  1. #1
    SitePoint Zealot

    Password Confusion

    I read Kevin Yank's book "Database Driven Website" and I'm a little confused if I am understanding how to validate a user. In short, we have 3 directories that are password protected. The problem is when I go to directory 1 I am asked for my id and password. Then when I go to directory 2 I am again asked for an ID and password.

    I wrote the below code, but I'm not sure if this is correct and furthermore if our website grows to 20 directories do I have to create 20 separate auth401.php files to check for a good id/password and then re-direct to the requested page.

    Lastly as you can see below I have stored the password/id in MySQL. However, I assume even if I save the information as a cookie the authentication will fail since I am not passing;
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');


    <?php
    //check for required fields from the form
    if (empty($_POST['username']) || empty($_POST['password'])) {
        header("Location: LoginForm.php");
        exit;
    }

    //connect to server and select database (mysqli replaces the removed mysql_* functions)
    $conn = mysqli_connect("localhost", "goodguy", "password", "testDB") or die(mysqli_connect_error());

    //create and issue the query; bound parameters keep form input out of the SQL text
    $sql = "select f_name, l_name from auth_users where username = ? AND password = password(?)";
    $stmt = mysqli_prepare($conn, $sql) or die(mysqli_error($conn));
    mysqli_stmt_bind_param($stmt, "ss", $_POST['username'], $_POST['password']);
    mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
    mysqli_stmt_store_result($stmt);

    //get the number of rows in the result set; should be 1 if a match
    if (mysqli_stmt_num_rows($stmt) == 1) {
        //if authorized, get the values of f_name l_name
        mysqli_stmt_bind_result($stmt, $f_name, $l_name);
        mysqli_stmt_fetch($stmt);

        //set authorization cookie
        setcookie("auth", "1", 0, "/", "website.us", 0);

        //prepare message for printing, and user menu (names are HTML-escaped)
        $msg = "<P>" . htmlspecialchars("$f_name $l_name") . " is authorized!</p>";
        $msg .= "<P>Authorized Users' Menu:";
        $msg .= "<ul><li><a href=\"classes.php\">Todays Classes</a></li></ul>";
    } else {
        //redirect back to login form if not authorized
        header("Location: LoginForm.php");
        exit;
    }
    ?>
    <HTML>
    <HEAD>
    <TITLE>User Login </TITLE>
    </HEAD>
    <BODY>
    <?php print $msg; ?>
    </BODY>
    </HTML>

  2. #2
    frezno
    You could store user(id) and password in the session if the user logged in correctly.
    On any page which should be password protected you'll check against those data.
    We are the Borg. Resistance is futile. Prepare to be assimilated.
    I'm Pentium of Borg. Division is futile. Prepare to be approximated.
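
The session check suggested above, as an added example that is not part of the original thread: one shared include that every protected page in any directory requires, so more directories need no extra login scripts, and the login state lives server-side instead of in a client-set cookie value. The file name auth.php, the `id` and `password_hash` columns (filled with PHP's password_hash()), and HTTPS are assumptions.

```php
<?php
declare(strict_types=1);

// auth.php: hypothetical shared include (added example, not code from the thread).
// A protected page in any directory begins with:
//     require $_SERVER['DOCUMENT_ROOT'] . '/auth.php';
//     require_login();

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'path'     => '/',     // one session cookie covers every directory
        'secure'   => true,    // assumption: the site is served over HTTPS
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Check the submitted credentials; on success mark the session as logged in.
// Assumed columns: id, password_hash (written with password_hash()).
function attempt_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM auth_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    start_secure_session();
    session_regenerate_id(true);            // fresh session id after login
    $_SESSION['user_id'] = (int) $row['id']; // only the id is kept, never the password
    return true;
}

// Call at the top of every protected page; sends visitors without a session to the form.
function require_login(string $loginUrl = '/LoginForm.php'): void
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
}
```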

  3. #3
    Gibb
    You're trying to validate users through PHP? If so I suppose using SESSIONS would be the way to go. For my company site I have 3 separate password protected folders, and the only thing I needed to do was add a bit of code on the end of my httpd.conf file (assuming you're using Apache), and create a htpassword file.

    Here's the Apache tutorial on how to do this:
    http://httpd.apache.org/docs-2.0/howto/auth.html

  4. #4
    SitePoint Zealot
    Quote Originally Posted by Gibb
    You're trying to validate users through PHP? If so I suppose using SESSIONS would be the way to go. For my company site I have 3 separate password protected folders, and the only thing I needed to do was add a bit of code on the end of my httpd.conf file (assuming you're using Apache), and create a htpassword file.

    Here's the Apache tutorial on how to do this:
    http://httpd.apache.org/docs-2.0/howto/auth.html

    I have MySQL, Apache, and PHP available to me, but it does not look like my web hosting company allows me to view/edit the httpd.conf file. I just sent them an email to figure this out.

    If I can edit this file (httpd.conf), will this take care of the issue of having to input the id/password multiple times? We have 3 directories that I password protected via the host company interface (Protect Directories) with the same id and password. Currently the users are complaining of having to enter the id/password 3 times if they enter all 3 directories in one session.

    I'm a newbie so feel free to "dumb it down"

  5. #5
    Gibb
    I'm a newbie myself, so there might be an easier way to do this (or consolidate it more):

    Here is the block of code I put at the end of my httpd.conf file:
    Code:
    <Directory /var/www/html/phpMyAdmin>
    AuthType Basic
    AuthName "Employees Only"
    AuthUserFile /etc/httpd/passwd/passwords.txt
    Require user admin
    </Directory>
    
    <Directory /var/www/html/admin>
    AuthType Basic
    AuthName "Employees Only"
    AuthUserFile /etc/httpd/passwd/passwords.txt
    Require user admin
    </Directory>
    "admin" is the name of the user for both of these folders, but you can create whatever usernames you want there, or use a group (several users at once). If the same user can access both folders, then he/she does not need to log in for each folder. Once you log into either of them, you can access the others without authentication.

    The passwords.txt file is created using the unix command htpasswd (instructions for using that are in the link I posted). There might be a way to consolidate the code because it's exactly the same except for the directory, but I am unaware of how to do that.

