
View Full Version : password security



llorax
03-23-2007, 02:42 AM
I'm making a php form in which people who update the database on my website can use to add information. However, I wanted to somehow password protect the form so not just anyone could add stuff to the database.

Is that the best way to secure the form? If so how do I do that?

Titan85
03-23-2007, 11:08 AM
I would say the best way if you are using an SQL database is to create another table called "users" or something and put all the people you want to have access in there. Then have a log in that checks to see if the data entered in a form is the same as that in the database. If so, log them in. You can also encrypt the password, the most common way is the use of md5($passwordhere). It takes the password entered and turns it into a hash so it is a lot more secure. If you need the code on how to do this, let me know and I will get it to you when I have the time, right now I have to be going.

llorax
03-23-2007, 04:43 PM
Yeah I'd rather not get into the whole user thing. Just a shared password I can give to everyone who is going to edit the content. If you can give me that code, that would be amazing!

Titan85
03-23-2007, 08:20 PM
Ok, here is the code. Every user can have the same name and pass or separate ones, it's up to you. This does use a username and pass, but it's really no extra work to use a username too, and it is more secure.
<?php
// Start the session before any output is sent; session_start() has to run before the HTML below
session_start();

// If form submitted
if (isset($_POST['login'])) {
// Escape the username before it goes into the query; the mysql_connect() call must already have run
$user = mysql_real_escape_string($_POST['username']);
// Turn password into hash
$pass = md5($_POST['password']);

// Check for user
$qry = mysql_query("SELECT * FROM `users` WHERE username = '$user'") or die ('Error Getting User! <br />' .mysql_error());
$u = mysql_fetch_array($qry);
$chk = mysql_num_rows($qry);

// See if username exists
if ($chk < 1) {
echo '<meta http-equiv="refresh" content="2;URL='.htmlspecialchars($_SERVER['PHP_SELF']).'" />
<span style="color: #FF0000"><b>Invalid Username!</b></span>';
}
// Check password
elseif ($pass !== $u['password']) {
echo '<meta http-equiv="refresh" content="2;URL='.htmlspecialchars($_SERVER['PHP_SELF']).'" />
<span style="color: #FF0000"><b>Invalid Password!</b></span>';
}
// If username and pass match database, set sessions
else {

// Set username, password, and ip sessions
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];

echo '<meta http-equiv="refresh" content="2;URL=YOUR ADMIN HOME.php" />
<b>You are now logged in!</b>';
}
}

// If form not submitted
if (!isset($_POST['login'])) {
?>
<!-- Login Form -->
<form method="post" action="">
<table width="232">
<tr>
<td width="75"><b>Username:</b></td>
<td width="145"><input type="text" name="username" /></td>
</tr>
<tr>
<td><b>Password:</b></td>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td colspan="2" align="right"><input type="submit" name="login" value="Login" /></td>
</tr>
</table>
</form>
<!-- /Login Form -->
<?php
}
?>

You will have to add your database connection info for it to work. Also note that near the end, replace the "YOUR ADMIN HOME.php" with the filename of your control panel. You will need to add this table to your database:
CREATE TABLE `users` (
`id` int(5) NOT NULL auto_increment,
`username` varchar(32) NOT NULL,
`password` varchar(32) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM;

When you insert your users, be sure that when you set the password, it is using md5($password); because the password in the database must be stored as a hash for the submitted password to match it. Add this code to the top of your protected pages:
<?php
// The session must be started before $_SESSION can be read
session_start();
if(empty($_SESSION['user']) || empty($_SESSION['pass']) || $_SESSION['ip'] !== $_SERVER['REMOTE_ADDR']) {
header("Location: login.php");
// Stop here; otherwise the rest of the protected page is still sent after the redirect header
exit;
}
?>

I didn't test it because I am on my way out for work, but it should work. If there are any issues, just let me know and I will check it out when I get the chance. Hope this helps
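The same login flow, written the way it would be done today, as an added example that is not Titan85's code: a prepared statement keeps the username out of the SQL text, password_verify() checks a salted hash instead of a bare md5 digest, the session id is regenerated on login, and the protected-page check calls exit after the redirect. It assumes a `users` table with `username` and `password_hash` columns and a PDO connection; the DSN, credentials and `admin.php` target are placeholders.

```php
<?php
// Added example, not the code posted in this thread. Assumes a `users` table
// with `username` and `password_hash` columns; DSN and credentials are placeholders.
declare(strict_types=1);
session_start();

function dbConnect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_DB_USER', 'YOUR_DB_PASS');
    // Throw on errors instead of silently returning false
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Returns true on success. One message covers both a bad username and a bad
// password so the form does not reveal which usernames exist.
function attemptLogin(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text; no manual escaping needed
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is missing so both paths take similar time
    $storedHash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $storedHash)) {
        return false;
    }

    // Fresh session id on login blocks session fixation; store the user id, never the password
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['user'] = $username;
    return true;
}

// Put this at the top of every protected page, after session_start()
function requireLogin(string $loginUrl = 'login.php'): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        exit; // header() alone does not stop the script; the page would still be served
    }
}

if (isset($_POST['login'])) {
    $ok = attemptLogin(dbConnect(), (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($ok) {
        header('Location: admin.php'); // placeholder for the protected page
        exit;
    }
    echo '<b>Invalid username or password.</b>';
}
?>
<form method="post" action="">
  <label>Username: <input type="text" name="username"></label>
  <label>Password: <input type="password" name="password"></label>
  <input type="submit" name="login" value="Login">
</form>
```

The session stores only the user id and name; keeping the password hash in the session, as the original does, means a leaked session file hands over the credential as well. Tying the session to REMOTE_ADDR is dropped here because users behind proxies or mobile networks change address mid-session and get logged out; the regenerated session id is the binding that matters.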

llorax
03-26-2007, 12:37 AM
be sure that when you set the password, it is using md5($password)

I don't really understand that part

Titan85
03-26-2007, 12:42 AM
I don't really understand that part

When you insert the password that you want to use for all the users, put md5() around it. Say the password is test, do this:

$pass = 'test';
$password = md5($pass);

md5 makes the password into a hash. In the login script, we check for a matching hash of the password they entered. Because we are not simply checking for the word "test", but the hash of test (something like: "098f6bcd4621d373cade4e832627b4f6"), we need to be sure that when the original password is set, we put it into the sql database as a hash. Then the script checks for a matching hash. It is easy for a hacker to figure out "test", mainly when using cookies, but it's hard for them to figure out "098f6bcd4621d373cade4e832627b4f6". Hope this helps
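What a bare md5 digest does and does not buy you, as an added example rather than anything from the thread: md5 of "test" is the same fixed digest everywhere it is stored, so a single precomputed table recovers it, while password_hash() salts and slows each hash. The `upgradeLegacyMd5()` function is an assumed helper showing how an existing md5 column can be migrated at the user's next successful login. It runs stand-alone from the command line.

```php
<?php
// Added example, not from the thread: properties of md5 versus password_hash(),
// plus an upgrade path for digests already stored as md5.
declare(strict_types=1);

$password = 'test';

// md5 is unsalted and deterministic: every site that stores "test" ends up with
// the identical 32-character digest, so one precomputed table cracks all of them.
$digest = md5($password);
var_dump($digest === md5('test'));

// password_hash() adds a random salt and a tunable work factor: two hashes of the
// same password differ, and password_verify() is the only way to check them.
$hash1 = password_hash($password, PASSWORD_DEFAULT);
$hash2 = password_hash($password, PASSWORD_DEFAULT);
var_dump($hash1 === $hash2);
var_dump(password_verify($password, $hash1));
var_dump(password_verify('wrong', $hash1));

// Upgrade path (assumed helper): compare the submitted password against the legacy
// digest in constant time, and on a match return a modern hash to store instead.
function upgradeLegacyMd5(string $storedDigest, string $submitted): ?string
{
    if (!hash_equals($storedDigest, md5($submitted))) {
        return null; // wrong password, nothing to upgrade
    }
    return password_hash($submitted, PASSWORD_DEFAULT);
}

$upgraded = upgradeLegacyMd5($digest, 'test');
var_dump($upgraded !== null && password_verify('test', $upgraded));
var_dump(upgradeLegacyMd5($digest, 'wrong'));
```

The first var_dump is true and the second false: that difference (same input, different stored value) is the salt at work. hash_equals() is used for the legacy comparison because `==`/`===` on strings can stop at the first differing byte, which leaks timing information about the stored digest.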

llorax
03-26-2007, 12:54 AM
do i define the passwords in the actual php document or only in the table?

Titan85
03-26-2007, 01:29 AM
do i define the passwords in the actual php document or only in the table?

You only define the password when inserting them into the table. Here is what you can do to insert the password:
<?php

// Your mysql_connect() / mysql_select_db() call goes here, before the insert

$username = 'your username';
$pass = 'your password';
// Store the md5 hash, never the plain password, so the login script can match it
$password = md5($pass);

// id is auto_increment, so leave it out and let the database assign it
$insert = mysql_query("INSERT INTO `users` (username, password) VALUES ('$username', '$password')") or die ('Error inserting data! <br />' .mysql_error());

echo 'User created successfully';

?>

Hope that helps
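The account-creation step done with a salted hash and a prepared INSERT, as an added example that is not Titan85's script. It assumes a PDO connection and creates its own `users` table (with a `password_hash` column wide enough for any password_hash() output); the DSN, credentials, username and passphrase are placeholders, and the 12-character minimum is a policy choice of this example.

```php
<?php
// Added example, not the code from this thread. DSN, credentials, username and
// passphrase below are placeholders to replace before running.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_DB_USER', 'YOUR_DB_PASS');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 255 characters leaves room for future password_hash() algorithms (bcrypt output is 60).
// The UNIQUE key stops two editors from sharing a username by accident.
$pdo->exec('CREATE TABLE IF NOT EXISTS users (
    id INT UNSIGNED NOT NULL AUTO_INCREMENT,
    username VARCHAR(32) NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    PRIMARY KEY (id),
    UNIQUE KEY uniq_username (username)
)');

// Returns the new row id. Throws on an empty username, a short password, or a duplicate.
function createUser(PDO $pdo, string $username, string $password): int
{
    if ($username === '' || strlen($password) < 12) { // minimum length is this example's policy
        throw new InvalidArgumentException('username required and password must be at least 12 characters');
    }
    // Salted, slow hash; the plaintext is never written to the database
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
    return (int) $pdo->lastInsertId();
}

$id = createUser($pdo, 'editor', 'REPLACE-WITH-A-LONG-PASSPHRASE');
echo "User created with id $id\n";
```

Run it once from the command line, then delete it: a user-creation script left reachable on the web server lets anyone who finds it add an account.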

llorax
03-26-2007, 07:14 PM
Sorry, I'm still trying to figure this all out. This is all still a little new and confusing for me. So just to clarify:


<?php

// If form submitted
if ($_POST['login']) {
$user = $_POST['username'];
// Turn password into hash
$pass = md5($_POST['password']);

In that part of the login form, you leave it saying 'username' and do not put the information into the quotes, correct?

Titan85
03-26-2007, 11:24 PM
Correct, the $_POST['username']; gets the value entered into the username field of the form, same with the password.