使用PHP密码保护没有数据库访问权限的页面
[英]Password protect a page without db access with php
问题描述
Is it possible to password protect a page without db access? 
是否可以用密码保护没有数据库访问权限的页面? I may have only few pages. 我可能只有几页。 But I should be able to change password and also save sessions etc. And I want a secure way as it's for production site! 但是我应该能够更改密码并保存会话等。我想要一种安全的方式,因为它适用于生产站点!
How is it to store in a config.php after md5: 在md5之后如何将其存储在config.php中:
<?php
username="admin";
password="1a1dc91c907325c69271ddf0c944bc72";
?>
If this is a good idea, is there a way to restrict access to this php from only one script called check.php or something? 如果这是一个好主意,是否有一种方法可以限制仅从一个名为check.php或类似内容的脚本访问此php?
4 个解决方案
解决方案1
2 已采纳 2010-08-04 05:16:55
Sure, why not? 当然可以,为什么不呢? You can use flat files in inaccessible directory (protected by .htaccess or out of the www root) and use that as a database. 您可以在不可访问的目录(受.htaccess保护或不在www根目录下)中使用平面文件,并将其用作数据库。
Here's a simple login class I've whipped up: 这是我介绍的一个简单的登录类:
class SimpleLogin {
private $users;
private $db = './pass.txt';
function __construct() {
$data = file_get_contents($this->db);
if (!$data) {
die('Can\'t open db');
} else {
$this->users = unserialize($data);
}
}
function save() {
if (file_put_contents($this->db, serialize($this->users)) === false)
die('Couldn\'t save data');
}
function authenticate($user, $password) {
return $this->users[$user] == $this->hash($password);
}
function addUser($user, $password) {
$this->users[$user] = $this->hash($password);
$this->save();
}
function removeUser($user) {
unset($this->users[$user]);
$this->save();
}
function userExists($user) {
return array_key_exists($user, $this->users);
}
function userList() {
return array_keys($this->users);
}
// you can change the hash function and salt here
function hash($password) {
$salt = 'jafo2ijr02jfsau02!)U(jf';
return sha1($password . $salt);
}
}
NOTE : You really should turn off error reporting if you are going to use this in an actual server. 注意 :如果要在实际服务器中使用它,则确实应该关闭错误报告。 This can be done by calling error_reporting() or by adding '@' in front of file_get_contents and file_put_contents (ie: so it turns into @file_get_contents ) 这可以通过调用error_reporting()或在file_get_contents和file_put_contents前面添加“ @”来完成(即:它变成@file_get_contents )。
Usage example : http://left4churr.com/login/ 用法示例 : http : //left4churr.com/login/
解决方案2
2
You should use .htaccess to do that. 您应该使用.htaccess来做到这一点。 You also can protect by .htaccess your sensible php files, with something like : 您还可以通过.htaccess保护敏感的php文件,例如:
Order Allow,Deny
Deny from All
解决方案3
1 2010-08-04 05:16:30
You could use HTTP authentication with PHP . 您可以将HTTP身份验证与PHP结合使用 。 Very good examples present in PHP-docu. PHP-docu中提供了很好的示例。
解决方案4
0 2010-08-04 05:27:01
Actually a database have nothing to do with password protection. 实际上,数据库与密码保护无关。
you can write login and password directly in your script as well as keeping in in the database. 您可以直接在脚本中写入登录名和密码,也可以保留在数据库中。
There is no need in restricting access to your php file. 无需限制对您的php文件的访问。 Being called over HTTP, it will be just blank page and nothing more. 通过HTTP调用时,它将只是空白页,仅此而已。
So, it's all right to store it that way. 因此,可以通过这种方式存储它。
Quite enough for the site that even don't use a database. 对于甚至不使用数据库的站点来说,已经足够了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.