Tutorial: How to protect your PHP files from other people with a password ;)

Laszl0w

Make a file and call it:
pw.php

Code:
<?php

$LOGIN_INFORMATION = array(
  'asd' => 'root',
  'Laszl0w' => 'adminpass',
  'turnmeon' => '19960806'  
);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', true);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://www.custommta.cf/drx.php');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 0);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);

##################################################################
#  SETTINGS END
##################################################################


///////////////////////////////////////////////////////
// do not change code below
///////////////////////////////////////////////////////

// show usage example
if(isset($_GET['help'])) {
  die('Include following code into every page you would like to protect, at the very beginning (first line):<br>&lt;?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?&gt;');
}

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<html>
<head>
  <title>Enter Password</title>
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</head>
<body>
  <style>
    input { border: 1px solid black; }
  </style>
  <div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">
  <form method="post">
    <h3>Enter your Username &amp; Password </h3>
    <font color="red"><?php echo $error_msg; ?></font><br />
<?php if (USE_USERNAME) echo 'Username:<br /><input type="text" name="access_login" /><br />Password:<br />'; ?>
    <input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Login" />
  </form>
  <br />
  <a style="font-size:9px; color: #B0B0B0; font-family: Verdana, Arial;" href="http://r4p3.net" title="r4p3.net">Powered by Laszl0w</a>
  </div>
</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

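  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  // reject non-string (array) input and compare strictly, so PHP type juggling cannot match
  if (!is_string($login) || !is_string($pass)
  || (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION, true))
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] !== $pass ) )
  ) {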
    showLoginPasswordProtect("Wrong password :).");
  }
  else {
    // set cookie if password was validated
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
  
    // Some programs (like Form1 Bilder) check $_POST array to see if parameters passed
    // So need to clear password protector variables
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}

else {

  // check if password cookie is set (and is a plain string, not an array)
  if (!isset($_COOKIE['verify']) || !is_string($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    // hash_equals compares as strings in constant time; loose == applies numeric type juggling
    if (hash_equals(md5($lp), $_COOKIE['verify'])) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    // showLoginPasswordProtect() ends the request with die()
    showLoginPasswordProtect("");
  }

}

?>
Usage:
On top of your secured php file.
Code:
<?php include("pw.php"); ?>
Login credentials, you should change them:
Code:
$LOGIN_INFORMATION = array(
  'asd' => 'root',
  'Laszl0w' => 'adminpass',
  'turnmeon' => '19960806'  
);
If some people want to see your secured php file, the server will ask them to log in to view it ;)
If he's logged in, it will be shown to him.
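
Added example, not part of the original post or the poster's code: a variant of pw.php that keeps only password_hash() output in the file and tracks the login in a server-side session instead of an md5(login%password) cookie, so neither a leaked file nor a captured cookie yields the password. The file name pw_hashed.php, the account exampleuser, the placeholder hash, the 900-second timeout and the protect_* names are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// pw_hashed.php (hypothetical name): include it as the first line of a protected page.
// Placeholder entry; create a real hash with: php -r 'echo password_hash("your password", PASSWORD_DEFAULT), PHP_EOL;'
$LOGIN_HASHES = array(
  'exampleuser' => 'PASTE_PASSWORD_HASH_OUTPUT_HERE',
);
define('IDLE_TIMEOUT_SECONDS', 900); // assumed value; 0 disables the idle timeout

function protect_show_form($error_msg) {
  header('Cache-Control: no-store');
  echo '<!DOCTYPE html><html><head><title>Enter Password</title></head><body>',
       '<form method="post"><p style="color:red">',
       htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8'), '</p>',
       'Username:<br><input type="text" name="access_login"><br>',
       'Password:<br><input type="password" name="access_password"><br>',
       '<input type="submit" value="Login"></form></body></html>';
  exit;
}

// The browser only ever holds a random session id, never a value derived from the password.
if (session_status() === PHP_SESSION_NONE) {
  session_set_cookie_params(array('lifetime' => 0, 'path' => '/', 'httponly' => true,
    'samesite' => 'Lax', 'secure' => !empty($_SERVER['HTTPS'])));
  session_start();
}
$now = time();
$expired = IDLE_TIMEOUT_SECONDS > 0 && isset($_SESSION['protect_seen'])
  && $now - $_SESSION['protect_seen'] > IDLE_TIMEOUT_SECONDS;
if (isset($_GET['logout']) || $expired) {
  $_SESSION = array();   // drop server-side state; the old session id stops working
  session_destroy();
  if (isset($_GET['logout'])) { header('Location: ' . $_SERVER['SCRIPT_NAME']); exit; }
  protect_show_form('');
}

if (empty($_SESSION['protect_user'])) {
  $login = isset($_POST['access_login']) ? $_POST['access_login'] : null;
  $pass  = isset($_POST['access_password']) ? $_POST['access_password'] : null;
  if (!is_string($login) || !is_string($pass)) {
    protect_show_form('');            // first visit, or malformed (array) input
  }
  if (!isset($LOGIN_HASHES[$login]) || !password_verify($pass, $LOGIN_HASHES[$login])) {
    protect_show_form('Wrong username or password.');
  }
  session_regenerate_id(true);        // fresh id after login prevents session fixation
  $_SESSION['protect_user'] = $login;
  unset($_POST['access_login'], $_POST['access_password']);
}
$_SESSION['protect_seen'] = $now;     // record activity for the idle timeout
```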
 

shockli

U can also do it with a .htaccess and a .htpasswd :)
And if your whole website gets leaked? Suddenly we have a password, but I guess that'll be the least of your problems then.

My point: FinFisher (German spyware to government company) had their files leaked a while ago and they relied fully on .htpasswd, they did not hash any of their stuff, and they even used the same password for multiple things.

+1 for being more secure than OP
 

panteL

And if your whole website gets leaked? Suddenly we have a password, but I guess that'll be the least of your problems then.

My point: FinFisher (German spyware to government company) had their files leaked a while ago and they relied fully on .htpasswd, they did not hash any of their stuff, and they even used the same password for multiple things.

+1 for being more secure than OP
Oh shit yes ur right :S
The Germans think they have everything under control. (all the German guys think it's all OK)
 
