php instead of htaccess

I’m new to programming, and have been working with htaccess to secure a directory of mine. File access and that works fine, but I was trying to use the USER:[email protected] format to pass the user login info from a form to the htaccess page to eliminate the popup box.

Unfortunately I cannot get this to work with explorer6 or explorer7. I have tried on two different machines. It works fine with netscape. Explorer returns either “windows can not find … check the spelling and try again.” The other minor problem I am having is the redirect if the incorrect login info is entered 3 times. It directs to the correct page I have set in htaccess, but it seems the page only loads partially, then the popup box comes back. Hit cancel, it loads a little more, then the popup box comes back… it keeps doing this until the page loads completely.

Anyhow…

I would prefer to use mysql database to store user id and pw and use php to access this info. How can I secure my directory with php instead of htaccess?

the problem with using the user@url with some browsers is a known issue.

it was added as a security feature, as a lot of phishing mails use this to make a url look different:

http://[email protected]/rebui … r-pass.php

about using php to do the login:

basically u need a table with an id, the username and the password (maybe md5 encoded).
then u have to make a html-form to enter the username and password.
and then u need sessions to keep the user info.

i would use an include file doing all of this, being included on every page.
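[php]
session_start();
$loggin_error = '';

// u may put a logout link somewhere (index.php?logout=logout)
// check if logging out
if (isset($_GET['logout']))
{
    // drop the stored user so the session is really ended
    $_SESSION = array();
    session_destroy();
    die(
        '<html><head>'
        .'<title>Logout</title>'
        .'</head><body>'
        .'<p>logout successful</p>'
        .'<p><a href="index.php">back to the homepage</a></p>'
        .'</body>'
        .'</html>'
    );
}

// check if logged in
if (isset($_SESSION['user'])) { return; }

// check if form submitted
if (isset($_POST['username']) && isset($_POST['password']))
{
    // establish the mysql connection
    // (the mysql_* functions need the old mysql extension, removed in PHP 7)
    mysql_connect(/* host, user, pass */) or die(mysql_error());
    mysql_select_db(/* database */) or die(mysql_error());

    // check user and pass
    if (@mysql_fetch_assoc(@mysql_query('SELECT * FROM users WHERE user="'.mysql_real_escape_string($_POST['username']).'" AND pass="'.md5($_POST['password']).'"')))
    {
        $_SESSION['user'] = $_POST['username'];
        return;
    }
    else $loggin_error = 'login failed';
}

// if not already logged in or wrong username or wrong password display login form:
die(
    '<html><head>'
    .'<title>Login</title>'
    .'</head><body>'
    .'<form method="post">'
    .'<p>'.$loggin_error.'</p>'
    .'<p>username: <input type="text" name="username"></p>'
    .'<p>password: <input type="password" name="password"></p>'
    .'<p><input type="submit" value="Login"></p>'
    .'</form>'
    .'</body>'
    .'</html>'
);
[/php]

modify it so that it will work for u (i haven’t tried to run it)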

if u include it at the top of ur pages they will never be executed/displayed without logging in (because of the die)
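An added example, not part of the post above and not the poster's code: the same include-on-every-page gate written with PDO prepared statements and password_hash()/password_verify() in place of the mysql_* functions and md5. It assumes the `pass` column of the `users` table holds password_hash() output; the DSN values and index.php are placeholders.

```php
<?php
// Added example: session login gate, meant to be included at the top of every protected page.
// Assumes users.pass stores password_hash() output; DB_HOST, DB_NAME, DB_USER, DB_PASS are placeholders.
session_start();

function try_login(PDO $db, string $user, string $password): bool
{
    // Prepared statement: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when no such user
    // password_verify() checks the password against the salted hash.
    if (!is_string($hash) || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);           // fresh session id after login (anti-fixation)
    $_SESSION['user'] = $user;
    return true;
}

if (isset($_GET['logout'])) {
    $_SESSION = [];                        // forget the user, then end the session
    session_destroy();
    header('Location: index.php');
    exit;
}

if (isset($_SESSION['user'])) {
    return;                                // logged in: hand control back to the including page
}

$error = '';
if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {
    $db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if (try_login($db, $_POST['username'], $_POST['password'])) {
        return;
    }
    $error = 'Login failed';
}

// Not logged in: show the form and stop, so the protected page below never runs.
exit('<form method="post"><p>' . htmlspecialchars($error) . '</p>'
    . '<p>username: <input type="text" name="username"></p>'
    . '<p>password: <input type="password" name="password"></p>'
    . '<p><input type="submit" value="Login"></p></form>');
```

Load it with `require_once` at the top of each protected page; files the web server hands out directly, such as plain .html, are not covered by it.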

Thanks for the reply.

I currently have registration form which stores various user information in mysql data file. I will be using their last name as the ID and of course some password of their choosing.

I just need to figure out how to go about securing html and php files within my private directory. And allowing only those registered users to enter using their ID and PW. By the way, none of this data is critical or top secret. I just want to be able to provide certain information to members only.

I will look over the code you provided to see if this will help. If you or anyone else has any other suggestions, please feel free.

Thank you again.
