Password entry

[TheSponge]

I have a 2 nice scripts available for uploading images, to 2 of my php forums,

but I want one of the scripts to ask for a password, as soon as the password is entered, the script continues as normal,

I know its a php_self post command, but I cant quite get it, the password will be within the script itself.

any help as always appreciated.......

A+,Network +

 

[jpadie]

htaccess?

 

[TheSponge]

could you eleborate please.........

A+,Network +

 

[lgarner]

.htaccess is a way to have the browser handle authentication. Works with Apache.

I'd have the script check if $_POST['password'] is set. If so, validate it along with the username and any other variables and continue. If not, display the password form.

 

[vacunita]

Here is the thing, PHP is a server-side language, that means it can't directly interact with the client browser.

In a nutshell:
1. Browser Requests Page to server,
2. Server finds page, and sends it to be parsed by PHP interpreter.
3. PHP interpreter parses entire file,
4.PHP interpreter sends file back to server. At this point there is no more PHP going on it is all done.
5.Server serves file to browser.

So there is no way for PHP to generate a Password request form in the middle of a script.

What you can do, is have a Password Form before the upload, and send it to the server, if the password matches correctly then you can proceed with the upload. Otherwise send the page back to browser without uplaoding anything.

As an Example:
UploadScript.php

<html>
...
<form name=submitform...>
...
<?
if(Form is submitted)
{
 if (submittedpassword==storedpassword){
do upload code here.
}
else {
echo "password incorrect try again";
}

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[TheSponge]

thats exactly what I needed

the php will not parse untill a password is entered,

can you elaborate a bit more on the code please?

the password will be a constant anyway, within the script

thanks a million for replying...

A+,Network +

 

[vacunita]

Not much more to elaborate...

...
<form name=submitform method=POST>
[green]<input type=text name="pwd_field">
<input type=submit name=sent value="Send Password">
[/green]
<?
[blue]check that form has been submitted[/blue]
if(isset($_POST[sent]))
{
[blue]check that subitted password matches stored password[/blue]
if ($_POST['pwd_field']==$storedpasssword){
[red]Upload code goes here[/red]
}
else {
echo "Password incorrect try again";
}

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[Olavxxx]

the password will be a constant anyway, within the script

This is as secure as using tape to lock your doors.
If you do this, people can remote-submit on your forms.

What you need is a "enter text as seen on image" script.

A long time ago, I wrote an article (with code!), which might help you:

http://www.evolt.org/securing_forms_random_image

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster

 

[TheSponge]

thanks everyone, cant seem to get it too work,

but Ill keep trying

A+,Network +

 

[vacunita]

thanks everyone, cant seem to get it too work,

If you need more help, don't hesitate to post back.

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[TheSponge]

well there are errors in the script and I dont know how to fix,

this is a copy of the working script, I just want to add a password to the page.

<?php 


// Create the main upload function 
function do_upload() { 
     
    // Create an array containing all valid upload file types for this script 

    $allowed_types = array( 
        "image/gif" => "gif", 
        "image/pjpeg" => "jpg", 
	  "image/jpg" => "jpg",
        "image/jpeg" => "jpg",
        // Add more types here if you like 
        

    ); 
     
    // Check to see if the file type is in the allowed types array 
    if(!array_key_exists($_FILES['userfile']['type'], $allowed_types)) { 
        die("Invalid file type."); 
    } 
     
    // Set the maximum uploadable file size => 512000 = 500kb 
    $maxfilesize = 512000; 
     
    // Is the file larger than it is allowed to be? 
    if($_FILES['userfile']['size'] > $maxfilesize) { 
        die("File too large"); 
    } 
     
    // Where will the file be uploaded to? 
    $uploaddir = $_SERVER['DOCUMENT_ROOT'] . "/may/"; 
     
    // What is the files temporary name? 
    $file = $_FILES['userfile']['tmp_name']; 
     
    // What is the files actual name? 
    $filename = $_FILES['userfile']['name']; 
         
    // Does this file already exist on the server? 
    if(file_exists($uploaddir . $filename)) 
	
	{ 
        //die("A file with that name already exists on this server."); 
		die("File already existed, [img]http://www.mysite.net/may/" . $filename ."[/img]"); 

	 
    } else { 
        // This file does not already exist, so copy it. 
        copy($file, $uploaddir.$filename) or die("Could not copy file."); 
    } 
     
    // All done! :-) 
    echo "Upload successful";
    echo "<br />";
    echo "<br />";
    echo "Copy and Paste the following Code";
    echo "<br/>";
    echo "<font color=green><b>";
    echo "<br />";
    echo "[img]http://www.mysite.net/may/";
    echo $filename;
    echo "[/img]";
    echo "<br/>";
    echo "<br/>";
    echo '<img src="may/'.$filename.'">';
    echo "<br />";
    echo "<br />";
    echo "</font>";

