Tutorial How to protect your php files from other people's with password ;)

Laszl0w

Well-Known Member
Oct 10, 2015
217
149
143
Make a file a call it to :
pw.php

Code:
<?php

$LOGIN_INFORMATION = array(
  'asd' => 'root',
  'Laszl0w' => 'adminpass',
  'turnmeon' => '19960806'  
);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', true);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://www.custommta.cf/drx.php');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 0);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);

##################################################################
#  SETTINGS END
##################################################################


///////////////////////////////////////////////////////
// do not change code below
///////////////////////////////////////////////////////

// show usage example
if(isset($_GET['help'])) {
  die('Include following code into every page you would like to protect, at the very beginning (first line):<br>&lt;?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?&gt;');
}

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<html>
<head>
  <title>Enter Password</title>
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</head>
<body>
  <style>
    input { border: 1px solid black; }
  </style>
  <div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">
  <form method="post">
    <h3>Enter your Username & Password </h3>
    <font color="red"><?php echo $error_msg; ?></font><br />
<?php if (USE_USERNAME) echo 'Username:<br /><input type="input" name="access_login" /><br />Password:<br />'; ?>
    <input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Login" />
  </form>
  <br />
  <a style="font-size:9px; color: #B0B0B0; font-family: Verdana, Arial;" href="http://r4p3.net" title="r4p3.net">Powered by Laszl0w</a>
  </div>
</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) )
  ) {
    showLoginPasswordProtect("Wrong password :).");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
  
    // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
    // So need to clear password protector variables
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == md5($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
echo "Done!";
  }

}

?>

Usage:
On top of your secured php file.
Code:
<?php include("pw.php"); ?>
Login Credentials,you should change it:
Code:
$LOGIN_INFORMATION = array(
  'asd' => 'root',
  'Laszl0w' => 'adminpass',
  'turnmeon' => '19960806'  
);

If some people's wants to see your secured php file the server will ask them to login to watch it ;)
If he's logged in it will showed for him.
 

shockli

Contributor
Jan 29, 2016
243
194
111
U can also do it with a .htaccess and a .htpasswd :)
And if your whole website gets leaked? Suddenly we have a password, but I guess that'll be the least of your problems then.

My point: FinFisher (german spyware to government company) had their files leaked a while ago and they relied fully on .htpasswd, they did not hash any of their sfuff, and they even used the same password for multiple things.

+1 for being more secure than OP
 

panteL

Restricted
Mar 17, 2016
146
44
63
And if your whole website gets leaked? Suddenly we have a password, but I guess that'll be the least of your problems then.

My point: FinFisher (german spyware to government company) had their files leaked a while ago and they relied fully on .htpasswd, they did not hash any of their sfuff, and they even used the same password for multiple things.

+1 for being more secure than OP
Oh shit yes ur right :S
Die deutschen denken Sie hätten alles im Griff. (all the German guys think it's all OK)
 
Top