Security concern

Started by hbarbosa, January 15, 2009, 12:25:48 AM


Dear Zubrag,

I just downloaded your script and put it to work on my personal
website at the university. It's working great. I'm using it to protect
a webpage where my students upload their homework.

However, I have a security question.

My webpage is located in my home directory, which is automatically
mounted via NFS on all machines in my institution, under
a folder called public_html. Of course, this directory and all files therein
must have read permissions for all users in order for the website to work.

Therefore, anyone with access to a machine where my account is
mounted will also have access to the file password_protect.php and
hence to the passwords of all users!

Is there any way to avoid this?



I have once looked into protecting folders on Windows - try Googling password protect folder.

Hope you find a solution - let us know.



Hi David,

Server is running Linux, not Windows.

Just to clarify what the problem is: in my case I'm a
regular user, not root... and hence my webpage is located
inside my home directory:


I'm not an expert, but I understood it as follows.

If I change the permissions of the files inside my public_html
folder so that Apache has access to them, then
anyone will also have access. I mean, anyone with access to my
machine via ssh, telnet or local use, or to any machine
in my institute, since all of them mount the users'
home dirs using NFS.

So, if a clever student of mine looks at the link to the login
webpage, they will know that the file is called "~username/login.php".
Hence, they can take a look at the file content and find out
that its first line:

<?php require($DOCUMENT_ROOT . "password_protect.php"); ?>

points to another file... and by looking inside "password_protect.php" they
will find out everyone's passwords!!

In a single user environment this script is very secure, but
in a multi-user one...



I assume you make a password, then give the password to each student, then add that password to "password_protect.php".

NEVER save a password as 'clear' text - make a password, OR BETTER use a program to make one,
then get an "MD5" sum of that password, give the student the password and put the "MD5" sum
in "password_protect.php" as the password.

Add a line of code in "password_protect.php" to make an "MD5" sum of what the student
inputted as his password, and test this sum against the sum you entered.
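The check described in this post, as an added example that is not code from the thread or from the script being discussed: only a hash is kept in the file, the submitted password is hashed and compared. It uses PHP's password_hash()/password_verify() in place of a raw MD5 sum (the comparison is the same idea, but bcrypt is far slower to brute-force if the file is read over NFS); the user names and the two hash values are placeholders you replace with your own password_hash() output.

```php
<?php
// Added example: session-based login gate that stores only password hashes.
// Everything here is an assumption for illustration, not the original script.
session_start();

// One entry per student. Generate each hash once, e.g.
//   php -r 'echo password_hash("the-students-password", PASSWORD_DEFAULT), PHP_EOL;'
// and paste the output here. The values below are constructed placeholders.
$students = [
    'alice' => '$2y$10$REPLACE_WITH_password_hash_OUTPUT_FOR_ALICE',
    'bob'   => '$2y$10$REPLACE_WITH_password_hash_OUTPUT_FOR_BOB',
];

// Returns true only if the user exists and the password matches its stored hash.
// password_verify() does a constant-time comparison, so no '==' on hash strings.
function check_login(array $students, string $user, string $pass): bool {
    if (!isset($students[$user])) {
        return false;
    }
    return password_verify($pass, $students[$user]);
}

if (isset($_POST['logout'])) {
    $_SESSION = [];
    session_destroy();
}

if (isset($_POST['user'], $_POST['pass'])
        && check_login($students, (string) $_POST['user'], (string) $_POST['pass'])) {
    session_regenerate_id(true);            // fresh session id after a successful login
    $_SESSION['student'] = $_POST['user'];  // the session flag, never the password
}

if (empty($_SESSION['student'])) {
    // Not logged in: show the form and stop so the protected page below never renders.
    echo '<form method="post">User: <input name="user"> '
       . 'Password: <input type="password" name="pass"> '
       . '<input type="submit" value="Login"></form>';
    exit;
}

// From here on the request is authenticated as $_SESSION['student'].
echo 'Welcome, ' . htmlspecialchars($_SESSION['student']) . '. Upload your homework below.';
```

Because the whole public_html tree stays world-readable over NFS, the hashes themselves are still exposed; a slow hash like bcrypt limits what a reader of the file can do with them, while an MD5 sum of a short password can be guessed quickly.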


Most of them have already answered your question :)


Please can anybody resolve this?? I have the same issue..


Look, to password-protect some .php script, just copy the code below and enter your MD5 password hash, and it will require a login to that script every time. Try it....

<?php
$auth_pass = "MD5 password hash goes here!!!";   // md5() sum of the password, not the password itself

// Print the login form and stop the script.
function wsoLogin() {
    die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
}

// Set the cookie and mirror it into $_COOKIE so the check below passes on this same request.
function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}

if (!empty($auth_pass)) {
    // Strict comparison: '==' on hash strings is subject to PHP's loose string-to-number juggling.
    if (isset($_POST['pass']) && (md5($_POST['pass']) === $auth_pass))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

    // No valid cookie (the cookie holds the hash itself): show the form and stop.
    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] !== $auth_pass))
        wsoLogin();
}

or this will do the same thing pretty much...


<?php
session_start();   // needed before $_SESSION can be read or written

$hrver = "Whatever PHP script which needs password protection";
$self = $_SERVER['PHP_SELF'];
$admin_pass = '1mirek';   // clear-text password in the file; see the earlier post about storing only the md5() sum

$is_admin = false;

if ((@$_SESSION['adminpass'] === md5($admin_pass)) or (@$_POST['password'] === $admin_pass)) {
    $is_admin = true;
    $_SESSION['adminpass'] = md5($admin_pass);
}
if (isset($_POST['logout'])) {
    $is_admin = false;
    unset($_SESSION['adminpass']);
}
if ($is_admin !== true) {
    if (isset($_POST['password'])) {
        // alert() is JavaScript, not PHP: send it to the browser as a script block
        echo '<script>alert("Wrong again get lost!");</script>';
        die('<br /><br /><br /><big><strong><center><blink>Wrong Password!!!</blink></center></strong></big>');
    }
    // Not logged in yet: show the form and stop before the protected script runs
    die('<form method="post">Password: <input type="password" name="password"> <input type="submit" value="Login"></form>');
}
// the protected script continues below this line

If somebody has some problems with adding password logins to PHP scripts, feel free to ask for help!


That is amazing! Thanks for your help, I had the same problem..!