Ok so I searched and could not seem to find anything that I am looking for exactly.

Background on what I am trying to accomplish: I have a website that will require no log-in information, as it is a confidential website and I don't want anything posted linked to any ONE account. So the way I am planning on this working is that whenever someone creates a post they must fill out a form, for example... Title - Information - Passphrase (simple word) - Passcode (5 digits from 10000 - 99999).

Now the reason for the possibility of accessing it later is so they can edit or delete the post after creating it without linking an account that would identify them, as stated above.

I have the following simple code to edit the post, but how would I make it so that, say, (passPhrase and passCode) have to match to pull up the associated data? I will have a form before I access the edit page to type in the correct info.

FORM TO REACH EDIT PAGE

<div id="form-holder">
        <form action="function/example.php" method="post"> 
            <h3>Pass ID:</h3>
            <input type="text" name="ID" id="ID">
            <h3>Passcode:<br /></h3>
            <input type="text" name="passcode" id="passcode">
            <p><input class="button" type="submit" value="Edit"></p>
        </form>
    </div>

EDIT PAGE:

<?php
$server = "*****";
$user = "*****";
$pass = "*****";
$dbname = "*****";

//Creating connection for mysqli

$conn = new mysqli($server, $user, $pass, $dbname);

//Checking connection

if($conn->connect_error){
 die("Connection failed:" . $conn->connect_error);
}

$article_id = $_GET['id'] ?? '';

if( ! is_numeric($article_id) )
  die("Looks like you are lost!  <a href='#'>Back to Home</a> ");

$article_id = (int) $article_id;

//Bind the id as a parameter instead of pasting it into the SQL string
$stmt = $conn->prepare("SELECT * FROM `DBname` WHERE `ID` = ? LIMIT 0 , 30");
$stmt->bind_param("i", $article_id);
$stmt->execute();
$comments = $stmt->get_result();

//mysqli_fetch_array takes MYSQLI_ASSOC; MYSQL_ASSOC belongs to the old mysql extension
while($row = mysqli_fetch_array($comments, MYSQLI_ASSOC))
{
    $title = htmlspecialchars($row['title'],ENT_QUOTES);
    $info = htmlspecialchars($row['info'],ENT_QUOTES);

echo "<form action='function/update-post.php?id=$article_id' method='post'>";
echo "<h3>Title:</h3>";
echo "<input type='text' name='title' id='title' value='$title'>";
echo "<h3>info:</h3>";
echo "<textarea name='info' id='info'>$info</textarea>";
echo "<p><input class='button' type='submit' value='Update'></p>";
echo "</form>";
}
?>

I found many guides on account-based solutions; I guess what makes this request different is the fact that there are no accounts. And the user really does not have any way of knowing the Key ID of the post.

Any help would be appreciated and hopefully others will benefit from this.

Martijn Pieters
Sheldon C
  • Just save a [hash](https://stackoverflow.com/questions/1602776/what-is-password-hashing) of the passphrase on the row containing the post data? First check if the passphrase and/or passcode are correct before updating the table. – JiFus Mar 04 '18 at 16:23
  • Let's say your users will post articles, just as an example. Create a form for the user to write the article and append an auto credential generator, like a user id and pass code, but you need to ask the user for the email address where you will send their access keys. To access their work, a simple link will work, and restrict the page with a login form so the owner of that work can edit it or do anything. I think you understand. –  Mar 04 '18 at 16:29
  • That would work except for the fact that I don't want any way to link the user to the post they created. – Sheldon C Mar 04 '18 at 16:53

1 Answer

You use a database for the login and store the user and password. I would go a little further and encrypt the password in the db, then at sign-in time encrypt the password. Then use a count statement to see if there is a row that has the hash-style password with the user name. The best method to use is PDO with prepared statements. Oh, and turn off error reporting in PHP so it doesn't output in the browser; just the log file should be recording the error. For confidentiality, you just don't have that info in their table. The last task you will have to do is set up a cron job to clear the website access log. This is where IP addresses are logged.

Also, I would change your form to all POST type so the edit process cannot be bookmarked and open for attack. So I would remove the id from the URL and bring it into the form like so:

   echo '<input type="hidden" name="id" value="'.$article_id.'" >';

Also, you should sanitize the user's POST variables in the following PHP page like:

         $var1=htmlentities($_POST['var1'], ENT_QUOTES);
drtechno
  • _encrypt the password in the db_ I hope you mean HASH and not encrypt – RiggsFolly Mar 04 '18 at 16:43
  • simple hash, not mcrypt – drtechno Mar 04 '18 at 16:50
  • Then maybe you should amend your answer – RiggsFolly Mar 04 '18 at 16:51
  • The passphrase and passcode are stored on the same line as the post title and information. I just want to be able to access only if the passcode and passphrase match. – Sheldon C Mar 04 '18 at 16:55
  • Yes, but you still use two points, otherwise it would get confused if someone reuses the same password. Otherwise you would have to do something like store the unix time (all numbers, no spaces), add it to the password, hash it, then store that unix time in a separate column so it could be added to the posted password from the form, then hash and compare. Your password or pass phrase should be unique if you are comparing just one variable for a login. – drtechno Mar 04 '18 at 17:03
  • "The passphrase and passcode are stored on the same line as the post title and information. I just want to be able to access only if the passcode and passphrase match." OK, so the posting is on the same line. That would be a simple select on that table. If you are using the same username and password, and the edit/delete button on the post has a login form dialog, you would bring forward the unix timestamp variable to that form in a hidden input, so the PHP file you post to unlock the edit knows which line you are editing – drtechno Mar 04 '18 at 17:12
  • you can go even simpler if you use the auto increment field after posting to edit then it would be user, pass, and line# instead of combining a timestamp to the password – drtechno Mar 04 '18 at 17:17
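As an added example (not code from the question or from drtechno's answer), here is the check the question asks for, a passphrase plus passcode that must both match before a post can be edited, written with the hashed credentials, PDO prepared statements and POST-only hidden id that the answer recommends. It assumes PDO, a `posts` table with the columns named in the comment, a form whose fields are named `passphrase` and `passcode`, and a server-side secret `LOOKUP_KEY` (placeholder value).

```php
<?php
// Added example, not code from the question or the answer. Assumes PHP 7.4+,
// PDO in ERRMODE_EXCEPTION, session_start() already called, and a MySQL table
// posts(id INT AUTO_INCREMENT PRIMARY KEY, title TEXT, info TEXT,
//       phrase_key CHAR(64), code_hash VARCHAR(255)).
// Server-side secret (placeholder value). Kept out of the database so a dumped
// table cannot be matched against a list of "simple words".
const LOOKUP_KEY = 'REPLACE-WITH-LONG-RANDOM-SECRET';
// Keyed deterministic hash: the passphrase becomes a lookup column without being stored.
function phraseKey(string $phrase): string {
    return hash_hmac('sha256', strtolower(trim($phrase)), LOOKUP_KEY);
}
function createPost(PDO $db, string $title, string $info, string $phrase, string $code): int {
    if (!preg_match('/^[1-9][0-9]{4}$/', $code)) {   // 10000-99999, as in the question
        throw new InvalidArgumentException('passcode must be five digits');
    }
    $stmt = $db->prepare('INSERT INTO posts (title, info, phrase_key, code_hash) VALUES (?, ?, ?, ?)');
    $stmt->execute([$title, $info, phraseKey($phrase), password_hash($code, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}
// Both credentials must match: the passphrase selects candidate rows and the
// passcode is verified against each candidate's bcrypt hash (two posts may
// share a passphrase). Only 90,000 passcodes exist, so also throttle failures.
function findEditablePost(PDO $db, string $phrase, string $code): ?array {
    $stmt = $db->prepare('SELECT id, title, info, code_hash FROM posts WHERE phrase_key = ?');
    $stmt->execute([phraseKey($phrase)]);
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (password_verify($code, $row['code_hash'])) {
            unset($row['code_hash']);
            return $row;
        }
    }
    return null;
}
// Edit page: credentials arrive by POST and no id appears in the URL. The id
// goes into a hidden field only after both checks pass and is recorded in the
// session, so update-post.php can reject any other id it is sent.
function renderEditForm(PDO $db, array $post): string {
    $row = findEditablePost($db, $post['passphrase'] ?? '', $post['passcode'] ?? '');
    if ($row === null) {
        return '<p>No post matches that passphrase and passcode.</p>';
    }
    $_SESSION['edit_grant'] = (int) $row['id'];
    $esc = static function (string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
    return "<form action='function/update-post.php' method='post'>"
        . "<input type='hidden' name='id' value='" . (int) $row['id'] . "'>"
        . "<h3>Title:</h3><input type='text' name='title' value='" . $esc($row['title']) . "'>"
        . "<h3>Info:</h3><textarea name='info'>" . $esc($row['info']) . "</textarea>"
        . "<p><input class='button' type='submit' value='Update'></p></form>";
}
```

update-post.php should compare `(int) $_POST['id']` with `$_SESSION['edit_grant']` and refuse the update on a mismatch, so passing the check once cannot be turned into editing a different row.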