Feb. 16, 2011, 6:14 p.m.
posted by romcheg
PHP and HTTP Authentication
PHP can use HTTP authentication through the Apache web server. PHP sends an authentication header to the browser, and the browser responds by showing an authentication dialog; you'll recognize this prompt as the standard browser login prompt. Because the authentication header must be sent before any other HTML output, this works only with the module-based PHP installation, not the CGI version.
Figure shows how to use HTTP authentication.
Using HTTP authentication with a PHP script
The prompt for authentication to the Member Area realm
If the user clicks Cancel, he'll see Figure.
Clicking Cancel causes a message that the user must log in
That's a fairly simple example. We checked to see if the username and password were set, then displayed them to the user. The realm field provides a way for grouping related pages together for access restrictions. Any PHP page that presents the authentication headers within the same realm as the login page is accessible after a successful login. This spares the user from having to re-authenticate for each PHP page.
Figure validates the username and password retrieved from an authentication prompt. If they don't match, access to all pages in that realm is denied.
Checking the values returned from the authentication prompt
Figure checks whether the authentication variables were set. If they weren't, it requests a username and password. The elseif clause checks whether the two strings are identical.
This is different from simply comparing two strings with the equality (==) operator. When comparing input, the == operator can cause unexpected results. Therefore, use the strcmp function. The strcmp function returns 0 only when the two strings are identical. If either the username or the password comparison returns a value other than 0, you deny access; otherwise, access is granted. If they don't match, prompt the user again by sending the authentication headers a second time; as before, these headers must come before any other output.
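The flow described above, written out as an added example rather than one of the book's figures: the "Member Area" realm and the mdavis/secret credentials are the ones this excerpt uses, and hash_equals is a constant-time stand-in for the strcmp check the text recommends.

```php
<?php
// Added example, not the book's figure. HTTP Basic authentication for the
// "Member Area" realm with the credentials the excerpt uses (mdavis / secret).
const EXPECTED_USER = 'mdavis';
const EXPECTED_PASS = 'secret';

// Ask the browser for credentials. This must run before ANY other output
// (a stray space before the opening PHP tag or a PHP warning is enough to break it).
function request_login(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You must log in to access this page.';
    exit;
}

// Why the book avoids ==: PHP compares two numeric strings as numbers, so
// '1e3' == '1000' holds even though the strings differ, while strcmp() only
// returns 0 for identical strings.
function loose_equality_is_unsafe(): bool
{
    return ('1e3' == '1000') && strcmp('1e3', '1000') !== 0;
}

// hash_equals() gives the same yes/no answer as strcmp() === 0 but runs in
// constant time, so the response time does not reveal how much of the
// password matched.
function credentials_match(string $user, string $pass): bool
{
    return hash_equals(EXPECTED_USER, $user)
        && hash_equals(EXPECTED_PASS, $pass);
}

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    request_login('Member Area');                 // no credentials yet
}
if (!credentials_match($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    request_login('Member Area');                 // wrong credentials: ask again
}
echo 'Welcome, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER']) . '!';
```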
Storing a Username and Password in a Database
Let's revisit some of the knowledge you picked up back in Chapter 5. We're going to create a new table for users. Instead of comparing a username and password to values that are set in your PHP script, you'll check them against a database table called USERS. As explained in Chapter 5, you'll want to log into the command prompt and create a table using the syntax in Figure.
Creating the users table to store login information
This code returns:
Query OK, 0 rows affected (0.23 sec)
To add a user, you create an entry in the database for a user with an encrypted password, as shown in Figure.
Creating the entry in the database for a user with an encrypted password
Query OK, 1 row affected (0.01 sec)
To check that your row was created and see what the MD5 hash function returned, you query the users table:
SELECT * FROM users;
+---------+------------+-----------+----------+----------------------------------+
| user_id | first_name | last_name | username | password                         |
+---------+------------+-----------+----------+----------------------------------+
|       1 | Michele    | Davis     | mdavis   | 5ebe2294ecd0e0f08eab7690d2a6ee69 |
+---------+------------+-----------+----------+----------------------------------+
1 row in set (0.00 sec)
Now that you've created the table, let's set up the login script to test a username and password. You stored the password as an MD5 hash to provide an extra layer of security. The hash is one-way, so the password that produced the stored string cannot be determined from it. This means that even if a malicious user finds out another user's hashed password, she can't use it to log in. However, this method is for testing only; more secure options are discussed later in the book.
Figure reuses much of the same code from the example in the previous section, so don't worry about having to rewrite too much! The major difference is that instead of using the strcmp function to check the username and password, you place them into a query and let the database check for a match.
Don't forget that you still need your database login information in a file called db_login.php, shown in Figure.
The database login details
Verifying a username and password against the database
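An added example of the database-backed version (not the book's listing): it assumes db_login.php defines $db_host, $db_database, $db_username and $db_password, uses the users table columns shown in the SELECT output above, and keeps the submitted username out of the SQL text with a prepared statement.

```php
<?php
// Added example, not the book's figure. Checks HTTP Basic credentials against
// the users table (user_id, first_name, last_name, username, password) with a
// prepared statement, so the submitted username never becomes part of the SQL.
// Assumption: db_login.php defines $db_host, $db_database, $db_username and
// $db_password; the page does not show those names.
require_once 'db_login.php';

function request_login(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You must log in to access this page.';
    exit;
}

// Fetch the row by username only and compare the stored MD5 in PHP. The table
// holds md5(password) as the book does for testing; with password_hash() in
// the table this comparison becomes password_verify().
function verify_user(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare(
        'SELECT user_id, first_name, last_name, password FROM users WHERE username = ?'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                   // unknown username
    }
    if (!hash_equals($row['password'], md5($pass))) {  // constant-time strcmp
        return null;                                   // wrong password
    }
    unset($row['password']);
    return $row;
}

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    request_login('Member Area');
}

$db = new PDO("mysql:host=$db_host;dbname=$db_database;charset=utf8mb4",
              $db_username, $db_password,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$account = verify_user($db, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if ($account === null) {
    request_login('Member Area');                      // prompt again
}
echo 'Welcome, ' . htmlspecialchars($account['first_name']) . '!';
```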
You may have to set display_errors = Off in the php.ini file if you get the following error, because the warning text is output before the authentication header and keeps the login box from displaying:
Warning: headers already sent
This may be a lot to take in at the moment, but save the script and run it; it displays the screen in Figure. Then try logging in with the username mdavis and the password secret.
Prompting for username and password before checking the database
You should see that the script accepts the login, as shown in Figure, because the database found a matching row.
A successful match with the database's credentials
If you entered something invalid, you'll see an unauthorized page such as Figure telling you that the username and password are incorrect.
An invalid username and password causes this message to display