Passing a variable into header()function.

[invitezone]

This is not a VB question exactly its a php question, but im using it in a weird way on my forum, so im hoping someone will help me out

First let me explain what im trying to do.

I want to hide my forum so it looks like there is no forum. The way I want to do this is to make a fake shopping site, with a search box. The search box will be fully functioning, but if the secret passwphrase is entered into the search box, the user will be redirected to the forum and a cookie set so that they don't see the fake shop instead.
The way I am thinking to do this is to use a simple password script to replace the shops search function.


this is the login script I am thinking of using

sas.php

Code:

<?php

/* Config Section */

$pass		= 'demo';				// Set the password.
$cookiename	= 'sascookie';				// Optional change: Give the cookie a name. Default is sascookie
$expirytime	= time()+3600;				// Optional change: Set an expiry time for the password (in seconds). Default is 1 hour.
$msg		= 'Password incorrect.';	// Optional change: Error message displayed when password is incorrect. Default is "Password incorrect".

/* End Config */

/* Logout Stuff - Sept 5, 2005 */

if (isset($_REQUEST['logout'])) {
	setcookie($cookiename,'',time() - 3600);							// remove cookie/password
	if (substr($_SERVER['REQUEST_URI'],-12)=='?logout=true') {			// if there is '?logout=true' in the URL
		$url=str_replace('?logout=true','',$_SERVER['REQUEST_URI']);	// remove the string '?logout=true' from the URL
		header('Location: '.$url);										// redirect the browser to original URL
	}
	show_login_page('');
	exit();
}

$logout_button='<form action="'.$_SERVER['REQUEST_URI'].'" method="post"><input type="submit" name="logout" value="Logout" /></form>';
$logout_text='<a href="'.$_SERVER['REQUEST_URI'].'?logout=true">Logout</a>';

/* End Logout Stuff */

/* FUNCTIONS */
$encrypt_pass=md5($pass);	// encrypt password

function setmycookie() {
global $cookiename,$encrypt_pass,$expirytime;
	setcookie($cookiename,$encrypt_pass,$expirytime);
}	

function show_login_page($msg) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Authorization Required</title>
<style type="text/css">
<!--
.error {color:#A80000}
body {font:90% Verdana, Arial, sans-serif;color:#404040}
#wrapper {width:800px;margin:0 auto;border:1px solid #606060}
#main {text-align:center;padding:15px}
#header {font:bold 130% Verdana, Arial, sans-serif;color:#DDDDDD;width:100%;height:5em;text-align:center;background:#A80000;line-height:5em}
#mid {margin:5em 0 5em 0}
#footer {font-size:75%;text-align:center;width:100%}
input {border:1px solid #606060; background: #DDDDDD}
-->
</style>
</head>
<body>
<div id="wrapper">
	<div id="header">Authorization Required</div>
<div id="main">
	<div id="mid">
		<p>Please enter the password below <em>Use "demo" to login. Use a wrong password to see the error message</em>.</p>

		<p>Once logged in, you won't need to re-enter the password for one hour, the expiry time can be customized to your liking by altering the variable $expirytime in the Config Section of sas.php.</p>

		<p>You will need to enable cookies for SAS to work as expected.</p>
		
		<form action="" method="POST">
			Password:&nbsp;<input type="password" name="password" size="20">&nbsp;
			<input type="submit" value="Login">
			<input type="hidden" name="sub" value="sub">
		</form>
		<div class=error><?=$msg?></div>
	</div>
</div>
</div>
<div id="footer">Authentication by <a href="http://www.zann-marketing.com/sas/">Simple Authorization Script</a> Copyright &copy; 2005.</div>
</body>
</html>
<? }

/* END FUNCTIONS */

$errormsg='';
if (isset($_POST['sub'])) {						// if form has been submitted
	$submitted_pass=md5($_POST['password']);	// encrypt submitted password
	if ($submitted_pass<>$encrypt_pass) {		// if password is incorrect
		$errormsg=$msg;
		show_login_page($errormsg);
		exit();
	} else {									// if password is correct
		setmycookie();
	}
} else {
	if (isset($_COOKIE[$cookiename])) {			// if cookie isset
        if ($_COOKIE[$cookiename]==$encrypt_pass) {	// if cookie is correct
		   // do nothing
		} else {								// if cookie is incorrect
			show_login_page($errormsg);
			exit();
		}
	} else {									// if cookie is not set
		show_login_page($errormsg);
		exit();
	}
}
?>

