HomePHP Page 7 - Building A Quick-And-Dirty Guestbook With patGuestbook (part 2)
Locking It Down - PHP
In this concluding article of our two-part series on rapid guestbook implementation with patGuestbook, find out how to tweak patGuestbook a litle more by controlling the viewable entries, customizing the user interface, and protecting access to the administration module.
If there is one drawback to the patGuestbook application, it is the lack of security for the administration module. By default, patGuestbook leaves the entire administration section totally unprotected and open to malicious attacks. If you're using the Apache Web server (you probably are), you can access the server's authentication features to add basic security to this section.
In order to illustrate how this works, let's consider a simple example. Let's assume the existence of the following directory structure:
This tells the server that access to the "admin" directory (the directory in
which the ".htaccess" file is located) is to be controlled, and access is to be granted to users based on the username/password information in the file "/usr/local/apache/users"
The final step is to create the "users" file. Change to the "/usr/local/apache" directory (or whichever directory you've decided to store the user data in) and use the "htpasswd" command:
$ htpasswd -c users john
New password: ****
Re-type new password: ****
password for user john
You can add more users to this file if you like (remember to omit the "-c" parameter
for all subsequent additions, as that parameter creates a brand-new, empty file).
Remember *not* to store the "users" file in a directory under the server document root, or else malicious users will be able to view and download the password database through a browser.
Now, attempt to access the "admin" directory via your Web browser. The browser should pop up a dialog box and prompt you for a username and password. Access to the "admin" directory will be granted only if you enter a correct username and password, as defined in the "users" file.
Note that this is very primitive authentication, and can substantially add to the load on your Web server if it involves a large number of users. For a more comprehensive solution, take a look at User Authentication with patUser