protect directory php script
hi guys, i have a site which is protected using php and stored username and passwords in mysql database. is there a script which will protect a directory and run off the mysql database username and password as opposed to just a standard htaccess file? help urgently need for this site. thanks
- 7 Contributors
- 12 Replies
- 5K Views
- 4 Years Discussion Span
- Latest Post 7 Years Ago Latest Post by Renu_5
Recommended Answers Collapse Answers
Use .htaccess to direct everything to the PHP file. Validate and then display the folder contents using the PHP file.
Hi mrhankey,
Are you able to move the location of the folder to somewhere above the root level? This way the folder will not be accessible via a browser but your scripts can still access them.
here is a really great script to protect your directory. you can change the
$LOGIN_INFORMATION array to read in all of your records from your db or at least authenticate against that instead of an internally stored list in the script. anyway, I have used this for over a year …
All 12 Replies
Use .htaccess to direct everything to the PHP file. Validate and then display the folder contents using the PHP file.
thanks however my hosting company does not have the mysql auth module installed for htaccess so htaccess is out the question. i need a script that can protect the directory. it has images and pdf’s inside it. any help please?
Hi mrhankey, Are you able to move the location of the folder to somewhere above the root level? This way the folder will not be accessible via a browser but your scripts can still access them.
here is a really great script to protect your directory. you can change the
$LOGIN_INFORMATION array to read in all of your records from your db or at least authenticate against that instead of an internally stored list in the script. anyway, I have used this for over a year and never had any problems with it. you just include the script on the page you want to protect.
" data-bs-template=" ">http://www.zubrag.com/scripts/ for updates ############################################################### # # Usage: # Set usernames / passwords below between SETTINGS START and SETTINGS END. # Open it in browser with "help" parameter to get the code # to add to all files being protected. # Example: password_protect.php?help # Include protection string which it gave you into every file that needs to be protected # # Add following HTML code to your page where you want to have logout link # http://www.example.com/path/to/protected/page.php?logout=1">Logout # ############################################################### /* ------------------------------------------------------------------- SAMPLE if you only want to request login and password on login form. Each row represents different user. $LOGIN_INFORMATION = array( 'zubrag' => 'root', 'test' => 'testpass', 'admin' => 'passwd' ); -------------------------------------------------------------------- SAMPLE if you only want to request only password on login form. Note: only passwords are listed $LOGIN_INFORMATION = array( 'root', 'testpass', 'passwd' ); -------------------------------------------------------------------- */ ################################################################## # SETTINGS START ################################################################## // Add login/password pairs below, like described above // fill in the Login_information with the users and passwords from your database. // NOTE: all rows except last must have comma "," at the end of line $LOGIN_INFORMATION = array( 'notadmin' => 'notadmin', 'admin' => 'admin' ); // request login? true - show login and password boxes, false - password box only define('USE_USERNAME', true); // User will be redirected to this page after logout define('LOGOUT_URL', 'http://beatricedailysun.com/app/bwoty/'); // time out after NN minutes of inactivity. Set to 0 to not timeout define('TIMEOUT_MINUTES', 0); // This parameter is only useful when TIMEOUT_MINUTES is not zero // true - timeout time from last activity, false - timeout time from login define('TIMEOUT_CHECK_ACTIVITY', true); ################################################################## # SETTINGS END ################################################################## /////////////////////////////////////////////////////// // do not change code below /////////////////////////////////////////////////////// // show usage example if(isset($_GET['help'])) < die('Include following code into every page you would like to protect, at the very beginning (first line):
<?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?>'); > // timeout in seconds $timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60); // logout? if(isset($_GET['logout'])) < setcookie("verify", '', $timeout, '/'); // clear password; header('Location: ' . LOGOUT_URL); exit(); >if(!function_exists('showLoginPasswordProtect')) < // show login form function showLoginPasswordProtect($error_msg) < ?> input
" data-bs-template=" ">http://www.zubrag.com/scripts/password-protect.php" title="Download Password Protector">Powered by Password Protect > // user provided password if (isset($_POST['access_password'])) < $login = isset($_POST['access_login']) ? $_POST['access_login'] : ''; $pass = $_POST['access_password']; if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION) || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) ) ) < showLoginPasswordProtect("Incorrect password."); >else < // set cookie if password was validated setcookie("verify", md5($login.'%'.$pass), $timeout, '/'); // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed // So need to clear password protector variables unset($_POST['access_login']); unset($_POST['access_password']); unset($_POST['Submit']); >> else < // check if password cookie is set if (!isset($_COOKIE['verify'])) < showLoginPasswordProtect(""); >// check if cookie is good $found = false; foreach($LOGIN_INFORMATION as $key=>$val) < $lp = (USE_USERNAME ? $key : '') .'%'.$val; if ($_COOKIE['verify'] == md5($lp)) < $found = true; // prolong timeout if (TIMEOUT_CHECK_ACTIVITY) < setcookie("verify", md5($lp), $timeout, '/'); >break; > > if (!$found) < showLoginPasswordProtect(""); >> ?>README
PHP ACL (Access Control List) is a service that allows you to protect/enable functionality based on the current user’s assigned role(s), and those role(s) permissions (abilities). So, if the current user has a «moderator» role, and a moderator can «ban_users», then the current user can «ban_users».
Documentation
MikeMcLin\Acl|Acl methods
resume()
Restore data from storage.
Returns
boolean — true if web storage existed, false if it didn’t
attachRole(role)
Attach a role to the current user. A user can have multiple roles.
Parameters
detachRole(role)
Remove a role from the current user
Parameters
flushRoles()
Remove all roles from current user
hasRole(role)
Check if the current user has role attached
Returns
setAbilities(abilities)
Set the abilities object (overwriting previous abilities).
Parameters
| Param | Type | Details |
|---|---|---|
| abilities | object | Each property on the abilities object should be a role. Each role should have a value of an array. The array should contain a list of all of the role’s abilities. |
Example
var abilities = (object)[ guest: ['login'], user: ['logout', 'view_content'], admin: ['logout', 'view_content', 'manage_content'] ] setAbilities(abilities);
addAbility(role, ability)
Parameters
| Param | Type | Example | Details |
|---|---|---|---|
| role | string | «admin» | The role label |
| ability | string | «create_users» | The ability/permission label |
can(ability)
Does current user have permission to do the given ability?
Returns
Example
// Setup some abilities $acl->addAbility('moderator', 'ban_users'); $acl->addAbility('admin', 'create_users'); // Add moderator role to the current user $acl->attachRole('moderator'); // Check if the current user has these permissions $acl->can('ban_users'); // returns true $acl->can('create_users'); // returns false
License
Angular ACL Copyright (c) 2015 Mike McLin
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the «Software»), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.