This script also comes with a demo page incase anyone wishes to run this to see it working, which is as follows.

demo.php

Code:

<? require('sas.php'); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Authorization Successful</title>
<style type="text/css">
<!--
.error {color:#A80000}
body {font:90% Verdana, Arial, sans-serif;color:#404040}
#wrapper {width:800px;margin:0 auto;border:1px solid #606060}
#main {text-align:left;padding:15px}
#header {font:bold 130% Verdana, Arial, sans-serif;color:#DDDDDD;width:100%;height:5em;text-align:center;background:#A80000;line-height:5em}
#footer {font-size:75%;text-align:center;width:100%}
input {border:1px solid #606060; background: #DDDDDD}
p {line-height:130%}
-->
</style>
</head>
<body>
<div id="wrapper">
	<div id="header">Authorization Successful</div>

	<div id="main">
		<p>
		If you can see this page, then you have successfully entered in the correct password for the Simple Autorization Script demo. We hope this example of the use of SAS meets your expectations.
		</p>
		
		<p>
		You will be able to access this page without entering in the password for the next hour. After which, you will be required to enter the password again.
		</p>
		
		<p>
		<strong>** New ** Optional logout feature.</strong> The logout button is an optional feature which you may like to include in your installation of SAS. To see the logout feature at work, please click on the logout button below. The logout button will expire the password (and cookie) and the login page should show up. 
		</p>
		
		<p>Logout Button:</p> <?=$logout_button?>
		
		<p>Logout Text:</p> <?=$logout_text?>
		
		<p>
		For installation instructions, see the <strong>readme.txt</strong> file located in the Simple Authorization Script folder, or view the <a href="http://www.zann-marketing.com/sas/installation.php">online version here</a>.
		</p>
		
		<p>
		If you found Simple Authorization Script useful, please make a small donation through PayPal.
		</p>
		
		<div style="text-align:center">
			<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
			<input type="hidden" name="cmd" value="_s-xclick" />
			<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but04.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!" />
			<input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----MIIHPwYJKoZIhvcNAQcEoIIHMDCCBywCAQExggEwMIIBLAIBADCBlDCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20CAQAwDQYJKoZIhvcNAQEBBQAEgYAOD1uTKjRp2+r51aImKlBZ6kz1BmprsfzYboHSEwHurMRQCPq1T3YoztKpUL3Axrb26blKhYMfHWNsg9NPgmjd+NI38ZhzgPnTO8Le325iyZmg5uNZ17G+333JQcOrP0qDSPdNxIyTFlN00R0OGovB06S0t5rnbZj19WHDrrTb+DELMAkGBSsOAwIaBQAwgbwGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIZL04RLFI+WiAgZh6TEP+w4+L8xsuYcvxNWaISWMGNB1u5o6D0cdHt67atrgfdzdEc9AS1XsSOUwcdC+AWL6j21e+O2eJYtqSYwTgw5JvcfZ5gIKE+bt2YQAOCFSftCiQxKjs+wUUoE3DoFdhmWeFhOWpnAnTiNjNICqCBy3ZiJct5fcKxDs/kYnbCE4URaKC5zUo1MM5Zph/pDhTspQssPunPaCCA4cwggODMIIC7KADAgECAgEAMA0GCSqGSIb3DQEBBQUAMIGOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC1BheVBhbCBJbmMuMRMwEQYDVQQLFApsaXZlX2NlcnRzMREwDwYDVQQDFAhsaXZlX2FwaTEcMBoGCSqGSIb3DQEJARYNcmVAcGF5cGFsLmNvbTAeFw0wNDAyMTMxMDEzMTVaFw0zNTAyMTMxMDEzMTVaMIGOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC1BheVBhbCBJbmMuMRMwEQYDVQQLFApsaXZlX2NlcnRzMREwDwYDVQQDFAhsaXZlX2FwaTEcMBoGCSqGSIb3DQEJARYNcmVAcGF5cGFsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwUdO3fxEzEtcnI7ZKZL412XvZPugoni7i7D7prCe0AtaHTc97CYgm7NsAtJyxNLixmhLV8pyIEaiHXWAh8fPKW+R017+EmXrr9EaquPmsVvTywAAE1PMNOKqo2kl4Gxiz9zZqIajOm1fZGWcGS0f5JQ2kBqNbvbg2/Za+GJ/qwUCAwEAAaOB7jCB6zAdBgNVHQ4EFgQUlp98u8ZvF71ZP1LXChvsENZklGswgbsGA1UdIwSBszCBsIAUlp98u8ZvF71ZP1LXChvsENZklGuhgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLUGF5UGFsIEluYy4xEzARBgNVBAsUCmxpdmVfY2VydHMxETAPBgNVBAMUCGxpdmVfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAgV86VpqAWuXvX6Oro4qJ1tYVIT5DgWpE692Ag422H7yRIr/9j/iKG4Thia/Oflx4TdL+IFJBAyPK9v6zZNZtBgPBynXb048hsP16l2vi0k5Q2JKiPDsEfBhGI+HnxLXEaUWAcVfCsQFvd2A1sxRr67ip5y2wwBelUecP3AjJ+YcxggGaMIIBlgIBATCBlDCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20CAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA1MDYxNTEwMTYwOFowIwYJKoZIhvcNAQkEMRYEFHhlmkIf0/x2XFyjUH0x4rgfTmDWMA0GCSqGSIb3DQEBAQUABIGAu7m74eh3WzSL7E9xPENb9ZVQkCUMHOCG6gjx+8Mfvcwbd9MXzkZKLIlDWYHkE/jDeJvCx+DiObS+lbddhzFkE9gOMrO7Y40eijhHSQjATGP845ZRx05d8kk18wtqVDKYMJ7/HGd3A+a7TfGXUIYbKTQ0BL2iCx7DucnnC4LCjto=-----END PKCS7-----" />
			</form>
		</div>
	
