
Get value from external PHP file


Postby Timesoda » Tue May 24, 2011 9:18 pm

Edit: Skip down to the bottom to read the new problem; this one has been fixed.

I'm trying to create a preliminary login that requires anyone attempting to access the next page to put in a password. Initially I just had 'var pass = blah;' in my HTML, but I remembered that if someone just viewed the page source, they could see that password and access the page.
As far as I could tell, the simplest way for me to do this without anyone being able to see the password in the source is to have my password stored in an external php file as a variable.
I googled far and wide, but nothing quite like what I was trying to do (without using MySQL or a whole lot of code) came up.

Is what I'm asking even possible? Surely it is, just maybe not exactly the way I was hoping to do it.

In order to more clearly explain how I want this to work:

User visits /upload.html and receives a text box that prompts for the password.
The password is entered, if incorrect, the text on the page says that it's incorrect, and has a refresh button to try again. If the password is correct, it moves on to the next php file with a passed variable that's hidden from the URL.

I have already gotten the prompt, refresh button, and the like programmed as a base, but I have no idea how to grab a value from an external php, save it as a variable in the primary php, then pass it on to another php without "?myvar=value" in the URL.

Here is what I have so far (unfortunately still with the password in the HTML and passing the variable in the URL of the next php, which is what I don't want):
Code:
<p id="WaitText">Waiting...</p>
<form><input type=button value="Try Again" name="refreshbtn" onClick="window.location.reload()"></form>

<script>
var s1 = document.getElementsByName("refreshbtn").item(0);
s1.style.visibility="hidden";
</script>

<HEAD>

<script type="text/javascript">

function showrefresh()
{
   var s1 = document.getElementsByName("refreshbtn").item(0);
   s1.style.visibility="visible";
}

var pass = "blah";

password=prompt("Please enter your password:","");

if (password==pass) {
window.location= "upload_file.php?pass=blah"; // file to open if password is correct
} else {
WaitText.innerHTML="Wrong password!";
showrefresh();
}

</script>


Any help or redirecting would be greatly appreciated.
Last edited by Timesoda on Wed May 25, 2011 11:07 am, edited 2 times in total.
Timesoda
New php-forum User
Posts: 7
Joined: Tue May 24, 2011 9:05 pm

Re: Get value from external PHP file

Postby Timesoda » Wed May 25, 2011 2:35 am

Update:

I've figured a way to pass my variable silently, however, I can't get it to pass from php to JavaScript.
I'm using the same exact code as everyone else on the internet to do this simple thing, but for some reason it isn't working.

Even simply this doesn't work:
Code:
<?php
   session_start();
   $pass = $_SESSION['pass']; //Retrieves the value from my other php file
?>

<script language="javascript" type="text/javascript">
      var pass = <?php echo $pass; ?>; //Passes the variable from php to the javascript bit
      document.write(pass); //test prints it on the page
</script>


If I put this underneath the $pass initialization code inside of the php code, it prints the correct password, so I know it's retrieving the value correctly:

Code:
echo $pass;


It doesn't seem to like the code bit:
Code:
var pass = <?php echo $pass; ?>;

I've checked it many times, and the syntax should be fine. I've tried naming them myVar or myJSObject like tutorials say, but no matter what I do, the value does not get passed.
If I change the second line of code to:
Code:
document.write("test line");

but leave the first line as-is, it skips the whole code as if it's bad.

But if I remove the first line and have the second one print the test line, it works.

Here is the tutorial code, which, when used, works as it should:
Code:
<?php   $myvar=10;   ?>

<script type="text/javascript">
   jsvar = <?php echo $myvar; ?>;
   document.write(jsvar);  // test to see if it prints 10
</script>


Edit: I finally seemed to narrow it down. I can leave my code almost the way it is, except if I use any value for $pass that isn't a number, it won't work. However, other tutorials are able to use non-numerical variables...
Timesoda
New php-forum User
Posts: 7
Joined: Tue May 24, 2011 9:05 pm
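
The behaviour described in the post above (a numeric value works, a non-numeric one silently breaks the script) comes from echoing the PHP value into JavaScript without quoting it. The following is an added example, not part of the original post; `js_literal()` is a hypothetical helper name, the sample values are constructed, and it assumes PHP 7.3 or later. Run it from the command line to compare the two outputs.

```php
<?php
// Added example: why an unquoted echo works for 10 but not for "blah",
// and how json_encode() produces a valid JavaScript literal for any value.

/** Encode a PHP value as a JavaScript literal that is safe inside <script>. */
function js_literal($value): string
{
    // The JSON_HEX_* flags escape <, >, &, ' and " as \uXXXX so the value
    // cannot close the <script> element or break out of a quoted string.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 10 and "blah" are the values used in the thread; the third is constructed.
$samples = [10, 'blah', 'it\'s a "test" </script>'];

foreach ($samples as $value) {
    // Raw echo: a string arrives in the page as a bare identifier,
    // which JavaScript rejects as an undefined name.
    echo "raw echo   : var v = " . $value . ";\n";
    // json_encode: numbers stay numbers, strings are quoted and escaped.
    echo "json_encode: var v = " . js_literal($value) . ";\n\n";
}
```

Anything written into the page this way is visible in the page source, so it suits display values and not secrets.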

Re: Get value from external PHP file

Postby johnj » Wed May 25, 2011 8:06 am

Passwords are usually stored in a table/database.
johnj
php-forum Super User
Posts: 1805
Joined: Thu Mar 10, 2011 5:07 pm

Re: Get value from external PHP file

Postby Timesoda » Wed May 25, 2011 9:04 am

There's only one password to access this, so I was hoping I could just hard code it somewhere.
I have no idea how to set it up in MySQL, but if it's the only way, I'd be willing to learn.
Though I would much prefer to hard code it.

My problem now is just trying to hide the password from the source code.
I just want a hidden variable that can be compared to user input, and if it's a certain value, do the rest of the code.
Timesoda
New php-forum User
Posts: 7
Joined: Tue May 24, 2011 9:05 pm

Re: Get value from external PHP file

Postby johnj » Wed May 25, 2011 10:28 am

You can use sessions
Code:
// Start the session only if one is not already active
if (!isset($_SESSION)) {
    session_start();
}
$_SESSION['myPassword'] = 'somepassword';


Whenever you need to access the password, on any page, use
Code:
// Start the session only if one is not already active
if (!isset($_SESSION)) {
    session_start();
}
$someVariable = $_SESSION['myPassword']; // read the value stored earlier
johnj
php-forum Super User
Posts: 1805
Joined: Thu Mar 10, 2011 5:07 pm
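
A server-side version of the password gate discussed in this thread, as an added example that is not part of any post above. The file name `login.php`, the helper names and the demo password are assumptions; `upload_file.php` is the page named in the first post. The comparison happens in PHP, and the session holds only a flag saying the visitor passed the check.

```php
<?php
// login.php (hypothetical name): the password check runs on the server,
// so nothing secret is ever sent to the browser.
session_start();

// Constructed demo value. In practice run password_hash() once, store only
// the resulting hash (e.g. in a file outside the web root), and load it here.
$storedHash = password_hash('constructed-demo-password', PASSWORD_DEFAULT);

/** Return true when the submitted password matches the stored hash. */
function check_password(string $submitted, string $hash): bool
{
    return password_verify($submitted, $hash);
}

$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $submitted = $_POST['password'] ?? '';
    if (is_string($submitted) && check_password($submitted, $storedHash)) {
        session_regenerate_id(true);          // new session ID after login
        $_SESSION['authenticated'] = true;    // store a flag, not the password
        header('Location: upload_file.php');  // no ?pass=... in the URL
        exit;
    }
    $error = 'Wrong password!';
}
?>
<form method="post">
  <label>Password: <input type="password" name="password"></label>
  <button type="submit">Continue</button>
</form>
<p><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
<?php
// Guard to call at the top of upload_file.php, after session_start():
function require_login(): void
{
    if (empty($_SESSION['authenticated'])) {
        header('Location: login.php');
        exit;
    }
}
```

The guard has to run on every protected page; without it, `upload_file.php` can be requested directly whether or not the form was ever submitted.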

Re: Get value from external PHP file

Postby johnj » Wed May 25, 2011 10:29 am

BUT, I will still recommend the use of a table, even if it is just one password.
johnj
php-forum Super User
Posts: 1805
Joined: Thu Mar 10, 2011 5:07 pm

Re: Get value from external PHP file

Postby Timesoda » Wed May 25, 2011 10:36 am

Thanks, I got it.
Timesoda
New php-forum User
Posts: 7
Joined: Tue May 24, 2011 9:05 pm

