1

I want to protect some content on my site with a password and I am thinking of using this PHP script.

Do you think it is a good way to go?

Do you know something better for this task, or a way to improve (if needed) this one?

The code to load the content from the database is:

<?php


error_reporting(0);
include("config.php");


if (!isset($_REQUEST["p"])) {

    echo 'document.write("<div id=\"protected_'.intval($_REQUEST["id"]).'\">");';
    echo 'document.write("<form onsubmit=\'return LoadContent(\"'.intval($_REQUEST["id"]).'\",\"protected_'.intval($_REQUEST["id"]).'\",document.getElementById(\"pass_'.intval($_REQUEST["id"]).'\").value); return false;\'\"><input type=\'password\' size=\'30\' placeholder=\'Content is protected! Enter password.\' id=\"pass_'.intval($_REQUEST["id"]).'\"></form>");';
    echo 'document.write("</div>");';

} else {

    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE `id`='".intval($_REQUEST["id"])."' AND password='".mysql_real_escape_string($_REQUEST["p"])."'";
    $sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql);

    if (mysql_num_rows($sql_result)==1) {
        $row = mysql_fetch_assoc($sql_result);
        echo $row["content"];
    } else {
        echo 'Wrong password';  
    }

}

?>   
Alexis
  • You want to do it at the PHP level? You could do it with htaccess pretty easily (if using apache). https://davidwalsh.name/password-protect-directory-using-htaccess I'm not creating an account on that site to see what the code is, if it is using `mysql_*` functions it is not secure. If it is passing user data direct to a query it is not secure. There are many ways to deny access though. – chris85 Oct 08 '16 at 16:24
  • 1
    So you want us to download that package to see what's in it and run it? I for one won't be doing that; paste your code in the question. – Funk Forty Niner Oct 08 '16 at 16:29
  • Hi, the code stores in a database an id, the HTML content and the password. The problem I see (I am a newbie in PHP and databases) is that the script stores the password as plain text in the database – Alexis Oct 08 '16 at 16:35
  • As suspected it is using `mysql_*` so no, it is not secure. If using PHP 7 it won't even run. – chris85 Oct 08 '16 at 16:41
  • Thanks, do you know some similar script that could be more or less right ? – Alexis Oct 08 '16 at 16:48
  • I wouldn't waste my time with that script if I were you. I'd use a prepared statement with `password_hash()`; you can call this an "answer" in its own right ;-) – Funk Forty Niner Oct 08 '16 at 16:58

1 Answer

2

As I said in comments, you shouldn't be spending any more time with what you downloaded since it's old and not safe.

You may be saving passwords in plain text which is definitely not a good idea.

  • It's time to step into the 21st century.

The mysql_ API is in deprecation and has been deleted from PHP 7.0 entirely.

You are best to use a prepared statement and password_hash() or the compatibility pack.

Here are a few references:

N.B. The use of mysql_real_escape_string() does not fully guarantee protection against a possible SQL injection.

Consult the following Q&A on the subject:

Here is a piece of code pulled from one of ircmaxell's answers which uses a (PDO) prepared statement and password_hash().

Pulled from: https://stackoverflow.com/a/29778421/1415724

Just use a library. Seriously. They exist for a reason.

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And on login:

// Look the user up by name only; the password is checked in PHP, not in SQL.
$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$stmt->execute([$_POST['username']]);   // execute() returns a bool, not a result set
$users = $stmt->fetchAll(PDO::FETCH_OBJ);
if (isset($users[0])) {
    if (password_verify($_POST['password'], $users[0]->password)) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}
Community
Funk Forty Niner
  • why was this downvoted? I don't see the point here. I won't be deleting it either. Up until you the downvoter can explain why you did. – Funk Forty Niner Oct 08 '16 at 18:13
  • clearly the downvoter doesn't want to say anything and needs to back it up with a comment about it because the answer does "answer" the question. If you're not going to bother, then post your own answer. – Funk Forty Niner Oct 08 '16 at 18:45
  • 1
    Here, I will pretend to be the downvoter: *I am jealous of your gray matter between your ears. Why was I born with my inept one?* . Ok, done pretending: http://i.imgur.com/qF8BKHm.jpg – Drew Oct 08 '16 at 18:54
  • @Drew TBH, I'd expect a downvote with a wrong answer/bad-wrong syntax, but in this case there wasn't; it answered the question. If they did that because I pulled some code from ircmaxell's answer which I do on some occasions, then at the very least say so. I thought it was fine far as I'm concerned and couldn't have voted to close the question as a dupe for it. They're probably shaking in the boots because they'd think I'd badmouth them or something; I guess they know how I can be, but that's beside the point; I'm not that hard to "speak with" and to discuss it. They want to be ignorant; fine. – Funk Forty Niner Oct 08 '16 at 19:10
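
Added example, not part of the original thread or of the downloaded script: the question's "content protected by a per-item password" lookup, redone with a PDO prepared statement and `password_hash()` / `password_verify()` as the answer recommends. The table name `protected_content`, the functions `storeContent()` and `loadContent()`, and the in-memory SQLite database (used so the example runs offline; requires the pdo_sqlite extension) are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the site's MySQL database so the example runs offline.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE protected_content (
    id INTEGER PRIMARY KEY,
    content TEXT NOT NULL,
    password_hash TEXT NOT NULL
)');

// Store a protected block: only the hash is saved, never the password itself.
function storeContent(PDO $dbh, int $id, string $content, string $password): void
{
    $stmt = $dbh->prepare(
        'INSERT INTO protected_content (id, content, password_hash) VALUES (?, ?, ?)'
    );
    $stmt->execute([$id, $content, password_hash($password, PASSWORD_DEFAULT)]);
}

// Return the content when the password matches, or null on any failure.
function loadContent(PDO $dbh, int $id, string $password): ?string
{
    // The password never enters the SQL; the row is looked up by id only.
    $stmt = $dbh->prepare('SELECT content, password_hash FROM protected_content WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // same result for an unknown id and a wrong password
    }

    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since it was created.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $dbh->prepare('UPDATE protected_content SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
    }
    return $row['content'];
}

// Constructed sample data.
storeContent($dbh, 1, '<p>Members-only text</p>', 'correct horse battery staple');

var_dump(loadContent($dbh, 1, 'correct horse battery staple') !== null); // valid password
var_dump(loadContent($dbh, 1, "' OR '1'='1"));                           // wrong password
var_dump(loadContent($dbh, 99, 'anything'));                             // unknown id
```

In a web handler, read the password from `$_POST` rather than `$_REQUEST` so that it does not end up in URLs and access logs.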