Creating A Password Protected Page

[Dees]

I am a complete noob at PHP. I literaly just picked up a book on it at Barnes and Noble today. I was hoping to learn how to create a page with a form on it that will ask for a password. I have the general concept of what I need to do in my head but I cannot get it to work. I need to create the form which works, but then I need to create and if statement asking for the correct input and if it is correct link to a different page and if not link to an error page. This is where I am having trouble. I am using Dreamweaver 8, Mac OS X 10.4 and i believe PHP 4 (whatever came pre-loaded on my Mac) Thanks very much.

[justsomeguy]

PHP doesn't have anything to do with creating the form, that's just normal HTML. PHP processes the form, HMTL displays the form. About the easiest possible PHP script to check for a password would look something like this:

<?php$password = $_POST['password'];if ($password == "the correct password")  header("Location: goodjob.php");else  header("Location: badjob.php");?>

That will check the post variable "password" against a hard-coded string ("the correct password"), and redirect if it does or does not match. You can make this a lot more complex, for example they could also enter a user name and then you would check with a database to see if the username and password match with what is in the database. But that is a pretty basic script. If you want to learn more about form processing with PHP and how PHP works, take a little while to read through the intro tutorial at php.net. Start with this page:http://www.php.net/manual/en/introduction.php

[astralaaron]

This tutorial really helped me understand login / password alot more. ive just been building on what this tutorial shows:http://www.phpeasystep.com/phptu/6.html

[Dees]

PHP doesn't have anything to do with creating the form, that's just normal HTML. PHP processes the form, HMTL displays the form. About the easiest possible PHP script to check for a password would look something like this:

<?php$password = $_POST['password'];if ($password == "the correct password")  header("Location: goodjob.php");else  header("Location: badjob.php");?>

That will check the post variable "password" against a hard-coded string ("the correct password"), and redirect if it does or does not match. You can make this a lot more complex, for example they could also enter a user name and then you would check with a database to see if the username and password match with what is in the database. But that is a pretty basic script. If you want to learn more about form processing with PHP and how PHP works, take a little while to read through the intro tutorial at php.net. Start with this page:http://www.php.net/manual/en/introduction.php

That code is very helpful thanks. I was just wondering how the redirect to either a a dead page or to the page trying to be accessed works. Could you explain that a little bit further if possible. Thanks.

[Dees]

This tutorial really helped me understand login / password alot more. ive just been building on what this tutorial shows:http://www.phpeasystep.com/phptu/6.html

That link is very helpful for creating a password with users and individual passwords, and I hope to eventually work that into my site but for now I am just trying to create a single password for the entire site with no username and not having to go through a SQL database. Thanks anyway though.

[justsomeguy]

The redirect works by sending a location header to the browser. You are only allowed to send headers to the browser before you send any HTML, so this code (and any other code that sends headers) needs to be at the top of the page. If you send the <html> tags or anything else, you will not be allowed to send headers after that and the redirect will fail. So make sure that the redirect header gets sent before you output anything else, including HTML or whitespace or whatever.If you want to password-protect multiple pages, you will want to have the password check code on every page. The easiest way to do that is to put the code in an include file, and include that file on any page that you want protected. The code above will check the password on one page (the login page), but if they log in and then click on a link it won't find the password. To keep the password with the user, you will need to store the password in the session. In this case, since the session needs to use a cookie, you will want to use a meta redirect instead of the location header like above. So, the code on the login page to check if they typed in the right password would look like this:

<?phpsession_start(); // start the session$password = $_POST['password'];if ($password == "the correct password"){  $_SESSION['password'] = $password;  //save the password in the session  session_write_close();  echo "<html>";  echo "<head><title>Login successful</title>";  echo "<meta http-equiv=\"refresh\" content=\"1;url=user_menu.php\" />";  //redirect after 1 second; change the URL to point to your page  echo "</head><body>";  echo "<div style=\"text-align: center;\">You are now being redirected</div>";  echo "</body></html>";  exit();  //stop the script}else  header("Location: badjob.php"); //login failed?>

