=X
    }
    // rest of article follows
    ?>

-Ben

-Original Message-
From: Benjamin Munoz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 4:20 PM
To: 'Miles Thompson'; [EMAIL PROTECTED]
Subject: RE: [PHP] How to keep unauthorized viewers out

Miles,

If you can save 2.htm as 2.php, use some authentication code.

Story.php becomes

    <?php
    include "auth.inc";
    include "header.inc";
    include $storynum.".php";
    include "footer.inc";
    ?>

Inside X.php, you have some authentication code. Maybe something simple as:

    <?php
    if ($valid) {
        // redirect to story.php?storynum=X
    }
    // rest of article follows
    ?>

Inside story.php, set $valid to true

    <?php
    $valid = TRUE;
    ?>

Now accessing 2.php directly means that $valid is valid and you'll be redirected to story.php.

Another option is to place all stories x.php into a story directory and restrict access to this directory using Apache configuration directives.

-Ben

-Original Message-
From: Miles Thompson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 3:49 PM
To: [EMAIL PROTECTED]
Subject: [PHP] How to keep unauthorized viewers out

I'm using a pretty simple linking system for a subscription-based newsletter site. Stories and articles are in straight html files, reached by links from the front page.

Clicking on a link passes a story number. So the second story on the index page would have this link:

    <A HREF="./story.php?storynum=2">

and story.php consists of just these lines:

    <?php
    include "auth.inc" ;
    include "header.inc" ;
    include $storynum.".htm" ;
    include "footer.inc" ;
    ?>

If someone comes in the "right way", through the index page, they will have to be authenticated, then the header, article and page footer are displayed.

There's nothing, however, to stop someone from typing an URL like this:

    http://www.somepub.ca/2.htm

and seeing the article. I assume they could also come in that way via a search engine.

Any suggestions on how to stop that? Resources I should look at? I do want to keep the stories in straight html as the editor is struggling now with basic layout, etc.

Regards - Miles Thompson

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Re: [PHP] How to keep unauthorized viewers out
I would put it in the subsequent include page.

    if($PHP_AUTH_USER) {
        includes();
    } else {
        print("You are not authorized to view this page");
    }

---
.:: Nathan Cook                  - Network/Security Admin
    office: 208.343.3110         - Web Programmer
    email: [EMAIL PROTECTED]     - Qmail Admin
    pager: 208.387.9983          - MIS Admin
---

- Original Message -
From: "Miles Thompson" [EMAIL PROTECTED]
To: "Nathan Cook" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, January 16, 2001 5:13 PM
Subject: Re: [PHP] How to keep unauthorized viewers out

Nathan,

Thanks for your reply ...

At 04:53 PM 01/16/2001 -0700, Nathan Cook wrote:
> how do they authenticate? VIA http or a subsequent page?

HTTP authentication, using Header("WWW-authenticate: basic realm=\"Business Today\"")

> Whichever it is, there are variables associated with each check for those variables before loading.

Yes I'm using $PHP_AUTH_USER and $PHP_AUTH_PW. But I can only check for those within a script, not in a straight HTML page. (Although I suppose I could change all the page extensions to .php and put a check for these var's at the very top and redirect to the login script if they are not present.)

Alternately, I suppose I could create a session ID, following a successful login. I really don't want to invoke .htaccess.

Miles

---
.:: Nathan Cook                  - Network/Security Admin
    office: 208.343.3110         - Web Programmer
    email: [EMAIL PROTECTED]     - Qmail Admin
    pager: 208.387.9983          - MIS Admin
---

- Original Message -
From: "Miles Thompson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, January 16, 2001 4:49 PM
Subject: [PHP] How to keep unauthorized viewers out

I'm using a pretty simple linking system for a subscription-based newsletter site. Stories and articles are in straight html files, reached by links from the front page.

Clicking on a link passes a story number. So the second story on the index page would have this link:

    <A HREF="./story.php?storynum=2">

and story.php consists of just these lines:

    <?php
    include "auth.inc" ;
    include "header.inc" ;
    include $storynum.".htm" ;
    include "footer.inc" ;
    ?>

If someone comes in the "right way", through the index page, they will have to be authenticated, then the header, article and page footer are displayed.

There's nothing, however, to stop someone from typing an URL like this:

    http://www.somepub.ca/2.htm

and seeing the article. I assume they could also come in that way via a search engine.

Any suggestions on how to stop that? Resources I should look at? I do want to keep the stories in straight html as the editor is struggling now with basic layout, etc.

Regards - Miles Thompson

RE: [PHP] How to keep unauthorized viewers out
A dummy idea:

in story.php you put a key in:

    <?php
    include "auth.inc" ;
    include "header.inc" ;
    unset($key);
    $key = 'BHEKFBSA"IjsjbdshlycgewypH:*:YEWCnbms';
    include $storynum.".htm" ;
    include "footer.inc" ;
    ?>

then key.php will have this:

    if ($key != 'BHEKFBSA"IjsjbdshlycgewypH:*:YEWCnbms')
        exit;

then in every file you wish to protect include key.php and the articles will show up only in case it was included, or someone knew what to type in the URL...

another idea, might not be suitable for you, but would be much smarter: is to pass-protect the directory with articles (it HAS to be a different directory from the story.php). The article will then be still shown under the password or when only included by PHP...

there's a whole bunch of ways to do what you're asking ...

Cheers,
Maxim Maletsky

-Original Message-
From: Miles Thompson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 17, 2001 8:49 AM
To: [EMAIL PROTECTED]
Subject: [PHP] How to keep unauthorized viewers out

I'm using a pretty simple linking system for a subscription-based newsletter site. Stories and articles are in straight html files, reached by links from the front page.

Clicking on a link passes a story number. So the second story on the index page would have this link:

    <A HREF="./story.php?storynum=2">

and story.php consists of just these lines:

    <?php
    include "auth.inc" ;
    include "header.inc" ;
    include $storynum.".htm" ;
    include "footer.inc" ;
    ?>

If someone comes in the "right way", through the index page, they will have to be authenticated, then the header, article and page footer are displayed.

There's nothing, however, to stop someone from typing an URL like this:

    http://www.somepub.ca/2.htm

and seeing the article. I assume they could also come in that way via a search engine.

Any suggestions on how to stop that? Resources I should look at? I do want to keep the stories in straight html as the editor is struggling now with basic layout, etc.

Regards - Miles Thompson
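
The option raised in both Ben's and Maxim's replies (keep the articles in their own directory that visitors cannot fetch directly) can look like the following. This is an added example, not code from the thread: the directory outside the web root (STORY_DIR), the subscriber_ok() check and its sample account are assumptions, and it reads PHP_AUTH_USER and storynum through $_SERVER and $_GET.

```php
<?php
// story.php: added example, not code from the thread.
// Assumption: the .htm articles sit outside the web root, so /2.htm maps to no file.
const STORY_DIR = '/var/www/private/stories';   // hypothetical path

// Hypothetical subscriber check; a real site would look up stored password hashes.
function subscriber_ok(string $user, string $pass): bool
{
    // Constructed sample account: user "demo", password "demo-pass".
    $accounts = ['demo' => password_hash('demo-pass', PASSWORD_DEFAULT)];
    return isset($accounts[$user]) && password_verify($pass, $accounts[$user]);
}

// Accept digits only, so the value from the URL can name nothing
// except STORY_DIR/<number>.htm.
function story_path($storynum): ?string
{
    if (!is_string($storynum) || !ctype_digit($storynum) || strlen($storynum) > 6) {
        return null;
    }
    $path = STORY_DIR . '/' . $storynum . '.htm';
    return is_file($path) ? $path : null;
}

// HTTP Basic authentication, as in the thread; PHP fills in these two values.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!subscriber_ok($user, $pass)) {
    header('WWW-Authenticate: Basic realm="Business Today"');
    http_response_code(401);
    exit('You are not authorized to view this page');
}

$path = story_path($_GET['storynum'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('No such story');
}

include 'header.inc';
readfile($path);   // plain HTML is sent as data, not executed as PHP
include 'footer.inc';
```

The editor keeps working on plain .htm files; only their location changes.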