Hi, I am building my first news system using php and a modified guestbook.
newsUpdate.php containts a form that sends information to a database and than to news.php where the news gets updated.
Everything worked fine until I wanted to add a simple password protection to newsUpdate.php. Since I´m such a n00b with PHP i just downloaded one of those scripts that hides php content until you enter the correct password. The problem is that since I added the password protect, the news uploading isn´t working correct. Instead of taking me to news.php like it should it takes me to the login page of newsUpdate.php and no new news are added.
I would love some help on this matter!
Here is the code for newsUpdate.php:
<?
/************************************************************\
*
* PHP Pass Copyright 2005 Howard Yeend
* www.puremango.co.uk
*
* This file is part of PHP Pass.
*
* PHP Pass is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* PHP Pass is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with PHP Pass; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*
\************************************************************/
session_start();
//--------------------------
// user definable variables:
//--------------------------
// maximum number of seconds user can remain idle without having to re-login:
// use a value of zero for no timeout
$max_session_time = 5;
// type of alert to give on incorrect password:
// eg:
// $alert = "joe@foo.com"; - sends email to joe@foo.com
// $alert = "blah"; - appends to file named 'blah'
// $alert = ""; - no alerts
$alert = "./.ht_badlogins";
// acceptable passwords:
$cmp_pass = Array();
$cmp_pass[] = md5("password");
$cmp_pass[] = md5("password");
// add as many as you like
// maximum number of bad logins before user locked out
// use a value of zero for no hammering protection
$max_attempts = 3;
//-----------------------------
// end user definable variables
//-----------------------------
// save session expiry time for later comparision
$session_expires = $_SESSION['mpass_session_expires'];
// have to do this otherwise max_attempts is actually one less than what you specify.
$max_attempts++;
if(!empty($_POST['mpass_pass']))
{
// store md5'ed password
$_SESSION['mpass_pass'] = md5($_POST['mpass_pass']);
}
if(empty($_SESSION['mpass_attempts']))
{
$_SESSION['mpass_attempts'] = 0;
}
// if the session has expired, or the password is incorrect, show login page:
if(($max_session_time>0 && !empty($session_expires) && mktime()>$session_expires) || empty($_SESSION['mpass_pass']) || !in_array($_SESSION['mpass_pass'],$cmp_pass))
{
if(!empty($alert) && !in_array($_SESSION['mpass_pass'],$cmp_pass))
{
// user has submitted incorrect password
// generate alert:
$_SESSION['mpass_attempts']++;
$alert_str = $_SERVER['REMOTE_ADDR']." entered ".htmlspecialchars($_POST['mpass_pass'])." on page ".$_SERVER['PHP_SELF']." on ".date("l dS of F Y h:i:s A")."
";
if(stristr($alert,"@")!==false)
{
// email alert
@mail($alert,"Bad Login on ".$_SERVER['PHP_SELF'],$alert_str,"From: ".$alert);
} else {
// textfile alert
$handle = @fopen($alert,'a');
if($handle)
{
fwrite($handle,$alert_str);
fclose($handle);
}
}
}
// if hammering protection is enabled, lock user out if they've reached the maximum
if($max_attempts>1 && $_SESSION['mpass_attempts']>=$max_attempts)
{
exit("Too many login failures.");
}
// clear session expiry time
$_SESSION['mpass_session_expires'] = "";
?>
<html>
<head>
<title>Enter Password</title>
</head>
<body>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<h4>Password Protected</h4>
<input type="password" name="mpass_pass">
<input type="submit" value="login">
</form>
</body>
</html>
<?
// and exit
exit();
}
// if they've got this far, they've entered the correct password:
// reset attempts
$_SESSION['mpass_attempts'] = 0;
// update session expiry time
$_SESSION['mpass_session_expires'] = mktime()+$max_session_time;
// end password protection code
?>
<!--hidden html content starts here -->
<?php
// include the database configuration and
// open connection to database
include 'configNews.php';
include 'opendbNews.php';
// check if the form is submitted
if(isset($_POST['btnSign']))
{
// get the input from $_POST variable
// trim all input to remove extra spaces
$name = trim($_POST['txtName']);
$message = trim($_POST['mtxMessage']);
// escape the message ( if it's not already escaped )
if(!get_magic_quotes_gpc())
{
$name = addslashes($name);
$message = addslashes($message);
}
// prepare the query string
$query = "INSERT INTO news (name, message, entry_date) " .
"VALUES ('$name', '$message', current_date)";
// execute the query to insert the input to database
// if query fail the script will terminate
mysql_query($query) or die('Error, query failed. ' . mysql_error());
// redirect to current page so if we click the refresh button
// the form won't be resubmitted ( as that would make duplicate entries )
echo "<meta http-equiv='refresh' content='0; url='news.php'>"; }
// force to quite the script. if we don't call exit the script may
// continue before the page is redirected
?>
<form method="post" name="guestform">
<table width="550" border="0" cellpadding="2" cellspacing="1">
<tr>
<td width="100">News Title:</td> <td>
<input name="txtName" type="text" id="txtName" size="30" maxlength="30"></td>
</tr>
<tr>
<td width="100">News Content:</td> <td>
<textarea name="mtxMessage" cols="80" rows="5" id="mtxMessage"></textarea></td>
</tr>
<tr>
<td width="100"> </td>
<td>
<input name="btnSign" type="submit" id="btnSign" value="Submit news" onClick="return checkForm();"></td>
</tr>
</table>
</form>
