
PHP Page password protected


BlowYourMind


Hi everyone! I'm trying to get one of my pages password protected: it's a page where I upload my new photos for my portfolio. So to prevent anyone deleting or adding photos, I want to password protect this page. I've followed a tutorial online (I think it's this one: http://www.wysiwygwebbuilder.com/password_protect.html) and my page IS protected by password and username, but when I try to delete a photo, or add one, I get an error that my password and username are incorrect. This is the site on which I'm working: http://imandra.woelmuis.nl/ (It has only one page for normal viewers, containing all the content, shown by jQuery.) With the settings icon at the top right you can log on, and that's working properly. The page to which you are sent when logging on:

```php
<?php
if ($_POST["usern"] != "admin") {
    echo "Gebruikersnaam verkeerd ingevoerd!<br>";
}
if ($_POST["pass"] != "admin") {
    echo "Wachtwoord verkeerd ingevoerd!";
} else { ?>
<?php
if (isset($_GET['delete'])) {
    unlink($_GET['delete']);
    header('location:' . $_SERVER['PHP_SELF']);
    die;
}
include 'fotocat.php';
ini_set("display_errors", "1");
error_reporting(E_ALL);
if (isset($_POST['upload_submit'])) // upload_submit is the submit button, so this check could be done differently; this code could also live on another page if you don't want to post to the page itself
{
    include 'core/class/image.php'; // class with a number of image resize functions; note that it is not great, but it may be useful / usable / editable
    $dir = 'uploads/foto/' . $_POST['cat'] . '/'; // change this to whatever you want; \\ for Windows, / for other systems with folders; don't forget the trailing slash
    if (!is_dir($dir))
        mkdir($dir);
    // the image is shrunk so that the narrowest side (x or y) is 50 px wide or high, then the excess is cut off the long side so that 50x50 remains
    $thumbX = 50; // thumb width
    $thumbY = 50; // thumb height
    // these are the limits for the uploaded image: say you have an image of 1200x600, it becomes 800x400 after upload, and 1024x768 simply becomes 800x600
    // freely configurable, of course.
    $imgX = 800; // image is resized to at most 800 wide
    $imgY = 800; // image is resized to at most 800 high
    foreach ($_FILES as $img) {
        if (!empty($img['name'])) // a file has been uploaded, so a name is available
        {
            $randomname = date('dmy') . rand(1, 9999); // timestamp as name
            $oldname = $img['name'];
            $ext = File::getExtension($oldname);
            // first upload the whole file
            $upload = File::upload($img['tmp_name'], $dir . $randomname . '.' . $ext);
            // resize to a sensible size
            $image = Image::resize($dir . $randomname . '.' . $ext, $randomname . '.' . $ext, $dir, array(
                array('width' => $imgX, 'height' => $imgY)
            ));
            // make the thumbnail
            $thumb = Image::cropImage($dir . $randomname . '.' . $ext, $thumbX, $thumbY);
            if (File::getExtension($oldname) == 'png')
                imagepng($thumb, $dir . $randomname . '_thumb.' . File::getExtension($oldname));
            elseif (File::getExtension($oldname) == 'jpg' || File::getExtension($oldname) == 'jpeg')
                imagejpeg($thumb, $dir . $randomname . '_thumb.' . File::getExtension($oldname));
            imagedestroy($thumb);
        }
    }
    header('location:' . $_SERVER['PHP_SELF']);
    die; // it is advisable to force a page refresh (otherwise pressing F5 uploads the same photo again)
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <link rel="stylesheet" type="text/css" href="style1.css">
        <script type="text/javascript" src="lib/js/jquery.js"></script>
        <script type="text/javascript">
        </script>
    </head>
    <body>
    <div>
        <div id="uploadzooi">
            <form enctype="multipart/form-data" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
                <p class="titel">Categorie: </p><select name="cat">
                    <?php
                        foreach ($fotocat as $key => $value) {
                            print '<option value="' . str_replace(' ', '_', $key) . '">' . $key . '</option>';
                        }
                    ?>
                </select><br /><br />
                Bestand:<br /><input type="file" name="img" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img2" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img3" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img4" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img5" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img6" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img7" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img8" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img9" style="width:100px"/><br /><br />
                Bestand:<br /><input type="file" name="img0" style="width:100px"/><br /><br />
                <input type="submit" value="Upload" name="upload_submit" />
            </form>
        </div>

        <div class="lijsten">
            <ul>
            <?php
                echo '<p class="titel">Paarden</p>';
                printFotos('PAARDEN', true);
            ?>
            </ul>
        </div>

        <div class="lijsten">
            <ul>
            <?php
                echo '<p class="titel">Honden</p>';
                printFotos('HONDEN', true);
            ?>
            </ul>
        </div>

        <div class="lijsten">
            <ul>
            <?php
                echo '<p class="titel">Mensen</p>';
                printFotos('MENSEN', true);
            ?>
            </ul>
        </div>

        <div class="lijsten">
            <ul>
            <?php
                echo '<p class="titel">Eigen werk</p>';
                printFotos('EIGEN WERK', true);
            ?>
            </ul>
        </div>

        <div class="einde"></div>
    </div>
    </body>
</html>
<?php } ?>
```

I'm a beginner regarding PHP: a friend of mine made the upload script. So when you have a solution, please explain in very, very simple words, haha ;) Thanks in advance!

fotocat.php

index.php

pass.php

core.zip

script.js.zip


Where is the $_POST['pass'] coming from? I can't see any field for that, or for the user name, in your form.

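The point above is the cause of the original problem: the credentials arrive only with the login form on index.php, while the upload form and the delete link post to pass.php without any usern/pass fields, so the check fails on every request after the first. One common remedy, shown here as an added example that is not the thread's own code, is to verify the credentials once and remember the result in a PHP session; every later request is then checked against the session instead of against form fields. The names credentialsValid, isLoggedIn, requireLogin and the session key auth_user are assumptions, and the password hash is computed inline only to keep the example self-contained (in practice it would be generated once and stored outside the web root).

```php
<?php
// Added example, not the thread's code: session-based login for pass.php.
session_start();

// Assumption: the expected user name and a password hash, rather than a
// literal compared on every request. Demo only: generate the hash once with
// password_hash() and store it; never keep the plain password in the script.
const ADMIN_USER = 'admin';
$adminHash = password_hash('admin', PASSWORD_DEFAULT);

// Both halves must be correct (the && check suggested later in the thread).
// hash_equals()/password_verify() compare in constant time, so the response
// does not reveal which half was wrong.
function credentialsValid(string $user, string $pass, string $expectedUser, string $expectedHash): bool
{
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $expectedHash);
    return $userOk && $passOk;
}

function isLoggedIn(): bool
{
    return !empty($_SESSION['auth_user']);
}

// Stops the script unless the session says the user logged in earlier.
function requireLogin(): void
{
    if (!isLoggedIn()) {
        http_response_code(403);
        echo 'Gebruikersnaam en/of wachtwoord verkeerd ingevoerd!';
        exit;
    }
}

// 1. The login form from index.php posts the fields "usern" and "pass".
if (isset($_POST['usern'], $_POST['pass'])) {
    if (credentialsValid($_POST['usern'], $_POST['pass'], ADMIN_USER, $adminHash)) {
        session_regenerate_id(true);      // new session id after login (prevents session fixation)
        $_SESSION['auth_user'] = ADMIN_USER;
    }
    // Redirect so a refresh does not resubmit the credentials.
    header('Location: ' . $_SERVER['PHP_SELF']);
    exit;
}

// 2. Every other request to this page (the upload form posting
//    upload_submit/cat, the ?delete=... link) is checked against the session,
//    so those forms no longer need usern/pass fields of their own.
requireLogin();

// ... the upload and delete handling from the page follows here ...
```

The login form in index.php can stay exactly as posted in this thread; only pass.php changes, and the `else { ?> ... <?php } ?>` wrapper around the whole page body is no longer needed because requireLogin() exits before any of it is reached.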

Also, you have some problems in this code. You are not validating any of the user input from $_POST. You must validate any kind of user input. Some examples... here:

```php
$dir = 'uploads/foto/' . $_POST['cat'] . '/';
```

If the user passes some/another/different/folder, it will be created in that sub-directory. Also check your password/username condition checking. What if the user passes an invalid user name but the correct password? Can you see it? You should use something like:

```php
if ($username == 'admin' && $password == 'pass') {
    // show reserved data
}
```

Edited by birbal

Thanks, when I filled in the correct pw but an incorrect username, it still directed to the password-protected page, so you were right :P I've changed the password and username check to this:

```php
<?php
if ($_POST["usern"] != "admin" or $_POST["pass"] != "admin") {
    echo "Gebruikersnaam en/of wachtwoord verkeerd ingevoerd!<br>";
} else { ?>
```

Now it only directs to the protected page when the username and password are correct (: Also, logging on is done on the index.php page:

```html
<div id="logon" align="left" style="float:left;">
    <form action="pass.php" method="post" id="inlogding">
        Gebruikersnaam: <input name="usern" type="text" value="" size="9"><br />
        Wachtwoord:   <input name="pass" type="password" value="" size="9" style="margin-left:1px;"><br />
        <input type="submit" value="Log in">
    </form>
</div>
```

And about validating: did you mean I should put `$dir = 'uploads/foto/'.$_POST['cat'].'/'` in my code? Because that line is already there...

Edited by BlowYourMind

Validating means you have to check that the data you want to pass really is what you expect. As you are specifying a directory name, think about what should be in a directory name. Directory names are mostly alphanumeric characters, so you will check for that. A directory name can also have other characters, like underscores, but if you don't need them, just validate for alphanumeric. Just give as little access as possible to get the job done. http://php.net/ctype_alnum

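The two validation points raised in this thread, the `$dir` built from `$_POST['cat']` and the ctype_alnum advice just above, can be put together as shown here. This is an added example, not code from the thread or the site: it applies the character allow-list with ctype_alnum (underscores tolerated because the page's form turns the space in "EIGEN WERK" into one) and then, following the "as little access as possible" advice, also requires the value to be one of the categories the site defines. The same treatment is applied to the page's delete handler, which passes `$_GET['delete']` straight to unlink() and so is the same kind of unvalidated input. The names categoryDir, deleteTarget and UPLOAD_ROOT are assumptions, as is the shape of `$fotocat` (an array keyed by category name, which is how the page's form iterates it); how printFotos() in fotocat.php builds the delete link is not shown on the page, so deleteTarget takes the category and bare file name as separate parameters.

```php
<?php
// Added example, not the thread's code: allow-list validation for the
// upload category and for the file that may be deleted.

const UPLOAD_ROOT = 'uploads/foto';

// Returns the directory for a submitted category, or null if it is rejected.
function categoryDir(string $cat, array $fotocat): ?string
{
    // 1. Character allow-list: letters, digits and underscore only (the form
    //    replaces spaces with underscores). "..", "/" and "\" never pass.
    if ($cat === '' || !ctype_alnum(str_replace('_', '', $cat))) {
        return null;
    }
    // 2. Value allow-list: it must be a category the site actually defines,
    //    in the same form the <select> submits it.
    $known = array_map(function ($key) {
        return str_replace(' ', '_', $key);
    }, array_keys($fotocat));
    if (!in_array($cat, $known, true)) {
        return null;
    }
    return UPLOAD_ROOT . '/' . $cat . '/';
}

// Returns the absolute path of a file that may be deleted, or null.
// Only a bare file name (no path parts) inside a valid category directory
// is accepted, and the resolved path is checked to still be inside it.
function deleteTarget(string $cat, string $file, array $fotocat): ?string
{
    $dir = categoryDir($cat, $fotocat);
    if ($dir === null || $file === '' || $file !== basename($file) || $file[0] === '.') {
        return null;
    }
    $root = realpath($dir);
    $path = realpath($dir . $file);
    // realpath() resolves symlinks and "..", so compare the real locations.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage in the upload handler, replacing $dir = 'uploads/foto/'.$_POST['cat'].'/':
//   $dir = categoryDir($_POST['cat'] ?? '', $fotocat);
//   if ($dir === null) { http_response_code(400); exit('Ongeldige categorie'); }
//   if (!is_dir($dir)) { mkdir($dir, 0755, true); }
//
// Usage in the delete handler, replacing unlink($_GET['delete']):
//   $target = deleteTarget($_GET['cat'] ?? '', $_GET['delete'] ?? '', $fotocat);
//   if ($target === null) { http_response_code(400); exit('Ongeldig bestand'); }
//   unlink($target);

// Constructed category list mirroring the page's four categories, for trying
// the functions out: the first two calls return a directory, the last two null.
$demoCats = ['PAARDEN' => [], 'HONDEN' => [], 'MENSEN' => [], 'EIGEN WERK' => []];
var_dump(categoryDir('PAARDEN', $demoCats));
var_dump(categoryDir('EIGEN_WERK', $demoCats));
var_dump(categoryDir('../../etc', $demoCats));
var_dump(categoryDir('KATTEN', $demoCats));
```

The second allow-list is what makes the check cheap to reason about: even if a future change loosened the character rule, a value that is not one of the known categories can never create or touch a directory outside uploads/foto. The delete check should also be combined with the session login from the earlier reply, since an unauthenticated GET to the delete URL is the other half of the original problem.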
