Access only via login and password, Inhibiting direct access via url


Viewed 10,359 times

1

I made an access login system, but I would like the user to be obliged to access it with the login and password, inhibiting direct access via url.

Anyone can access the page via URL by entering the address. I would like to inhibit this type of access, so that the user could only access the page via login and password!

I will be adding the codes created below:

Login Code:

<?php 
session_start();
$_SESSION['logado'] = 1;
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><?php include "../conexao.php"; ?>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Painel Adm. - Login</title>
<link href='http://fonts.googleapis.com/css?family=Oswald:400,300,700' rel='stylesheet' type='text/css' />
<link rel="stylesheet" type="text/css" href="css_login/style.css" />
</head>

<body>
<?php
$logotipo = $_POST['logotipo']; 

$query = mysql_query("SELECT * FROM topo");
$res = mysql_fetch_array($query);
?>

<div id="logo" class="form bradius">
<div align="center" class="logo"><img src="../upload/<?php echo $res['logotipo'] ;?>" width="auto" height="58" /></div>
<div class="acomodar">
<form name="enter" method="post" action="" enctype="multipart/form-data">
<label for="login">Login: </label><input id="login" type="text" class="txt bradius" name="login" value="" />
<label for="senha">Senha: </label><input  id="senha" type="password" class="txt bradius" name="senha" value="" />
<input type="submit" class="sb bradius" name="enter" value="Entrar" />
</form>
<?php
if(isset($_POST['enter'])){

$login = $_POST['login'];
$senha = $_POST['senha'];

$query = mysql_query("SELECT * FROM usuario WHERE login = '$login' AND senha = '$senha'");
$conta = mysql_num_rows($query);

if($conta == '0'){
echo "<script language='javascript'>window.alert('Usuario e senha nao corresponde!');</script>";
}else{

while($res = mysql_fetch_array($query)){
$id = $res ['id'];
$nome = $res ['nome'];
$login = $res ['login'];
$senha = $res ['senha'];
$nivel = $res ['nivel'];

if($nivel == 'admin'){
echo "<script language='javascript'>window.location='http://www.buziosnegocios.com.br/admin/painel/index.php?login=$login&senha=$senha';</script>";
}else{
echo "<script language='javascript'>window.alert('Erro ao acessar seu Painel Admin.!');</script>";
}}}}
?>

<!--acomodar-->
</div>
<!--login-->
</div>
</body>
</html>

Page to be inhibited to direct access via URL:

<?php
session_start();
if (!isset($_SESSION['logado']) || $_SESSION['logado'] !== 1){
header("Location: http://www.buziosnegocios.com.br/admin/index.php");   
} else { 
$username = $_SESSION['user'];
$idusername = $_SESSION['iduser'];
session_destroy();
exit;
}
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Page</title>
<meta name="generator" content="WYSIWYG Web Builder 10 - http://www.wysiwygwebbuilder.com">
<link href="#.css" rel="stylesheet" type="text/css">
</head>
<body style="
background-color: #FFF;
color: #000000;
font-family: Arial;
font-size: 13px;
margin: 0;
text-align: center;">

<div id="container" style="
background-color: #FF6;
width: 1000px;
position: relative;
margin: 0 auto 0 auto;
text-align: left;">

<br>
Menu
<br>

</div>
</body>
</html>

If friends can help me inhibit direct access via URL, I would be very grateful.

A hug to all for the attention.

  • Study SQL injection and PDO; as for the session, it is pure logic. Look for examples on YouTube... An example of an SQL injection flaw in your system is ... Put this in the user field -> admin' OR 1=1#

  • Then enter any password and you will have access to the system.

  • To inhibit access as you asked, put a die below the Location header.

3 answers

2


If you start the session at login by setting $_SESSION['logado'] = 1, it is enough to put a function in a file funcoes.php that your pages include, for example:


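// session_start() must already have been called before this check
function validaAcesso($usuario){
   if(empty($usuario)):
      header("Location: http://www.buziosnegocios.com.br/admin/index.php");
      exit; // stop here, otherwise the rest of the page is still sent after the redirect header
   endif;
}

validaAcesso($_SESSION['logado']);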

If the session is empty, the user has not logged in through the panel, so redirect them.

You can apply the same idea to the disconnect button of the panel:


function desconectar(){
    session_unset(); // clear the session variables
    header("Location: http://www.buziosnegocios.com.br/admin/index.php");
    exit; // nothing else should run after the redirect
}

When clicked, it removes the session and returns to the login. Of course there are n ways to do it, but this gives you a good idea of how to proceed.
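A fuller version of the guard and logout functions described in this answer, added here as an example and not part of the original answer. `validaAcesso` and `desconectar` keep the answer's names; `iniciarSessao`, `registrarLogin`, `LOGIN_URL` and the session keys `user_id` and `nivel` are assumptions.

```php
<?php
// funcoes.php (added example). Include it at the very top of every page,
// before any HTML or whitespace, so header() and the session cookie can still be sent.
// Restricted pages then start with:  require 'funcoes.php'; validaAcesso();
const LOGIN_URL = '/admin/index.php';   // assumption: path of the login form

function iniciarSessao(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
}

// Call only after the login and password were verified against the database.
function registrarLogin(int $id, string $nivel): void
{
    iniciarSessao();
    session_regenerate_id(true);    // new session id after login (prevents fixation)
    $_SESSION['user_id'] = $id;     // store who is logged in, never the password
    $_SESSION['nivel']   = $nivel;
}

// Guard for restricted pages: redirect AND stop, or the page body is still sent.
function validaAcesso(string $nivelExigido = 'admin'): void
{
    iniciarSessao();
    if (empty($_SESSION['user_id']) || ($_SESSION['nivel'] ?? '') !== $nivelExigido) {
        header('Location: ' . LOGIN_URL);
        exit;
    }
}

function desconectar(): void
{
    iniciarSessao();
    $_SESSION = [];                          // drop the session data
    if (ini_get('session.use_cookies')) {    // expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . LOGIN_URL);
    exit;
}
```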

0

Hello friends I am answering my own question, because I managed to solve with the help of a Youtube tutorial https://www.youtube.com/watch?v=-yUMdFWrPJc (That I would like to share with friends), with some adaptations to my project, and I will publish below the codes that I created to make it work.

Page of Login:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><?php include "../conexao.php"; ?>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Painel Adm. - Login</title>
<link href='http://fonts.googleapis.com/css?family=Oswald:400,300,700' rel='stylesheet' type='text/css' />
<link rel="stylesheet" type="text/css" href="css_login/style.css" />
</head>

<body>
<?php
$logotipo = $_POST['logotipo']; 

$query = mysql_query("SELECT * FROM topo");
$res = mysql_fetch_array($query);
?>

<div id="logo" class="form bradius">
<div align="center" class="logo"><img src="../upload/<?php echo  $res['logotipo'] ;?>" width="auto" height="58" /></div>
<div class="acomodar">
<form name="enter" method="post" action="logar.php" enctype="multipart/form-data">
<label for="login">Login: </label><input id="login" type="text" class="txt bradius" name="login" value="" />
<label for="senha">Senha: </label><input  id="senha" type="password" class="txt bradius" name="senha" value="" />
<input type="submit" class="sb bradius" name="enter" value="Entrar" />
</form>
<!--acomodar-->
</div>
<!--login-->
</div>
</body>
</html>

Page logar.php:

<?php 
session_start();
?>
<?php include "../conexao.php"; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Logando Usuário</title>
<script type="text/javascript">
function logado(){
setTimeout("window.location='painel/index.php'", 5000); 
}

function deslogado(){
setTimeout("window.location='index.php'", 5000);    
}
</script>
</head>
<body>
<?php 
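// Escape the submitted values before they are placed in the SQL string
$login = mysql_real_escape_string($_POST["login"]);
$senha = mysql_real_escape_string($_POST["senha"]);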
$sql = mysql_query("SELECT * FROM usuario WHERE login = '$login' and senha = '$senha'") or die(mysql_error());
$row = mysql_num_rows($sql);
if ($row > 0){
$_SESSION["login"]=$_POST["login"];
$_SESSION["senha"]=$_POST["senha"];
    echo "<script>logado()</script>";
}else{
    echo "<center>Login ou Senha do usuário inválido! Tente Novamente!</center>";
    echo "<script>deslogado()</script>";
}
?>
</body>
</html>

Page restrito.php:

<?php
session_start();
if(!isset($_SESSION["login"]) || !isset($_SESSION["senha"])){
header("Location: ../index.php");
exit;
}
?>

Page logout.php:

<?php
session_start();
session_destroy();
header("Location: index.php");
?>

Panel access page index.php:

<?php include "../restrito.php"; ?>

<?php include "topo.php"; ?>
<?php include "cont.php"; ?>

A reminder to friends: I included the restrito.php page on every page that I want restricted to users who log in with login and password, with no way to access them directly via URL.

I thank you all for the attention paid to my problem, and I hope this solution I found, which made the restriction on direct access through the URL work, helps others.

Hugs to all.
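A hardened form of the credential check done in logar.php, added here as an example and not part of the original answer: a PDO prepared statement plus password_hash()/password_verify() instead of placing $_POST values in the SQL string. The table and column names follow the page; the in-memory SQLite database, the hashed `senha` column, the sample account and the function name `autenticar` are assumptions so the script runs from the command line.

```php
<?php
// Added example: runs from the CLI against a constructed in-memory database.
// Assumes the pdo_sqlite extension; on the real site the PDO object would
// point at the MySQL database that conexao.php connects to.

function autenticar(PDO $pdo, string $login, string $senha): ?array
{
    // The placeholder keeps $login as data, so quotes in it cannot change the query.
    $stmt = $pdo->prepare('SELECT id, login, senha, nivel FROM usuario WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // senha holds a password_hash() value (assumption), never the plain password.
    if ($row === false || !password_verify($senha, $row['senha'])) {
        return null;
    }
    unset($row['senha']);   // the hash does not leave this function
    return $row;
}

// --- constructed sample data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE usuario (id INTEGER PRIMARY KEY, login TEXT UNIQUE, senha TEXT, nivel TEXT)');
$ins = $pdo->prepare('INSERT INTO usuario (login, senha, nivel) VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);

$tentativas = [
    ['admin', 'correct horse'],       // valid credentials
    ['admin', 'wrong'],               // wrong password
    ["admin' OR 1=1#", 'anything'],   // the input quoted in the comment on the question
];
foreach ($tentativas as [$login, $senha]) {
    $user = autenticar($pdo, $login, $senha);
    printf("%-16s => %s\n", $login, $user ? "ok (id {$user['id']}, nivel {$user['nivel']})" : 'rejected');
}
```

Only the first attempt is accepted; the returned row carries `id` and `nivel`, which is all the session needs to store.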

0

Buddy, it's more or less like this:

Either you write a function that checks whether there is a session with the logged-in user, or you include the verification code on each page that you don't want to be accessed directly.

In the logic, you check whether the user entered in the form is equal to the one in the database, and the password as well. If true, create the session and redirect to the page to be accessed; if false, you destroy the session and redirect to the login page.

I hope I’ve helped.

if($userp == $user && $passp == $pass) {
    $_SESSION['user'] = $userp;
    $_SESSION['pass'] = $passp;
    header('Location: inserir.php');
    exit();
}else{
    unset($_SESSION['user']);
    unset($_SESSION['pass']);
    header('Location: index.php');
    exit();
}

  • If it's false, it means he doesn't have the session, so it's unnecessary to remove it since it doesn't exist.

  • I would destroy the session, since the session is only closed when the browser is closed; other applications may have sessions created with the same name, and if it is not destroyed at some point it may not redirect the page, so this way I am sure that the session is closed. But it is up to our friend whether to destroy the session or not and redirect if the data is false.

  • Hello Igor, good night! I created a file called protecao.php with the code you recommended, and it looks like this: <?php if($userp == $login && $passp == $senha) { $_SESSION['login'] = $userp; $_SESSION['senha'] = $passp; header('Location: http://www.buziosnegocios.com.br/admin/painel/index.php'); exit(); }else{ unset($_SESSION['login']); unset($_SESSION['senha']); header('Location: http://www.buziosnegocios.com.br/admin/index.php'); exit(); } ?>

  • But Igor, I'm getting the following message: Warning: Cannot Modify header information - headers already sent by (output Started at /home/buziosne/public_html/admin/panel/index.php:2) in /home/buziosne/public_html/admin/protecao.php on line 6. This happens whether I log in with login and password or go directly through the URL. The login and access password for testing is: Login - user / Password - 123. I'm very much a layman in PHP; if you can show me where I'm going wrong I'd be grateful. Test access address: (http://www.buziosnegocios.com.br/admin/painel/) Thank you for your attention.

  • Friend, make sure you have logged in, remembering that the session should always be at the top of the page. As you will use the header Location in the middle of the page, you should call ob_start() before session_start();

  • <?php ob_start(); session_start(); $user = 'Igor'; $pass = '123456'; $userp = $_POST['user']; $passp = $_POST['pass']; if($userp == $user && $passp == $pass) { $_SESSION['user'] = $userp; $_SESSION['pass'] = $passp; header('Location: insert.php'); exit(); }else{ unset($_SESSION['user']); unset($_SESSION['pass']); header('Location: index.php'); exit(); } ob_end_flush(); ?>
