On 14/03/13 10:11, Cal Dershowitz wrote:
> Q1) How do I design a website where the binaries aren't there for the
> taking unless php thinks you have done some act of authentication to see
> them?
>
Two standard ways.
1/. put them all in different directories and pop a .htaccess and
password file in each one so that APACHE denies access without a login.
This is pure Apache and nothing to do with PHP at all. If apache is
configured to respect this method the general form is
.htaccess
==========
AuthType Basic
AuthName "My Private Picture access"
AuthUserFile /var/www.mysite.com/this_directory/.htpasswd
Require valid-user
That tells apache to deny unauthorised access, and look in
/var/www.mysite.com/this_directory/.htpasswd
for name:password pairs.
.htpasswd
==========
rufus:OMtQ1VFqr!2dY
This contains a user name and a hashed password and is created using the
htpasswd utility that comes with apache.
http://httpd.apache.org/docs/2.2/programs/htpasswd.html
If you have access to the total apache installation, this is trivial,
less so if you are merely uploading files to someone else's
2/. use cookies (sessions) in (php) via a login page: That essentially
sets a php variable to reflect the user's session. So if the user
attempts to access the page, and he is not logged in, the php should
present him with a login page; name and password are filled in and
submitted to the same page, these are then used to set the cookie, and
all subsequent invocations of that page with the cookie set will allow
access to the directory via the PHP script.
You set and read cookies either using sessions, or directly
e.g.
$_COOKIE["K9PA70634H"]=$cookie;
Cookies are an array of name=>value pairs in PHP global space.
"K9PA70634H" is just an arbitrary string.
As is what's in $cookie... in my application every time a user logs in I
look in a database to see if he has the right password, and if he has,
generate a random cookie and store that in the database. If he comes
back with the cookie still set, then that's a match and access is
seamless. If the cookie has timed out or it's different from that in the
database, he gets to login again.
i.e. a not especially relevant code snippet.. user may have set name and
password in $_POST['name'] and $_POST['password']: $_POST['persistent']
is set if he wants to stay logged in forever..
// nothing is attempted unless the login form actually posted a name and password
if (isset($_POST['name'], $_POST['password']))
{
    $email = '';
    // escape the user-supplied name before it goes into the query
    $name = mysql_real_escape_string($_POST['name']);
    $result = mysql_query(sprintf("select id, password, email from people where familiar='%s'", $name));
    if ($result && mysql_num_rows($result) > 0) // user at least exists
    {
        // the stored value is compared directly with what was typed in
        if ($_POST['password'] != mysql_result($result, 0, 'password'))
        {
            $error = "Incorrect password";
            $email = mysql_result($result, 0, 'email');
            display_login($error, $email);
        }
        else // by golly we have a match!
        {
            // 'yes' only if the stay-logged-in box was ticked; anything else means a session-only cookie
            $persistent = (isset($_POST['persistent']) && $_POST['persistent'] == 'yes') ? 'yes' : 'no';
            $id = mysql_result($result, 0, 'id');
            // generate a cookie and store it and echo it back to the user's browser.
            // randomstring() is the poster's own helper (not shown)
            $cookie = randomstring(10);
            mysql_query(sprintf("update people set cookie='%s', timeout='%s' where id='%d'",
                mysql_real_escape_string($cookie), $persistent, $id));
            // pretend we already HAVE a valid cookie from the browser.. so that
            // when getlogname is called it all 'works' and a new cookie will get issued
            $_COOKIE["K9PA70634H"] = $cookie;
            display_success();
        }
    }
    else
    {
        $error = "No such name is registered";
        display_login($error, $email);
    }
}
So that's how the name password gets stuck in the DB and a cookie is
attached.
This function checks the cookie is valid, and CHANGES IT EVERY TIME THE
USER READS A PAGE.
Additional security so that even if, say, some hacker knows what the
cookie was last time, it won't work if the user has accessed the page again
function getlogname()
{
    global $logname; // system wide for the duration
    $id = 0; // set default of not found
    if (isset($_COOKIE["K9PA70634H"]))
    {
        $cookie = $_COOKIE["K9PA70634H"];
        if (strlen($cookie) > 8)
        {
            // escape the cookie value: it comes straight from the browser
            $query = sprintf("select id, familiar, timeout from people where cookie='%s'",
                mysql_real_escape_string($cookie));
            $result = mysql_query($query);
            if ($result && mysql_num_rows($result) == 1)
            {
                $id = mysql_result($result, 0, 'id');
                $logname = mysql_result($result, 0, 'familiar');
                $persistent = mysql_result($result, 0, 'timeout');
                // generate new cookie so stolen cookies won't work.. this also means
                // using a new machine will wipe out stored cookies
                $cookie = randomstring(10);
                if ($persistent == 'yes')
                    setcookie("K9PA70634H", $cookie, time() + (86400 * 365)); // give em a year before it expires.
                else
                    setcookie("K9PA70634H", $cookie); // issue session only cookie
                // now update access time and ip address
                $ipaddr = $_SERVER['REMOTE_ADDR'];
                $query = sprintf("update people set last_ip='%s', cookie='%s', last_accessed='%s' where id='%d'",
                    mysql_real_escape_string($ipaddr), mysql_real_escape_string($cookie), date("Y-m-d H:i:s"), $id);
                mysql_query($query);
            }
        }
    }
    return $id;
}
Getlogname in my case is called on every page that has access to 'sensitive
data' and checks that either the cookie is set, or invites the user to
log in before proceeding.
If you went that sort of route you would probably hold a set of
directories or pictures that user was allowed to access in the database.
Going the PHP route and using cookies and/or databases is probably the
slicker, neater and vastly more complex way to do what the .htaccess
files will do anyway.
> Q2) What's a good first book for php?
PHP is so much a stock procedural language with a bolt-on OO part that
it's hardly worth having a 'first' book in PHP. Essentially if you have
programmed in anything else, PHP is pretty much like C or Pascal in
terms of its structure. The differences are subtle, in the (lack of)
typing and in what libraries are available, and here the online manual
is the best resource of all, especially user contributed solutions and
issues.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
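A hardened form of the rotating-cookie login and per-page check described in the reply above, written as an added example that is not part of the original post. It assumes a PDO handle $db to a people table with id, familiar, password_hash, cookie and timeout columns (the column names and the COOKIE_NAME constant are assumptions), PHP 7.3 or later for setcookie()'s options array, and a registration step that stored password_hash() output; prepared statements replace sprintf(), the token comes from random_bytes() and is stored hashed, and the cookie is marked Secure and HttpOnly.

```php
<?php
// Added example (not the poster's code). Assumes a PDO handle $db to a 'people'
// table with columns id, familiar, password_hash, cookie, timeout ('yes'/'no').
const COOKIE_NAME = 'K9PA70634H';

function issue_cookie(PDO $db, int $id, bool $persistent): string
{
    // 128-bit random token, hex encoded; only its hash is stored, so a DB leak yields no live cookies
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare('update people set cookie = ?, timeout = ? where id = ?');
    $stmt->execute([hash('sha256', $token), $persistent ? 'yes' : 'no', $id]);
    $expires = $persistent ? time() + 86400 * 365 : 0;   // 0 = session-only cookie
    setcookie(COOKIE_NAME, $token, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $token;
}

// Login: parameterised query, password hash check, then a fresh token.
function login(PDO $db, string $name, string $password, bool $persistent): ?int
{
    $stmt = $db->prepare('select id, password_hash from people where familiar = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // the stored value is a password_hash() result, never the password itself
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    issue_cookie($db, (int) $row['id'], $persistent);
    return (int) $row['id'];
}

// Per-page check: look the token up, rotate it, return the user id or 0.
function getlogname(PDO $db): int
{
    $token = $_COOKIE[COOKIE_NAME] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return 0;
    }
    $stmt = $db->prepare('select id, timeout from people where cookie = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return 0;
    }
    issue_cookie($db, (int) $row['id'], $row['timeout'] === 'yes');
    return (int) $row['id'];
}
```

Because the token is rotated on every successful check, a copied cookie stops working the next time the legitimate user loads a page, which is the property the reply above is after.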