Protecting a site with the help of sessions.

In this article I will describe how to create a small but effective authorization script that will not let uninvited persons poke their long noses into your site. This example does not claim to be an ideal method of protection, but bypassing it is nevertheless fairly difficult (I, at least, do not know how to do it). Let us imagine the following: you have a closed site and you do not want any bad persons to get in. Sessions will help us with this. We will store the passwords and logins in a MySQL table.


On the first page (index.php) we make the form for data input:



<form method="post" action="index2.php">
<table align="center" cellspacing="2" cellpadding="2" border="0" width="320">
<tr>
    <td width="100">Name:</td>
    <td width="200"><input type="text" name="name"></td>
</tr>
<tr>
    <td width="100">Password:</td>
    <td width="200"><input type="password" name="pass"></td>
</tr>
<tr>
    <td colspan="2" width="300">
    <center>
    <input type="submit" value="Enter"> <input type="reset" value="Reset">
    </center>
    </td>
</tr>
</table>
</form>


I think nothing needs explaining here. Let's move on. First, a brief explanation. We create a user-checking function, check (). We have a table my_site containing the fields id, name and pass, where name and pass are the user's login and password respectively. The function lets through only those who have entered a correct login and password in the login form ($name, $pass); these variables are then saved in the session, so while the session is alive the user can come to your site without authorizing again. Even if he enters another correct login and password, he will be authorized under the login entered earlier.


It is assumed that the connection to MySQL has already been made and a database has been selected.



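<?php
// Written for PHP 4-era settings: it relies on register_globals (form fields
// and session variables appear as the globals $name and $pass), on
// session_register () (removed in PHP 5.4) and on the mysql_* functions
// (removed in PHP 7.0).
function check ()
{
    // Without this line $name and $pass would be empty local variables.
    global $name, $pass;
    if (empty ($pass) || empty ($name))
        error ("The login or the password is not specified");
    // Escape the login before it is placed into the query text.
    $sql = "select pass from my_site where login = '" . mysql_real_escape_string ($name) . "'";
    if ($show = mysql_query ($sql))
    {
        $a = mysql_fetch_array ($show);
        // Strict comparison: with != two different numeric-looking strings can compare as equal.
        if ($a ['pass'] !== $pass)
            error ("Incorrect login/password combination");
        else
            session_register ("name", "pass");
    }
    else
        error ("Database query error");
}
?>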


Let's go through the code, starting with the first check.

if (empty ($pass) || empty ($name))

We check whether the password and the login are set. If one of the fields is empty,

error ("The login or the password is not specified");

Here error is any function that outputs an error message.

In the next article I will cover this subject in detail (displaying an error, writing it to a log, sending an error report, etc.); for now we can make do with a simple function:



<?php
// Prints the error message and stops the script.
function error ($er)
{
    echo $er;
    exit (0);
}
?>


If the fields are not empty, the script continues.

$sql = "select pass from my_site where login = '" . mysql_real_escape_string ($name) . "'";

We write a query to MySQL that will return the value of the pass field of the row where login = $name. The login is escaped first, so that a quote character in it cannot change the query.

if ($show = mysql_query ($sql))

If the query is processed without errors,

$a = mysql_fetch_array ($show);

we assign to the variable $a (an associative array) the value of the pass field.

if ($a ['pass'] !== $pass)
    error ("Incorrect login/password combination");

If the pass field does not match what the user has entered, or what is stored in the session, we again show him an error through the error function.

else
    session_register ("name", "pass");

Otherwise we write the variables $name and $pass into the session and continue to execute the script.

}
else
    error ("Database query error");
}
?>

If there is an error in the MySQL query, we likewise show an error to the user.



So, at the beginning of each page to which strangers must be denied access, we write:



<?php
session_start ();
// This function starts a session or continues the current one. It must be
// called at the very beginning of the page, before the page headers are sent.
check ();
// Our checking function.
?>


Now let's check the logic of the script. If a person leaves one of the fields empty and presses the "Enter" button, then on going to the page index2.php he will get the message "Error: The login or the password is not specified".


If he enters an incorrect login or password, he gets the message "Error: Incorrect login/password combination".


If he enters everything correctly, he gets to the page index2.php, where you keep your secrets. Because the login and the password are written into the session, the user can wander around your secret site after authorizing only once.


Possible problems:


It is impossible to log in to the site under different names.

Once a person has logged in to the site from a computer, the site can be visited from that computer for some time (while the session is alive), which is not so good if you work from an Internet café.

Solutions to these problems will be described in following articles. The following topics will also be covered: a system for detecting attacks and password-guessing attempts, with a report sent by mail, and an error-output function that writes to a log file.
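
A version of check () for current PHP, given here as an added example that is not the article's own code: it uses a bound query parameter, compares against a stored password hash, keeps only the login in the session, lets newly submitted credentials replace the earlier login, and expires an idle session (the two problems listed above). It assumes PHP 7.4 or later with pdo_sqlite; make_db (), IDLE_LIMIT, the 'seen' session key and the user alice are constructed for the illustration.

```php
<?php
// Added example, not the article's code; table contents and IDLE_LIMIT are constructed.
const IDLE_LIMIT = 900; // idle timeout in seconds (assumed value)

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE my_site (id INTEGER PRIMARY KEY, login TEXT UNIQUE, pass TEXT)');
    // Store a salted hash, never the password itself.
    $db->prepare('INSERT INTO my_site (login, pass) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the authenticated login, or null if the visitor must log in.
function check(PDO $db, array $post, array &$session, int $now): ?string
{
    $name = $post['name'] ?? '';
    $pass = $post['pass'] ?? '';
    if (is_string($name) && is_string($pass) && $name !== '' && $pass !== '') {
        // Submitted credentials take priority, so another user can log in.
        $st = $db->prepare('SELECT pass FROM my_site WHERE login = ?');
        $st->execute([$name]); // bound parameter: quotes in $name stay data
        $hash = $st->fetchColumn();
        if (!is_string($hash) || !password_verify($pass, $hash)) {
            $session = [];
            return null;
        }
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true); // fresh session id after login
        }
        $session = ['name' => $name, 'seen' => $now]; // no password kept
        return $name;
    }
    // No complete form data: fall back to the session, if it is still fresh.
    if (isset($session['name'], $session['seen']) && $now - $session['seen'] <= IDLE_LIMIT) {
        $session['seen'] = $now;
        return $session['name'];
    }
    $session = [];
    return null;
}

$db = make_db();
$sess = []; // stands in for $_SESSION when run from the command line
var_dump(check($db, ['name' => "o'brien", 'pass' => 'x'], $sess, 1000));
var_dump(check($db, ['name' => 'alice', 'pass' => 'correct horse'], $sess, 1000));
var_dump(check($db, [], $sess, 1300));
var_dump(check($db, [], $sess, 1300 + IDLE_LIMIT + 1));
```

On a real page the call would be check ($db, $_POST, $_SESSION, time ()) after session_start (), with a null result sending the visitor back to the form.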