		<p>
		Support SAS by linking to us. You can use this information:
		</p>
		
		<textarea rows="2" cols="75">&lt;a href="http://www.zann-marketing.com/sas/"&gt;Simple Authorization Script&lt;/a&gt;&lt;br&gt;A simple php script which password protects web pages without a database.</textarea>
	
	</div>
</div>
<div id="footer">Authentication by <a href="http://www.zann-marketing.com/sas/">Simple Authorization Script</a> Copyright &copy; 2005.</div>
</body>
</html>

Now what I am trying to do is replace what happens when an incorrect password is entered into the script. So within sas.php we have the following code...

Code:

if ($submitted_pass<>$encrypt_pass) {		// if password is incorrect
		$errormsg=$msg;
		show_login_page($errormsg);
		exit();

I am hoping to modify this to use the header redirect() function
something like...
header("Location: http://FakeShopPage.com/search?=$submitted_pass");

This way if someone who didn't know about the forum tried to used the fake shop search function they would enter a search string into the search/password field, hit submit, and the script would see the password was incorrect and pass the submitted password variable into the search string, which would fool the user into thinking they have just searched for something and be none the wiser.

Another issue is that the password encryption in the script uses md5 hash. Being as old as it is now I would like to use something else. I have read that pbkdf2 is a good thing to use. is it possible to use that in this script?

I can use any other login script that you may be able to suggest, I am open to ideas. I want to have only 1 password for all users for this and be able to pass the submitted_pass variable into the search function. My main issue is Iobviously cant have a username involved, so this is the only script I could find.

I am not a coder, I am just trying to piece together info I have found. I did something very similar to this in the past, but cant remember how I did it, and now can't seem to get it to work. I know I am asking for a lot of help here, so I am greatful to anyone who can help me out.

Thanks everyone, reallyt appreciate it

[kh99]

I don't have a lot of advice to give you because I'm not familiar with existing scripts that do this kind of thing, I'm only familiar with vbulletin. In any case, it seems like what you posted should work:

Code:

http://FakeShopPage.com/search?=$submitted_pass

if that's the right url for the shop search. Have you tried it?


About the encryption: you could replace the calls to md5() with whatever encryption function you wanted. I think the built in php crypt() function: http://us2.php.net/manual/en/function.crypt.php used to depend on what was configured on your server, but I believe as of php version 5.3, it has all of the options built in, so it seems like if you want to use something more secure, that's an easy choice.

But looking at the script you posted, it seems the encrypted password is only used to set the password in the cookie. (I really don't know why the script even bothers to encrypt the password before checking it since it's got the plain text password available - maybe the author thought it might be modified to get passwords from a database or something). So I think you're really only worrying about the possibility of the cookie being obtained from the computer of someone who knew the password. I don't know how much of a security risk that is. I think the usual worry is someone stealing the encrypted passwords from a database, but in this case you don't have a database, and the password is stored in plain text in the script.

[invitezone]

All great advice, I really appreciate it.
You made some good observations there that I missed being a n00b

Thanks KH99