Would this work? Simple client 'login' page

Scam · 20 May 2010 at 13:13

I'm trying to come up with the simplest way of implementing a 'client login' page on a small company's website that I'm building. I don't pretend to know how to script PHP, MySQL or anything. But I know HTML/CSS well, so anything I achieve on top of that is good for me. For example I've so far managed to create a PHP mailer form and a couple of jQuery scripts for design. Woop!

So. They want a page where they can have their clients login and download files. They would also like to be able to have their clients upload files -- but with my abilities (or lack of) I think that's just not going to happen.

I've been looking round at examples and not really finding much of use. So I was thinking that perhaps a really easy way of doing this with PHP is to simply do the following:

Assuming one of the client's folders is ../client/joebloggs

- Client logs in via a simple form with joebloggs/pass.
- If 'joebloggs' folder exists, show them that.
- If it doesnt exist, then show error (maybe just a modified 404?).

So it actually makes the password redundant, but thinking about what they're hosting for their clients I don't think this will be an issue. So I'm thinking if the user tries to enter a username that doesn't exist -- they just wont get anywhere. I think that should be enough security for them (they'll only be hosting videos or media). It also means they won't need to fiddle with any htaccess files or databases of usernames/passwords :confused:

I think I could get away with this, as I'm sure they're more worried about giving their clients a 'nice' experience on the website rather than having total security.

Any advice much appreciated!

Scam · 21 May 2010 at 11:23

I think maybe I just confused everyone!! Heh. I had a good go at this yesterday and am pretty pleased. This is what I came up with.

PHP:

<div id="container">
			<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" id="contact" onSubmit="return formValidate( this )">
			<h2>Please enter your username:</h2>
				<label for="username">Username:</label>
				<input type="text" name="username" />
					
				<input type="submit" class="submit" value="Submit" />
					<br />
			</form>
			
<div id="frame">
<?php 
// makes var $username from posted form
$username = ($_POST['username']);
//removes spaces
$username = str_replace(' ', '', $username);
// makes only alphanumerical chars allowed
$username = preg_replace('/[^a-z0-9]/i', '', $username);
// Make all lowercase
$username = strtolower($username);
//--------------------------------------
//uses the opendir function
$dir_handle = @opendir($username) or die("Unable to open $username");
echo "Directory Listing of $path<br/>";
//running the while loop to list files
while ($file = readdir($dir_handle)) 
{
   if($file!="." && $file!="..")
      echo "<a href='$username/$file'>$file</a><br/>";
}
//closing the directory
closedir($dir_handle);
?> 
</div>

Can anyone suggest improvements to that? Is it relatively safe with regards to the input? Also, how could I get it to stop showing 'Unable to open $username' before they've submitted the form?

Izi · 21 May 2010 at 12:01

could set a session and check if it exists

Scam · 21 May 2010 at 15:28

Hmn good idea thanks. I think I've solved it by checking whether or not the form has been posted. Seems to work.

I have another question. I'd like to be able to show the filesize next to the name. How do I do that? :confused:

Izi · 21 May 2010 at 20:05

Scam said:
Hmn good idea thanks. I think I've solved it by checking whether or not the form has been posted. Seems to work.

I have another question. I'd like to be able to show the filesize next to the name. How do I do that?

you would need to read the size of the file before saving in a database otherwise when the page loaded you would have to read the file, find its size and print it out. this would be a massive overhead.