
Okay guys, I am trying to secure a page with an access code, but the page is not secured: if someone writes pagename.php in the URL, the page loads without my code being checked. The code works: after entering the correct access code it redirects to my page, but the page is not secured, a client can visit the page without a code just by writing my page in the URL.....

```php
<?php
include ('modules/conf.php');
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST") {
    $secretcode = mysqli_real_escape_string($db,$_POST['secretcode']);
    $sql = "SELECT * FROM password WHERE password = '$secretcode'";
    $result = mysqli_query($db,$sql);
    $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
    $active = $row['active'];
    $count = mysqli_num_rows($result);
    if($count == 1) {
        $_SESSION['login_user'] = $secretcode;
        session_start();
        header("location: question.php");
    } else {
        echo '<script type="text/javascript">';
        echo 'setTimeout(function () { swal("", "Съжеляваме вашият код е невалиден");';
        echo '}, 1000);</script>';
    }
}
?>
    <div class="section">
        <div class="container-fluid gamebox">
          <div class="row">
          <div class="col-md-6">
            <div class="secretcode">
             <h1 class="text-center">въведете код от брошурата</h1>
             <form action="" method="post" class="formsecretcode text-center">
 <input type="secretcode" id="codeverify" name="secretcode" placeholder="въведете вашият код">
 <input type="submit" class="buttonsubmit" name="submit" value="провери код">
</form>
```

  • Sidenote: you don't need to use `session_start();` twice and that may trigger that the session was already started. – Funk Forty Niner Mar 08 '16 at 15:15
  • You're showing us the secret code page but not the page that's supposed to be secure (question.php). On that page, you have to check that your `$_SESSION['login_user']` is defined, and redirect if not – WheatBeak Mar 08 '16 at 15:17
    **A:** Simple. Check to see if the session is set *(with an optional "`if { equal to something }`")*, and if not, `else { kick them out }`. Also best to add `exit;` after header, otherwise your code may want to continue executing. – Funk Forty Niner Mar 08 '16 at 15:18

1 Answer

As I stated in the comments, and seeing that nobody has posted an answer so far, I am submitting the following.

Check to see if the session is set (with an optional "if { equal to something }"), and if not, else { kick them out }.

The logic is as follows, and it needs to be part of every page using sessions that you wish to protect (assuming `$secretcode` equals 12345 as an example):

```php
<?php
session_start();

if (isset($_SESSION['login_user']) && $_SESSION['login_user'] == '12345') {
   // Do something
} else {
   // Do something else
}
```

It's also best to add `exit;` after `header()`, otherwise your code may want to continue executing.

Footnotes:

You don't need to use `session_start();` twice, as that may trigger a warning that the session was already started.

  • Use it once, at the "top" of every page, while making sure you're not outputting anything before `header()`.

Add error reporting to the top of your file(s) which will help find errors.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Then the rest of your code
```

Sidenote: Displaying errors should only be done in staging, and never production.


Additional notes:

You could optionally check for both a username and secret word in the query which makes it a bit more unique.

```php
$username = "Johnny B. Good";

$sql = "SELECT * FROM password
        WHERE username = '$username'
        AND password = '$secretcode'";
```

Unless you're only checking for a secret code, in which case leave your query the way it is now.

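The gate described in the answer, written out as a reusable check plus the two places it touches (the login page's success branch and the top of `question.php`). This is an added example, not code from the question or the answer; the login page name `index.php`, the function `require_login()` and the file name `auth_check.php` are assumed names.

```php
<?php
// auth_check.php (assumed file name) -- added example, not the original poster's code.
// Include this as the very first thing in every page that must be protected,
// before any HTML output, so header() can still send the redirect.
// Assumes the login page stores the validated code in $_SESSION['login_user'],
// exactly as the question's code does.

function require_login(string $login_page = 'index.php'): void
{
    // Start the session once; a second session_start() only triggers a notice.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (empty($_SESSION['login_user'])) {
        // Not authenticated: redirect to the code-entry page and STOP.
        // Without exit the rest of the page body is still sent to the client,
        // which is the symptom the question describes.
        header('Location: ' . $login_page);
        exit;
    }
}

// --- login page, inside the POST branch once $count == 1 (replaces the
// --- second session_start() and the bare header() call) ---
// session_regenerate_id(true);          // fresh session id after a successful login
// $_SESSION['login_user'] = $secretcode;
// header('Location: question.php');
// exit;                                 // do not keep rendering the form

// --- question.php, first lines of the file, before any HTML ---
// require 'auth_check.php';
// require_login();                      // everything below this line is protected
```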