PHP Login Sessions & Security with Frihost
oly0015
I'm not exactly sure if this should go in a different area but here I go Smile

I'm testing on a WAMP server right now so I can do local testing and was wondering a bit about security when I upload my site to Frihost. I've got the login set up on all the pages to load in the header, then to load in the rest of the page from another include based on permissions. That's all working correctly, but I am curious about the file access since I am using PHP with the server. Since PHP is server-side code, can I set the files to pull only for the server to get proper security, or is there a better method?
coreymanshack
oly0015 wrote:
I'm not exactly sure if this should go in a different area but here I go Smile

I'm testing on a WAMP server right now so I can do local testing and was wondering a bit about security when I upload my site to Frihost. I've got the login set up on all the pages to load in the header, then to load in the rest of the page from another include based on permissions. That's all working correctly, but I am curious about the file access since I am using PHP with the server. Since PHP is server-side code, can I set the files to pull only for the server to get proper security, or is there a better method?


I think you are talking about CHMOD 655?
jmraker
I think that you're thinking that once you upload it to Frihost, the script will get stuff off of your WAMP server? It won't do that unless you include a hostname in your linked files like
Code:
<?php
include "http://www.mywamp.net/site/header.inc.php";
?>
<a href="http://www.mywamp.net/site/go.html">
<img src="http://www.mywamp.net/site/img.gif">


whereas this doesn't have the hostname anywhere:
Code:
<?php
include "header.inc.php";
?>
<a href="go.html">
<img src="img.gif">
oly0015
OK, forget the WAMP server entirely. I was just commenting that I have not put the site up on Frihost yet, so I am not familiar with what is possible with its hosting service.

What I was trying to explain is that I have a file that is set up to grab PHP and HTML code from includes. On the main PHP file I have it set to only get the data if the person's session is valid and they have enough level access. Now, is there a way, without making the include also check for the session, to still not show it up unless it is called by the main file?

It's just that I'm trying to find a better way than to have every included page call a function to check if the user is valid. I heard from someone that there is a trick with .htaccess so you can block calls from anywhere but 127.0.0.1, but I'd assume Frihost does not support that. I'm still learning PHP and I am at least trying to get a bit of valid security built in before I host this online from here.

By the way, if anyone could point me to a tutorial for blocking MySQL code from text boxes, that would be especially helpful at the moment.

Thanks for the help.
jmraker
With the MySQL thing, you should use the mysql_real_escape_string() function:
http://us.php.net/manual/en/function.mysql-real-escape-string.php

With the login thing, what I do is, when they log in, their MySQL record is put in the session as $_SESSION['user'] = $record.

Then on every page, if $_SESSION['user'] exists, they're logged in and it doesn't have to grab their record. If their record contains credit card info, it's removed at login, so it's not in the session file in case it's maliciously accessed.

A PHP include() isn't normally a web server page request, so the contents of .htaccess wouldn't do anything.
oly0015
Thanks for the help on that; it's kind of like what I made up from a book I borrowed last night, just a lot more simplified.

Just by chance, is there a way to block HTML code based on PHP from this method? Such as below, where the PHP filters code but there is also HTML code on the page. I could just save the code in MySQL, then spit it out as needed for the page with echos under that PHP if, but I'm just curious if there is a correct way to accomplish this.

Code:

<?php
session_start();   // the session must be started before $_SESSION is read

// $_SESSION is the superglobal name (case-sensitive); isset() is the
// correct test for a key that may not exist
if (isset($_SESSION['user_id'])) {
    echo 'Welcome ' . $_SESSION['user_name'];
}
?>

<div id="blah">
     <p>text</p>
</div>
jmraker
Here's code that'll redirect to login.php if you're not logged in, and code that shows "logged in content" if you're logged in and "you're not logged in" if not logged in.
Code:
<?php
session_start();

if (!isset($_SESSION['user'])) {
  header("Location: login.php");
  exit; // header() does not stop the script; without exit the rest of the page would still be sent
}
echo 'Welcome ' . $_SESSION['user']['user_name'];
?>

content


Code:
<?php
session_start();

if (isset($_SESSION['user'])){
  echo 'Welcome ' . $_SESSION['user']['user_name'];
?>

logged in content

<?php
}
else{
?>

you are not logged in

<?php } ?>
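The pattern described in the two replies above, as a single added example that is not code from the thread or from Frihost: a login handler that stores only the non-sensitive part of the user's record in the session, and a page guard that redirects and halts when no user is present. The `users` table, its columns and the database credentials are assumptions constructed for this example. Instead of the mysql_real_escape_string() the reply names, the lookup uses a mysqli prepared statement, which keeps the text-box value out of the SQL string altogether, and the password is checked with password_verify() against a stored hash rather than compared in the query.

```php
<?php
// auth.php (added example; assumes a `users` table with columns
// id, user_name, password_hash, credit_card, all constructed for this example)
session_start();

function db(): mysqli
{
    // Placeholder credentials; replace with your own.
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    $db->set_charset('utf8mb4');
    return $db;
}

// Authenticate a username/password pair taken from a login form.
// The prepared statement binds $username as a parameter, so whatever
// was typed into the text box can never change the query's structure.
function login_user(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT id, user_name, password_hash FROM users WHERE user_name = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $name, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($password, $hash)) {
        return false;
    }

    // Only the fields pages actually need go into the session file;
    // the hash and the credit_card column are never selected at all.
    session_regenerate_id(true);          // fresh session id after login
    $_SESSION['user'] = ['id' => $id, 'user_name' => $name];
    return true;
}

// Call at the top of every protected page.
function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit;                              // header() alone does not halt the script
    }
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// ---- a protected page would then look like this ----
// require 'auth.php';
// require_login();
// echo 'Welcome ' . htmlspecialchars($_SESSION['user']['user_name']);
```

The `exit` after `header('Location: ...')` is the part most often left out: a redirect header only asks the browser to go elsewhere, and the rest of the page is still generated and sent unless the script stops. Passing the user name through htmlspecialchars() when echoing it keeps a name containing markup from being rendered as HTML.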
imagefree
Permissions???????
Well, if you are asking about not allowing users to open merely included files and go to the original page, for example:
the following are disallowed:

Code:
/template/header.php
/template/footer.php
/template/common-sidebar.php
/template/common-elements.php
/template/tasks.php
/template/login.php
/template/register.php
/template/homepage.php


and the following are the (only) allowed files:

Code:
/index.php
/register.php
/login.php
etc


then it's easy to protect the backend files. You can do this using .htaccess by disallowing access to the directory /template.

Another option is to use the following code at the top of every public file (for example index.php)

Code:
<?php
define('IS_INCLUDE' , true );
?>


and the following code at the top of every included file

Code:
<?php
if(!defined('IS_INCLUDE')){
header('Location: /index.php'); // header() needs the "Location:" prefix to redirect
die;
}
//or simply remove the header line above to make the script stop immediately.
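The constant guard described above, as an added example (not code from the thread or from Frihost) showing both halves together: the public entry page defines the marker before including anything, and the template file refuses to run unless the marker is present. The file names mirror the layout listed in the reply; the page body and header text are constructed for this example. The two files are shown in one block, separated by comments, and the guard answers with a 403 rather than a redirect so that a direct request to the template leaks nothing and is visible in the access log.

```php
<?php
// ---- /index.php (public entry page) ----
// Added example. Defining IS_INCLUDE here marks this request as having
// come through a public page before anything under /template is pulled in.
define('IS_INCLUDE', true);

require __DIR__ . '/template/header.php';
echo '<p>page body</p>';                 // constructed content
require __DIR__ . '/template/footer.php';

// ---- /template/header.php (an included file) ----
// Added example. Runs only when a public page defined IS_INCLUDE first;
// a direct browser request to /template/header.php never sets it, so the
// script stops before emitting anything.
if (!defined('IS_INCLUDE')) {
    header('HTTP/1.1 403 Forbidden');   // or: header('Location: /index.php');
    exit;
}
echo '<header>site header</header>';     // constructed content

// ---- /template/footer.php (an included file) ----
if (!defined('IS_INCLUDE')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
echo '<footer>site footer</footer>';     // constructed content
```

The .htaccess route the reply mentions is complementary rather than an alternative: a `/template/.htaccess` containing `Deny from all` (Apache 2.2) or `Require all denied` (Apache 2.4) stops the web server from serving those files directly, while PHP's include() reads them from disk and is unaffected, which is why the two layers do not conflict. The constant guard still matters where .htaccess is not honoured, and it costs one `if` per file.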


Hope this is what you wanted.