Solved

How to set up a secure client area on my website?

Posted on 2010-08-15
Last Modified: 2012-08-13
I am a graphic designer and would like to have a client area on my website.

Here's exactly what I'm looking to do:

Client Login Page:
- A way for the client to login and a way for them to sign up as a new client
- If a client forgets password, a way for it to be emailed to them.

When the client logs in it would then take them to their own client page.  

Client Page:
- All client pages will have the same content, except for a welcome "client's name" at the top of the individual's client page
- There will be a way for the client to upload pdf files to my server and give instruction for the file being uploaded.
- When they upload the pdf file, it sends me an email notification that a new file has been uploaded with the instructions they filled out on the upload form.
- Then there should be a way for them to log out.

Can someone please help me with this or let me know how I can accomplish this?

Thank you very much!
0
Comment
Question by:dmrussell12345
11 Comments
 
LVL 2

Expert Comment

by:Tekati68
ID: 33441428
You picked the right zone Web-Based CMS.  That is exactly what you need to do what you are asking to do here.  It will take a few plugins and maybe even some coding at that point which you could then ask for here and get what you need help with.

I would suggest a CMS like WordPress or Joomla to name a few free ones.  If you are willing to pay the one I would check out and use is the IP.Board stuff from http://www.invisionpower.com/products/board/ as they have an upload addon that would pretty much cover everything you want here.  Plus it is rock solid with excellent support.
0
 

Author Comment

by:dmrussell12345
ID: 33441457
Thank you for your input.

But it seems that a large scale cms is overkill for what I am trying to do.  I may have incorrectly sent it to the cms zone.  Unless there is a client area cms or possibly wordpress or joomla has a specific client area theme.

I look forward to any other comments that might assist me with this.



0
 
LVL 2

Expert Comment

by:Tekati68
ID: 33441495
Really what you are looking for is a simple CMS, but have you tried things like Gallery2?  It's designed to upload pictures but might be able to handle what you need.
0
 

Author Comment

by:dmrussell12345
ID: 33441512
I just checked out Gallery2.  It seems to be more of a photo album service.  At first glance, not exactly what I need.  But I may look into it further.

I included this in the php zone.  Hopefully there will be some ideas from some php experts.

Thanks again for your input.  If you can think of anything else, please let me know.
0
 
LVL 2

Expert Comment

by:Tekati68
ID: 33441533
Well, I am a bit of a PHP expert.  I know this is something I could build no problem, but I know of no pre-made program to do what you want here.  I have been around the scene for longer than I care to admit but have never seen an out-of-the-box solution for your question.  The only other area I could suggest looking into is open-source bidding software, where you post your PDF quote, for example, and give your speech etc.  Might want to look into that.  I will do some quick searches for you as well and see if I can dig up anything that might help you.
0

Author Comment

by:dmrussell12345
ID: 33441580
Thank you very much.  I greatly appreciate your assistance.

I found this tutorial.  http://webitect.net/coding/create-a-portfolio-client-area-using-php-and-mysql/

It is very close to what I want to do with two exceptions... 1) There is no code for forgotten passwords  2) I do not need a message board.  I just want the client to provide instructions that will be emailed to me when they upload a file.

Take a look at this and see if you can help me with the code for the forgotten passwords and upload instructions emailed to me.

Thanks!
0
 
LVL 4

Expert Comment

by:Frozenice
ID: 33441583
If you really want a customized CMS,
you may want to start and learn PHP...

This is complicated for starters, I admit,
unless you're willing to use one of a dozen open-source CMSs.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33441637
This is not really a question, so much as a requirement for custom application development.  I would start with a platform like the ZEND framework since a lot of the "infrastructure" like registrations, logins, etc., has already been built for you.  You might prefer to use an open-source thing like Joomla, Drupal or Wordpress.  Your assessment that this might be "overkill for what I am trying to do" is exactly correct.  All of the open-source CMS systems have lots of features you don't want or need.  At least not now.  There is little penalty for having unnecessary parts in the systems.  If you don't want to use them, just don't use them, that's all.

My candid recommendation would be to hire a developer to help you get this set up.  You will get better results sooner, than if you tried to learn programming while developing an application that may have an effect (good or very, very bad) on your livelihood.  Your ongoing relationship with a developer may prove helpful since design and development often go hand-in-hand.

Best of luck with it, ~Ray
0
 
LVL 2

Expert Comment

by:Tekati68
ID: 33441670
While the webitect.net tutorial would work after some modification, it is really old-school coding and would need securing before I would unleash that to the public.  It's one thing building a personal site for a select group of people, but when you build the site with a public interface you had better have your ducks in a row, so to speak.

I still think a CMS just cut down to what you need to use is your best bet.  Or do like Frozenice says and learn PHP and roll your own, but even that requires a lot of research and hard work.  It's easy to throw up a site with all kinds of security issues and a whole other ballgame to set one up correctly.  That is why the CMS software helps so much, as they have HOPEFULLY done most of that work for you.
0
 
LVL 5

Accepted Solution

by:
eNarc earned 500 total points
ID: 33442997
Hi dmrussell12345, the below code is a secure login using sessions, based on the essential.

features.
----------
secure login
signup
email forgotten password
secure area
public area
-----------

if you want to be emailed when a user uploads files, simply put the mail script found in the below called mail()

put if($_SESSION['auth']){ at the top of each page if you are not using index file to secure the page.

you can use the below if you're using the index as the front, for example each page would be ?root=#

in index.php
------
 if($_SESSION['auth']){
include('secure.php');
}else{
include('public.php');
}
------

you can also put  if($_SESSION['auth']){ in a header/top and } in the footer/bottom.


if my solution helped you in any way.. please do accept.. =)
it would be greatly appreciated.


thanks.. hope i help.

eNarc
<?php
//this is to start the session.
session_start();

//this is the table structure.
/*
--
-- Table structure for table `user`
--

CREATE TABLE IF NOT EXISTS `user` (
  `Id` int(10) NOT NULL auto_increment,
  `user` varchar(255) default NULL,
  `pass` varchar(255) default NULL,
  `email` varchar(255) default NULL,
  PRIMARY KEY  (`Id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;
*/

//this is to connect to the database.
//the mysql_* functions were removed in PHP 7.0, so the mysqli equivalents are used ("p:" requests a persistent connection).
$dbhost = 'localhost';
$dbusername = 'root';
$dbpasswd = '';
$database_name = 'user';
$connection = mysqli_connect("p:$dbhost", $dbusername, $dbpasswd) or die ("Couldn't connect to server.");
$db = mysqli_select_db($connection, $database_name) or die("Couldn't select database.");

//this is the page requested through ?login=..., empty when the parameter is absent.
$mode = isset($_GET['login']) ? $_GET['login'] : '';

//this is to search the mysql for the user and pass and fill in the session.
if(isset($_POST['login'])){
//this is protection to stop sql injections and other exploits.
	$user=mysqli_real_escape_string($connection, $_POST['user']);
	$pass=mysqli_real_escape_string($connection, $_POST['pass']);
//this is the query
	$Q1R1=mysqli_query($connection, "select user,pass from user where user = '$user' and pass = '$pass';");
	$D1=mysqli_fetch_array($Q1R1);

//this is the main session whether true or false as to the users ability to view different content.
//it is only set when the query found a matching user and pass.
	if($D1){
		$_SESSION['auth']=true;
//this is optional
		$_SESSION['user']=$D1['user'];
		$_SESSION['pass']=$D1['pass'];
	}else{
		echo "incorrect username or password<br>";
	}
}

//this is used to log the person out and reset the session based login.
if(!empty($_GET['logout'])){
	$_SESSION['auth']=false;
	echo "you have been successfully logged out<br>";
}

//this should go to the top of the page.
if(!empty($_SESSION['auth'])){
//this is what a person will see if they are logged in with the correct username and password.
?>
You are Currently logged in, would you like to <a href="?logout=true">Logout?</a> or go to <a href="?root=main">homepage</a><br />
your login details are below<br />
Name: <?php echo htmlspecialchars($_SESSION['user']);?><br />
Pass: <?php echo htmlspecialchars($_SESSION['pass']);?><br />
<?php
}else{
//this is for the forgotten password.
if($mode=='forgot'){
	if(isset($_POST['forgot'])){
	//this is protection to stop sql injections and other exploits.
		$email=mysqli_real_escape_string($connection, $_POST['email']);
	//this is the query
		$Q1R1=mysqli_query($connection, "select user, pass, email from user where email = '$email';");
		$D1=mysqli_fetch_array($Q1R1);
		$sent=false;
	//this is to setup the mail script for you to enter your details.
	//the mail is only sent when the email was found in the database.
		if($D1){
			$to= $D1['email'];
			$from="email@example.com";
			$subject="Forgotten Password";
			$header="From: WebSite Name <$from>";
			$message = $D1['user']." & ".$D1['pass'];
			$sent=mail($to,$subject,$message,$header);
		}

		//this is so that you can display some text to tell the user that the forgotten password has sent the password.
		if($sent){
			echo "your login details have been sent to ".htmlspecialchars($D1['email'])."<br />";
		}
	}
//this is what will be displayed when they visit the forgotten password page
?>
would you please enter your email below or go to <a href="?root=main">homepage</a> or would u like to <a href="?login=signup">signup </a><br />
<form id="form1" name="form1" method="post" action="">
  <input name="email" type="text" id="email" value="email@example.com" />
  <input name="forgot" type="submit" id="forgot" value="Submit" />
</form>
<?php
//this is the signup of a user.
	}elseif($mode=='signup'){
	if(isset($_POST['signup'])){
	//this is protection to stop sql injections and other exploits.
		$user=mysqli_real_escape_string($connection, $_POST['user']);
		$pass=mysqli_real_escape_string($connection, $_POST['pass']);
		$email=mysqli_real_escape_string($connection, $_POST['email']);

	//this is to check if the email is within the database.
		$Q1R1=mysqli_query($connection, "select email from user where email = '$email';");
		$num1 = mysqli_num_rows($Q1R1);
	//this is to check if the username is within the database.
		$Q1R1=mysqli_query($connection, "select user from user where user = '$user';");
		$num2 = mysqli_num_rows($Q1R1);

//this will check if either is in the database.
		if(($num1 != 0) or ($num2 != 0)){
			echo "username/email already taken.";
		}else{
			//no records of either name nor email, so we insert the data.
			$Q1R2=mysqli_query($connection, "insert into user SET user='$user', pass='$pass', email='$email';");
			echo "account made and you are logged in, you are welcome to go to <a href=\"?root=main\">homepage</a>";
		//this is the main session whether true or false as to the users ability to view different content.
			$_SESSION['auth']=true;
		//this is optional (the values as typed, not the sql-escaped copies)
			$_SESSION['user']=$_POST['user'];
			$_SESSION['pass']=$_POST['pass'];
		}
	}
//this is the form.
?>
<form id="form1" name="form1" method="post" action="">
  <input name="user" type="text" id="user" value="user1" />
  <input name="pass" type="text" id="pass" value="pass1" />
  <input name="email" type="text" id="email" value="email1@example.com" />
  <input name="signup" type="submit" id="signup" value="Submit" />
</form>

<?php
	}else{
//this is what they see when they are not logged in with the correct username and password.
?>
would you please login or go to <a href="?root=main">homepage</a> or have you forgotten your <a href="?login=forgot">login details.</a> or would u like to <a href="?login=signup">signup </a><br />
<form id="form1" name="form1" method="post" action="">
  <input name="user" type="text" id="user" value="user1" />
  <input name="pass" type="text" id="pass" value="pass" />
  <input name="login" type="submit" id="login" value="Submit" />
</form>
<?php
	}
}
?>


0
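Added example, not part of eNarc's answer: the same signup, login and forgotten-password steps with the password stored only as a hash, prepared statements in place of string escaping, and a single-use reset token emailed instead of the password. It assumes PHP 7+ with the pdo_sqlite extension (an in-memory database stands in for MySQL); the table layout and function names are hypothetical.

```php
<?php
// Added example, not eNarc's code. Function names and the table layout are
// hypothetical; an in-memory SQLite database stands in for MySQL.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, user TEXT UNIQUE,
        pass_hash TEXT, email TEXT UNIQUE, reset_hash TEXT, reset_expires INTEGER)');
    return $db;
}
// Signup: store only a salted hash, never the password itself.
function signup(PDO $db, string $user, string $pass, string $email): void {
    $st = $db->prepare('INSERT INTO user (user, pass_hash, email) VALUES (?, ?, ?)');
    $st->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email]);
}
// Login: returns the user id, or null for an unknown user or a wrong password.
// The page handler would then call session_regenerate_id(true) and set $_SESSION['auth'].
function login(PDO $db, string $user, string $pass): ?int {
    $st = $db->prepare('SELECT id, pass_hash FROM user WHERE user = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null;
    }
    return (int) $row['id'];
}
// Forgotten password: create a random single-use token valid for one hour.
// Only its SHA-256 hash is stored; the token itself goes into the emailed link.
function start_reset(PDO $db, string $email): ?string {
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('UPDATE user SET reset_hash = ?, reset_expires = ? WHERE email = ?');
    $st->execute([hash('sha256', $token), time() + 3600, $email]);
    return $st->rowCount() === 1 ? $token : null;
}
// Redeem the token: set the new password and clear the token in one statement.
function finish_reset(PDO $db, string $token, string $newPass): bool {
    $st = $db->prepare('UPDATE user SET pass_hash = ?, reset_hash = NULL, reset_expires = NULL
        WHERE reset_hash = ? AND reset_expires > ?');
    $st->execute([password_hash($newPass, PASSWORD_DEFAULT), hash('sha256', $token), time()]);
    return $st->rowCount() === 1;
}
// Constructed sample data: a wrong guess, a good login, then a reset redeemed twice.
$db = make_db();
signup($db, 'user1', 'old-passphrase', 'user1@example.com');
var_dump(login($db, 'user1', 'wrong-guess'));
var_dump(login($db, 'user1', 'old-passphrase'));
$token = start_reset($db, 'user1@example.com');
var_dump(finish_reset($db, $token, 'new-passphrase'));
var_dump(finish_reset($db, $token, 'third-passphrase'));
var_dump(login($db, 'user1', 'new-passphrase'));
```

On the real forgotten-password page, show the same message whether or not the email is registered, so the form does not reveal which addresses have accounts.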
 

Author Comment

by:dmrussell12345
ID: 33444730
Thank you very much eNarc!

At first glance, this appears to be exactly what I need.  I'm going to play with the code and make sure it works for my needs and then I will accept your help as the solution.

0