That code will check the password, store it in the session if it's good, and output the HTML to do the redirect. The reason we need to output HTML instead of sending a header is because we started the session. When you start the session, the server sends a cookie to the browser. Some browsers will see the location header like we were using and ignore the cookie, so that when you redirect the session will not be set. Outputting HTML and using a meta redirect will make sure the browser gets the cookie fine.This is the code that you can include on any other page to protect it:

<?phpsession_start();if (!isset($_SESSION['password']) || $_SESSION['password'] != "the correct password"){  header("Location: not_logged_in.php");  exit();}?>

This is how you include that code on another page:

<?phpinclude ("protect.php");  //whatever the file name is... rest of the page code?>

The code will redirect the user if they aren't logged in, so you can just include that file on any page and if they aren't logged in they will get sent to the login page.

[Dees]

The redirect works by sending a location header to the browser. You are only allowed to send headers to the browser before you send any HTML, so this code (and any other code that sends headers) needs to be at the top of the page. If you send the <html> tags or anything else, you will not be allowed to send headers after that and the redirect will fail. So make sure that the redirect header gets sent before you output anything else, including HTML or whitespace or whatever.If you want to password-protect multiple pages, you will want to have the password check code on every page. The easiest way to do that is to put the code in an include file, and include that file on any page that you want protected. The code above will check the password on one page (the login page), but if they log in and then click on a link it won't find the password. To keep the password with the user, you will need to store the password in the session. In this case, since the session needs to use a cookie, you will want to use a meta redirect instead of the location header like above. So, the code on the login page to check if they typed in the right password would look like this:

<?phpsession_start(); // start the session$password = $_POST['password'];if ($password == "the correct password"){  $_SESSION['password'] = $password;  //save the password in the session  session_write_close();  echo "<html>";  echo "<head><title>Login successful</title>";  echo "<meta http-equiv=\"refresh\" content=\"1;url=user_menu.php\" />";  //redirect after 1 second; change the URL to point to your page  echo "</head><body>";  echo "<div style=\"text-align: center;\">You are now being redirected</div>";  echo "</body></html>";  exit();  //stop the script}else  header("Location: badjob.php"); //login failed?>

That code will check the password, store it in the session if it's good, and output the HTML to do the redirect. The reason we need to output HTML instead of sending a header is because we started the session. When you start the session, the server sends a cookie to the browser. Some browsers will see the location header like we were using and ignore the cookie, so that when you redirect the session will not be set. Outputting HTML and using a meta redirect will make sure the browser gets the cookie fine.This is the code that you can include on any other page to protect it:

<?phpsession_start();if (!isset($_SESSION['password']) || $_SESSION['password'] != "the correct password"){  header("Location: not_logged_in.php");  exit();}?>

This is how you include that code on another page:

<?phpinclude ("protect.php");  //whatever the file name is... rest of the page code?>

The code will redirect the user if they aren't logged in, so you can just include that file on any page and if they aren't logged in they will get sent to the login page.

Thank you very much. That response was very extensive and helpful. I was just wondering where do you put that code if it has to come before the header. In the <head>? Also where did you become so knowledged on PHP because if it was a book I would love to know the title. Thanks.

[justsomeguy]

Any code that sends headers needs to go before all HTML. The page would be set up like this:

<?php// all the php code, redirects or whatever?><html>...</html>

I have a degree in computer science and I've got a fair amount of experience using PHP, so that's probably where most of it comes from. If you want a good book, I would recommend this one:http://www.oreilly.com/catalog/progphp2/

[Dees]

My question was just that I was wondering if it went in the <head> or before it/after it? Thanks again.

[smiles]

<?php...?><head></head><html></html>

I use it for easy looking

[justsomeguy]

I don't know what you mean, but that code is not valid in anything.