    } 









?> 
<html> 
    <head> 
<link href="sponge.css" rel="stylesheet" type="text/css">
        <title>mysite Image Upload</title> 
    </head>
    <body bgcolor="#dddddd"> 
    <center>
    <img src="images/weblogo.gif">
<table border="0"><tr><td class="cellhead">mysite Image uploader 2006, Please dont abuse..</td></tr>
<tr><td class="cellcontent2"><br /><br />Webmasters, this site is hotlinked, this uploader is for mysite forum members only, the links will not work elsewhere.</td></tr></table>
        <form method="post" enctype="multipart/form-data"> 
            <input type="hidden" name="action" value="do_upload"> 
            <input type="file" name="userfile"><br /> 
            <input type="submit" name="submit" value="Upload Image"> 
        </form> 
    </body> 
</html> 
<?php 
// If the form has been completed, execute the upload function (above). 
if($_POST['action'] == "do_upload") { 
    do_upload(); 
} 
?>

Thanks guys

A+,Network +

 

[Olavxxx]

<?php
/* Session must always start at the very top of the php file! */
session_start();
include "header.php";

if (empty($_POST['key'])) {
$_POST['key'] = "hahahaah";
}


// if the key is wrong, or not excistant
if ($_SESSION['key'] != $_POST['key'] || (!($_SESSION['key']))) {
  $_SESSION['key'] = substr(md5(time()), 0, 6); // make a key
/* Make a form for inputing the key*/
  echo "<h1>Sign our guestbook!</h1>
  <form action=\"\" method=\"post\">
  <img src=\"img.jpg\" /><br />
   Enter code - As seen above.<br />
  <input type=\"text\" name=\"key\" />
  <input type=\"submit\" name=\"submit\" value=\"submit\" />
  </form>";
  }
else { // if key is set and input is correct
// process the page
// #############

if (isset($submit)) { // if user submitted the form
  if ($submit == "logout") { // if user wants to logout
      unset($_SESSION['key']); // unset the key
    }
	if (([b]$somevar== "somevalue"[/b]) && ($_SESSION['key'] == $_POST['key']))
	{

Then your page

}
}
?>

Then, img.jpg:

<?php
// once again, start the session at the very top!
session_start();

/* if there is a key */
if ($_SESSION['key']) {
/* define that the browser should treat
  the output of this file as an image */
  header("Content-type: image/png");

  // set the string to the key
  $string = $_SESSION['key'];

  // create an temporary image from a PNG file
  $im    = imagecreatefrompng("bg.png");

  // get a color from the image (in this case, yellow)
  $orange = imagecolorallocate($im, 220, 210, 60);

  /* Now we need to get widh and height of the image, so that we can center the
  key on the image, so that it does not go outside of the borders or look strange */
  $px    = (imagesx($im) - 7.5 * strlen($string)) / 2;
  $h = (imagesy($im) - 7.5) / 2;

  // here we write the key (the string)  on the image
  imagestring($im, 3, $px, $h, $string, $orange);

  // now create the final image
  imagepng($im);

  // to free up results, we need to destroy the temporary image.
  imagedestroy($im);
  }
?> 
[/img]

.htaccess:
[code]
<Files img.jpg>
        ForceType application/x-httpd-php
</Files>

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster

 

[Olavxxx]

oops. the .htaccess should be in it's own block, but I guess you understand.

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster

 

[TheSponge]

WoW thankyou

Ill go through this...and yes I understand the htaccess

A+,Network +

 

[Olavxxx]

yes, I use this to prevent spambots spamming my guestbook..
I had a great deal problems with it, untill I implemented this..

I know it's not really hacker safe, but, hey, it's only for a small guestbook, it's not like I use it for a bank-service or whatever.. it's not really that big issue if the spammer can spam 1 of 1000 times, as then I'll just delete that one spam..

(remote spamming, by spambots!)...
eg. I would sometimes get like 30-40 spam entries per day, in the small guestbook, so it drowned the guests in spam.

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster

 

[Olavxxx]

ps 2:
I would generate a random number, if the file is_file(), then append that number to the end of the file.. (loop while is_file(), to generate a unique name.

also remember to strip the name of funny characters, remove spaces, etc. eg. only accept 0-1, a-z, A-Z, -, _ and nothing else. Also check mimetype of files, as I could (like in the htaccess) upload a script in a jpg file..

Olav Alexander Mjelde

http://www.volvo-power.net

Admin & Webmaster