Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Javscript - Username check

  • 20-09-2007 6:32pm
    #1
    Registered Users, Registered Users 2 Posts: 3,428 ✭✭✭


    Hi Lads,

    I was just wondering if this was an ok way to check a username and protect a username and password required page?

    What happens if they disable javascript?
    <?php 
    session_start();
    $username=$_SESSION['MM_Username'];		
    
    if ($username=="")	{
     print "<script type=\"text/javascript\">";
     print " self.location='index.php';";
     print "</script>";
     }
     ?>
    


Comments

  • Registered Users, Registered Users 2 Posts: 3,594 ✭✭✭forbairt


    think about it for a second ...

    you're letting the client decide what page they want to go to ...

    what happens if they have javascript turned off ? ...

    It might be an ok solution on some internal page ... where security doesn't matter ... but ... no ... its not a good solution


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    It depends on your definition of protection

    Option 1 - Disable javascript - I get in

    Option 2 - I look at the javascript and get in that way

    If you want a basic password protection use .htaccess

    If you want something more advanced there are plenty of ways of doing it, but in any case doing it client-side is not the solution


  • Registered Users, Registered Users 2 Posts: 14,761 ✭✭✭✭Winters


    GaryCocs wrote:
    Hi Lads,

    I was just wondering if this was an ok way to check a username and protect a username and password required page?

    What happens if they disable javascript?

    If they disable JavaScript then they will generally get a blank page. Something you should look into that would be far easier would be the header function in PHP. See below.

    [php]<?php
    session_start();
    $username=$_SESSION;

    if (empty($username)) {
    header ("Location: index.php");
    }
    ?>
    [/php]

    Much neater, quicker and does not wait for the page and the javascript to load before redirecting.


  • Registered Users, Registered Users 2 Posts: 3,428 ✭✭✭randombar


    Hi Winters,
    Nice one for that, just have to change that code in a few pages, was wondering about that for a while. I wasn't sure if you could disable the javascript on a page before the page loaded!
    The .htaccess? How does that work black knight?
    Thanks


  • Registered Users, Registered Users 2 Posts: 3,594 ✭✭✭forbairt


    I could explain ...

    but I'll point you at ... http://www.javascriptkit.com/howto/htaccess.shtml

    Your hosting provider may also have a handy feature in their cpanel or similar that will allow you to turn on password protection for a directory ...

    It will mean however that you get a nasty Alert box style dialogue asking you to enter username / password


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Remember when you use the php header() function to redirect someone, to call exit() afterwards.

    When you redirect someone with header(), the browser moves off to that page, but the php script continues to execute. So theoretically someone can inject some variables into your script, even if they don't the right username and password.


  • Registered Users, Registered Users 2 Posts: 3,428 ✭✭✭randombar


    So the code is going to look something like this?
    <?php 
    session_start();
    $username=$_SESSION['MM_Username'];        
    
    if (empty($username))    {
     header ("Location: index.php");
     exit();
     }
    
    
    ?> 
    


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Something like that, but that piece of code in particular won't work. Don't forget your semicolons ;)


  • Registered Users, Registered Users 2 Posts: 3,428 ✭✭✭randombar


    Haha eh ya . . . . what semicolons :)


  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    Based on that question I should warn about hidden form fields too. 'View Source' and the user sees them. Save the page and they can edit the values, open in their browser and submit.

    You have to have security on the server, trust nothing that comes from the browser, in fact there may be no browser at all, a perl script can mimic any browser and let that person send any GET and POST name/value pairs they like to your script.


  • Advertisement
Advertisement