Now, somewhere on the first page I mentioned encryption.  PHP has some handy MD5 methods built into it, so we can very easily make use of those to convert the password entered by the visitor before it’s compared with the stored password.

MD5 is a one-way hashing algorithm, which means that the password can be encrypted in only one way – from plain text to encrypted text.  It is impossible to go the other way.  This doesn’t make it impossible to break. It's susceptible to brute force or dictionary attacks and substantial time periods, but it’s still pretty secure.  Add the following line after the $password declaration:

$md5password = (md5($password));

This saves an encrypted version of what is entered into the text field in the variable $md5password.  Now you need to modify your if statement so that it compares the stored password to the new encrypted password:

if (empty ($password))
    {
      die ("No password entered");
    }
  elseif ($md5password != $storedpass)
    {
      die ("Password Incorrect");
    }
  else
    {
      header("Location: securepage.htm");
    }

As you can see, we have only changed the variable in the elseif part of the statement.  This is because even an empty input variable hashes to a 32 digit value, so the $md5variable is never going to be empty, even if the submit button is clicked before any text has been entered into the input field.

All you need to do now is find out the hash is of the password you intend to store in the pass.txt file.  To achieve this, you can comment out the entire if statement and add an echo statement that displays the encrypted password on screen.  You can then copy the encrypted string and save it in the password file.  You must remember to uncomment the if statement and remove the echo call before using the script, however.

As far as the bare-bones script goes, that is pretty much it.  As far as the test files go, its pretty basic, but the HTML page can easily be incorporated into an existing page; you could stick it in a box and style it to match the rest of your homepage to improve that aspect of it, and you could probably include a timing function that waits for a set period of time before redirecting the visitor to the secure page, while displaying a message that the password was correct.  You could also include a similar set of functions for reloading the initial page after displaying the appropriate error message for a brief period without too much difficulty.

You can use the script to restrict access to specific pages within your site's structure. It doesn’t offer the security of the username/password authentication methods afforded by a database, and it means that you have to give the password to whoever you want to access the secure pages, but it offers a simple layer of security with a minimum amount of time and code.