Old 08-11-2006, 04:03   #1 (permalink)
captain caveman
Registered User
 
Join Date: Jun 2006
Posts: 44
php login script

I have a quick question...

I've got a webcam set up which uploads images via ftp to my site, however I need the page which displays this to be password protected.
I've used a simple login script:
Code:
<body>
<?php
// Define your username and password
$username = "user1";
$password = "pass1";

if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) {
?>
<p>
<br />
<h4>T&T Communications Workshop Camera Login</h4>
</p>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<div align="center">
<center>
<table border="0" cellpadding="5" cellspacing="0">
<tr>
<td><p>Username</p>
</td>
<td><input class="password" type="text" title="Enter your Username" name="txtUsername" /></td>
</tr>
<tr>
<td><p>Password</p>
</td>
<td><input class="password" type="password" title="Enter your password" name="txtPassword" /></td>
</tr>
</table>
</center>
</div>
<p align="center"><input type="submit" name="Submit" value="Login" /></p>
</form>
<?php
} else {
?>
HTML GOES HERE
<?php
}
?>
</body>

It's quite important that this is very secure - my question is, how secure would this be? I'm guessing not hugely...

If so, has anybody got any suggestions of how to improve the security (preferably without a great deal of work or expense!)?

Thanks.
Old 08-11-2006, 04:18   #2 (permalink)
cam
vague™
 
Join Date: Mar 2004
Location: Glasgow
Posts: 5,365
Why not just use HTTP auth? That's what it's there for after all.

Quick google turned up this little tutorial.
Old 08-11-2006, 08:01   #3 (permalink)
captain caveman
Registered User
 
Join Date: Jun 2006
Posts: 44
Ok will try that, thanks.
Old 08-11-2006, 10:20   #4 (permalink)
captain caveman
Registered User
 
Join Date: Jun 2006
Posts: 44
Unfortunately my web hosting provider doesn't seem to be allowing .htaccess (don't fully understand why as it's not been me dealing with them). Does anybody have any other ideas?

Also can anybody explain what are the actual security issues involved with my previous php password protection?
Old 10-11-2006, 10:23   #5 (permalink)
karnetics
Registered User
 
Join Date: Nov 2006
Posts: 7
PHP Code:
<?php
//this would be the path to your login script
$GoToLoginScript = ''; // placeholder: put the path to your login script here

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

//Place your username & password in a separate file 
//then use require() function to include it into your 
//loginscript file.  If an attacker grabs your loginscript file
//they will still have to dig for your username & password.

// Define your username and password

//first check to make sure our fields are not empty
//if your fields are empty, set $error = "Your error message"
//echo $error;


//Then your check to see if the username and password match 
//if username & password != $username & $password
//set $error and echo it.
//else goto main page.
//use header(); to go to main page

//make sure you use @ signs at the beginning of your vars, example: @$error,
//it turns off error messages, preventing people from seeing the location of your file and script name.

}
?>
<p>
<br />
<h4>T&T Communications Workshop Camera Login</h4>
</p>
<form name="form" method="post" action="<?php echo $GoToLoginScript; ?>">
<div align="center">
<center>
<table border="0" cellpadding="5" cellspacing="0">
<tr>
<td><p>Username</p>
</td>
<td><input class="password" type="text" title="Enter your Username" name="txtUsername" /></td>
</tr>
<tr>
<td><p>Password</p>
</td>
<td><input class="password" type="password" title="Enter your password" name="txtPassword" /></td>
</tr>
</table>
</center>
</div>
<p align="center"><input type="submit" name="Submit" value="Login" /></p>
</form>
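
Added example (not code from any poster in this thread): a session-based rework of the login page from post #1, addressing weaknesses visible in that script: the plaintext password in the source, the loose `!=` comparison, `PHP_SELF` echoed unescaped into the form, and no login state beyond the single POST. It assumes PHP 7.3 or later served over HTTPS; `CAM_USER`, `CAM_HASH`, `credentials_ok` and `cam_auth` are names chosen for the example, and the hash value is a placeholder.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ over HTTPS.
declare(strict_types=1);

// Session cookie: not readable by scripts, HTTPS only, not sent cross-site.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

// Store a hash, not the password. Generate it once on the command line with
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT);'
const CAM_USER = 'user1';
const CAM_HASH = 'PASTE_PASSWORD_HASH_HERE'; // placeholder, not a real hash

function credentials_ok($user, $pass): bool
{
    // A request can send txtPassword[]=x, which arrives as an array.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // Run both checks so the response time does not show which one failed.
    $userOk = hash_equals(CAM_USER, $user);
    $passOk = password_verify($pass, CAM_HASH);
    return $userOk && $passOk;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && credentials_ok($_POST['txtUsername'] ?? null, $_POST['txtPassword'] ?? null)) {
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['cam_auth'] = true;
    // Redirect so reloading the page does not resubmit the credentials.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

if (empty($_SESSION['cam_auth'])) {
    // SCRIPT_NAME excludes any extra path the visitor appended; escape it anyway.
    $self = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    ?>
    <form method="post" action="<?= $self ?>">
      <p>Username <input type="text" name="txtUsername" /></p>
      <p>Password <input type="password" name="txtPassword" /></p>
      <p><input type="submit" value="Login" /></p>
    </form>
    <?php
    exit;
}
?>
HTML GOES HERE
```

Until the placeholder is replaced with real `password_hash()` output, `password_verify()` returns false and every login is refused.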