RE: [PHP] How to keep unauthorized viewers out

2001-01-16 Thread Benjamin Munoz


Correction:
Inside X.php, you have some authentication code.  Maybe something as simple as:
<?php
if (!$valid) {
    // redirect to story.php?storynum=X
}
// rest of article follows
?>

-Ben
-Original Message-
From: Benjamin Munoz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 4:20 PM
To: 'Miles Thompson'; [EMAIL PROTECTED]
Subject: RE: [PHP] How to keep unauthorized viewers out


Miles,

If you can save 2.htm as 2.php, use some authentication code.

Story.php becomes
<?php
include "auth.inc";
include "header.inc";
include $storynum.".php";
include "footer.inc";
?>

Inside X.php, you have some authentication code.  Maybe something as simple as:
<?php
if ($valid) {
    // redirect to story.php?storynum=X
}
// rest of article follows
?>

Inside story.php, set $valid to true
<?php
$valid = TRUE;
?>

Now accessing 2.php directly means that $valid is valid and you'll be
redirected to story.php.

Another option is to place all stories x.php into a story directory and
restrict access to this directory using Apache configuration directives.

-Ben

-Original Message-
From: Miles Thompson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 16, 2001 3:49 PM
To: [EMAIL PROTECTED]
Subject: [PHP] How to keep unauthorized viewers out


I'm using a pretty simple linking system for a subscription-based 
newsletter site.

Stories and articles are in straight html files, reached by links from the 
front page. Clicking on a link passes a story number. So the second story 
on the index page would have this link: <A HREF="./story.php?storynum=2">

and story.php consists of just these lines:

<?php include "auth.inc" ;
include "header.inc" ;
include $storynum.".htm" ;
include "footer.inc" ;
?>

If someone comes in the "right way", through the index page, they will have 
to be authenticated, then the header, article and page footer are displayed.

There's nothing, however, to stop someone from typing an URL like this:
http://www.somepub.ca/2.htm and seeing the article. I assume they could 
also come in that way via a search engine.

Any suggestions on how to stop that? Resources I should look at? I do want 
to keep the stories in straight html as the editor is struggling now with 
basic layout, etc.

Regards - Miles Thompson



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]





Re: [PHP] How to keep unauthorized viewers out

2001-01-16 Thread Nathan Cook

I would put it in the subsequent include page.

if ($PHP_AUTH_USER)
{
    includes();
}
else
{
    print("You are not authorized to view this page");
}
---
.:: Nathan Cook- Network/Security Admin
office:  208.343.3110   - Web Programmer
email:   [EMAIL PROTECTED] - Qmail Admin
pager:  208.387.9983   - MIS Admin
---
- Original Message -
From: "Miles Thompson" [EMAIL PROTECTED]
To: "Nathan Cook" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, January 16, 2001 5:13 PM
Subject: Re: [PHP] How to keep unauthorized viewers out


 Nathan,

 Thanks for your reply ...

 At 04:53 PM 01/16/2001 -0700, Nathan Cook wrote:
 how do they authenticate?  VIA http or a subsequent page?

 HTTP authentication, using
   Header("WWW-authenticate: basic realm=\"Business Today\"")

 Whichever it is, there are variables associated with each check for those
 variables before loading.

 Yes I'm using $PHP_AUTH_USER and $PHP_AUTH_PW. But I can only check for
 those within a script, not in a straight HTML page. (Although I suppose I
 could change all the page extensions to .php and put a check for these
 var's at the very top and redirect to  the login script if they are not
 present.)

 Alternately, I suppose I could create a session ID, following a successful
 login. I really don't want to invoke .htaccess.

 Miles





RE: [PHP] How to keep unauthorized viewers out

2001-01-16 Thread Maxim Maletsky

A dummy idea:

in story.php you put a key in:

<?php include "auth.inc" ;
include "header.inc" ;
unset($key);
$key = 'BHEKFBSA"IjsjbdshlycgewypH:*:YEWCnbms';
include $storynum.".htm" ;
include "footer.inc" ;
?>

then key.php will have this:
<?php if ($key != 'BHEKFBSA"IjsjbdshlycgewypH:*:YEWCnbms') exit; ?>

then in every file you wish to protect include key.php and the articles will
show up only in case it was included, or someone knew what to type in the
URL...

another idea, might not be suitable for you, but would be much smarter:
is to pass-protect the directory with articles (it HAS to be a different
directory from the story.php)
the article will then be still shown under the password or when only
included by PHP...

there's a whole bunch of ways to do what you're asking ...

Cheers,
Maxim Maletsky ..
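
The separate-directory suggestion made in the replies above, sketched as an added example (not code from any poster in this thread). It assumes the stories are moved to /var/www/private/stories, a constructed path outside the document root, and that the thread's auth.inc stops the request itself when authentication fails; story_path() is a hypothetical helper.

```php
<?php
// Added example: story.php serving static stories from a directory that
// has no URL of its own, so http://www.somepub.ca/2.htm no longer exists.
// If the files must stay under the document root, deny that directory in
// the Apache configuration instead (Apache 2.4: "Require all denied").

const STORY_DIR = '/var/www/private/stories';  // assumed canonical path

function story_path($raw): ?string
{
    // Only 1-6 decimal digits are accepted. Without this check the
    // request parameter goes straight into a file name, and values with
    // slashes or dots could reach files other than the stories.
    if (!is_string($raw) || preg_match('/\A[0-9]{1,6}\z/', $raw) !== 1) {
        return null;
    }
    // realpath() returns false for a missing file; the prefix comparison
    // rejects a symlink that resolves outside the story directory.
    $path = realpath(STORY_DIR . '/' . $raw . '.htm');
    $root = STORY_DIR . '/';
    if ($path === false || strncmp($path, $root, strlen($root)) !== 0) {
        return null;
    }
    return $path;
}

// require, not include: a missing auth.inc is then a fatal error. With
// include, PHP only warns and carries on, and the story would be served
// without any authentication at all.
require 'auth.inc';

// Read the parameter explicitly rather than relying on register_globals.
$path = story_path($_GET['storynum'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('No such story');
}

include 'header.inc';
readfile($path);   // the story is sent as data, never executed as PHP
include 'footer.inc';
```

The editor keeps writing plain .htm files; only their location changes, and every request for a story passes through auth.inc first.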
