Home arrow PHP arrow Page 7 - Building A Quick-And-Dirty Guestbook With patGuestbook (part 2)

Locking It Down - PHP

In this concluding article of our two-part series on rapid guestbook implementation with patGuestbook, find out how to tweak patGuestbook a litle more by controlling the viewable entries, customizing the user interface, and protecting access to the administration module.

  1. Building A Quick-And-Dirty Guestbook With patGuestbook (part 2)
  2. Adopting A Moderate Approach
  3. If Looks Could Kill...
  4. Bringing In The Database
  5. A Well-Formed Plan
  6. When Things Go Wrong
  7. Locking It Down
  8. Over And Out
By: Harish Kamath, (c) Melonfire
Rating: starstarstarstarstar / 76
March 11, 2003

print this article


If there is one drawback to the patGuestbook application, it is the lack of security for the administration module. By default, patGuestbook leaves the entire administration section totally unprotected and open to malicious attacks. If you're using the Apache Web server (you probably are), you can access the server's authentication features to add basic security to this section.

In order to illustrate how this works, let's consider a simple example. Let's assume the existence of the following directory structure:

/usr/local/apache/htdocs/patGuestbook/ example.php /admin/ guestbook.php
Now, let's suppose that I want to protect the directory "admin". It's fairly simple to do with HTTP authentication.

The first step is to ensure that your Apache build includes support for the "mod_auth" module. You can check this by executing the Apache binary with the "-l" command-line option.

$ /usr/local/apache/bin/httpd -l Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_setenvif.c mod_php4.c
If you don't see "mod_auth" in the list, you'll need to recompile Apache with support for that module.

Next, check Apache's configuration file, "httpd.conf", and ensure that the option

AllowOverride All
is present in the section for the server document root. This allows you to override global server settings via per-directory ".htaccess" control files.

Next, create a file named ".htaccess" in the "admin" directory, and put the following lines into it:

AuthType Basic AuthUserFile /usr/local/apache/users AuthName "patGuestbook Administration Module" Require valid-user
This tells the server that access to the "admin" directory (the directory in which the ".htaccess" file is located) is to be controlled, and access is to be granted to users based on the username/password information in the file "/usr/local/apache/users"

The final step is to create the "users" file. Change to the "/usr/local/apache" directory (or whichever directory you've decided to store the user data in) and use the "htpasswd" command:

$ htpasswd -c users john New password: **** Re-type new password: **** Adding password for user john
You can add more users to this file if you like (remember to omit the "-c" parameter for all subsequent additions, as that parameter creates a brand-new, empty file).

Remember *not* to store the "users" file in a directory under the server document root, or else malicious users will be able to view and download the password database through a browser.

Now, attempt to access the "admin" directory via your Web browser. The browser should pop up a dialog box and prompt you for a username and password. Access to the "admin" directory will be granted only if you enter a correct username and password, as defined in the "users" file.

Note that this is very primitive authentication, and can substantially add to the load on your Web server if it involves a large number of users. For a more comprehensive solution, take a look at User Authentication with patUser

>>> More PHP Articles          >>> More By Harish Kamath, (c) Melonfire

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Hackers Compromise PHP Sites to Launch Attac...
- Red Hat, Zend Form OpenShift PaaS Alliance
- PHP IDE News
- BCD, Zend Extend PHP Partnership
- PHP FAQ Highlight
- PHP Creator Didn't Set Out to Create a Langu...
- PHP Trends Revealed in Zend Study
- PHP: Best Methods for Running Scheduled Jobs
- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...

Developer Shed Affiliates


Dev Shed Tutorial Topics: