Anonymous
So I am attempting to create a very simple password-only login page to navigate to a secure PHP file (admin.php). When I say simple, I mean it does not require a username and does not use a database in any way. It is of course only as secure as the password you create. Currently my main protection is PHP itself, as it does not render to the browser, and unless the server breaks and treats a PHP file as an ASCII file I am under the impression that PHP is fairly safe because of this. Please correct me if I am wrong, as I am new to the security-proofing side of PHP. Below is an example and flow chart of the process I am thinking about. The password is stored in a PHP variable and is never transferred to the client side. Also, the admin.php file has a variable-set check so it cannot be browsed to directly. Please poke as many holes as you want, as I am learning and anything you can teach would be appreciated.
LOGIN.PHP FILE
SETTINGS.PHP FILE
ADMIN.PHP
LOGIN.PHP FILE
Code:
<!DOCTYPE html>
<?php
/* This file contains the password.
   The reason it is in a different file is because
   that file will hold all settings (PHP variables)
   for storing saved settings. No client side code. */
include('settings.php');
?>
<HTML>
<HEAD>
<script type='text/javascript'>
function openWindowWithPost(url, params, newWin){
    // Changes page URL with POST parameters
    var form = document.createElement('form');
    form.setAttribute('method', "post");
    form.setAttribute('action', url);
    form.setAttribute('target', '_self');
    for (var i in params){
        if (params.hasOwnProperty(i)){
            var input = document.createElement('input');
            input.type = 'hidden';
            input.name = i;
            input.value = params[i];
            form.appendChild(input);
            if (newWin != undefined){
                form.target = '_blank';
            }
        }
    }
    document.body.appendChild(form);
    form.submit();
}
function login(){
    // Reloads the page with the POST parameter "letmein" set as the password
    var params = {};
    params['letmein'] = document.getElementById('pswd').value;
    openWindowWithPost('Login.php', params);
}
</script>
</HEAD>
<BODY>
<?php
$letmein = $_POST['letmein'] ?? ''; // empty string when the form has not been submitted yet
if ($letmein != $securityWord){
    // No password or invalid password
    if ($letmein != ''){
        // If password was invalid
        echo "<script type='text/javascript'>alert('Incorrect password');</script>".PHP_EOL;
    }
?>
Password:
<input type='password' id='pswd' />
<button onclick='login();'>LOGIN</button>
<?php
} else {
    // Password was correct. Include the page that is secure.
    include ('admin.php');
}
?>
</BODY>
</HTML>
SETTINGS.PHP FILE
Code:
<?php
$securityWord = 'password';
/*This page would contain more settings but
for this example I am keeping it as basic as
possible. */
?>
ADMIN.PHP
Code:
<?php
if (!isset($securityWord)){die('This is a secure site. Please use the login file (Login.php).');}
?>
You made it to the secure page!!!
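The design above compares a plaintext password from `$_POST` with a loose `!=` and then includes admin.php inside the same request, so nothing remembers the login and the `isset($securityWord)` guard only proves that settings.php was included, not that anyone authenticated. The following is an added example, not the poster's code, of how the same password-only flow is usually hardened: the secret is stored as a `password_hash()` digest, checked with `password_verify()` (constant-time, strict), a server-side session records success, and admin.php checks that session. It assumes a file named auth.php, that settings.php defines `$securityWordHash` (an assumed name) instead of `$securityWord`, and PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// auth.php: added example, not the original poster's code.
// Assumes settings.php defines $securityWordHash, generated once with:
//   php -r 'echo password_hash("your-real-password", PASSWORD_DEFAULT), PHP_EOL;'
// so the plaintext password never sits on disk, only its salted hash.
declare(strict_types=1);

require __DIR__ . '/settings.php';

const MAX_ATTEMPTS = 5;       // failed tries before this session is locked out
const LOCKOUT_SECONDS = 300;  // how long the lockout lasts

// Start the session once, with cookie flags that keep it off the client script side
// and off plain HTTP when the site is served over TLS.
function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => !empty($_SERVER['HTTPS']),
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Verify a submitted password against the stored hash and mark the session as admin.
// Returns true on success. Never echoes or compares the plaintext with == / !=.
function attempt_login(string $submitted, string $hash): bool
{
    start_session();
    $now = time();

    // Per-session lockout: a constructed, minimal brake on repeated guessing.
    if ($now < ($_SESSION['locked_until'] ?? 0)) {
        return false;
    }

    if (password_verify($submitted, $hash)) {
        session_regenerate_id(true);   // new session id on privilege change
        $_SESSION['admin'] = true;
        $_SESSION['attempts'] = 0;
        return true;
    }

    $_SESSION['attempts'] = ($_SESSION['attempts'] ?? 0) + 1;
    if ($_SESSION['attempts'] >= MAX_ATTEMPTS) {
        $_SESSION['locked_until'] = $now + LOCKOUT_SECONDS;
        $_SESSION['attempts'] = 0;
    }
    return false;
}

// Guard for protected pages: redirect to the login page unless this session logged in.
function require_admin(string $loginUrl = 'Login.php'): void
{
    start_session();
    if (empty($_SESSION['admin'])) {
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
}

// End the session cleanly (for a logout link).
function logout(): void
{
    start_session();
    $_SESSION = [];
    session_destroy();
}
```

With this file in place, Login.php becomes `require 'auth.php'; if ($_SERVER['REQUEST_METHOD'] === 'POST' && attempt_login($_POST['letmein'] ?? '', $securityWordHash)) { header('Location: admin.php', true, 303); exit; }` followed by a plain `<form method="post">` (the JavaScript form builder is not needed, and a real form works with scripts disabled), and admin.php starts with `require 'auth.php'; require_admin();` instead of the `isset` check. Two caveats remain: the lockout is keyed to the session cookie, so it only slows a client that keeps the cookie, and real throttling needs server-side state; and settings.php is still sensitive even when it holds a hash, so keep it outside the web root and, as the poster already noted, make sure the server never serves .php files as plain text.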