
Using Authentication for users problem

Posted: Tue Sep 28, 2010 4:54 pm
by BrettCarr
Hi, I'm trying to set up a login, but I'm unsure if I'm doing this correctly. Any advice would be great.
It seems to only half work?? I want to use md5 to send the info but I have no idea how to do it, or even sure if that's the way to go... As I said, any advice would be great. Also I would like to mention I can't seem to clear the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables, or it seems to be stuck to the last login detail so I can't try to type the password in again.

Code:

<?php
include_once($_SERVER['DOCUMENT_ROOT'].'/includes/global.php');
$d = new User();
$d->connect(HOST, USERNAME, PASSWORD, DATABASE);

// if the user hits Cancel do this stuff
if (!isset($_SERVER['PHP_AUTH_USER']))
{
    header('WWW-Authenticate: Basic realm="Sales Coastal Coasters"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}
// checks the user_name and pass_word with query, if found directs them to info.php
// would like to send this stuff with md5 but have no idea how
else {
    $d->query("SELECT * FROM sales_people WHERE user_name ='{$_SERVER['PHP_AUTH_USER']}' && pass_word = '{$_SERVER['PHP_AUTH_PW']}';");
    if ($d->next())
    {
        $host  = $_SERVER['HTTP_HOST'];
        $uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
        $extra = 'info.php';
        header("Location: http://$host$uri/$extra");
    }
    else
    {
        // If fail sends to other page
        header("HTTP/1.0 401 Unauthorized");
        $host  = $_SERVER['HTTP_HOST'];
        $uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
        $extra = 'login.php';
        header("Location: http://$host$uri/$extra");
        print "Sorry - you need valid credentials to be granted access!\n";
        exit;
    }
}
?>

Re: Using Authentication for users problem

Posted: Tue Sep 28, 2010 11:20 pm
by twinedev
Quick check (there may be other issues in the code):

Code:

$d->query("SELECT * FROM sales_people WHERE user_name ='{$_SERVER['PHP_AUTH_USER']}' && pass_word = '{$_SERVER['PHP_AUTH_PW']}';");

change to

Code:

$d->query("SELECT * FROM sales_people WHERE user_name ='{$_SERVER['PHP_AUTH_USER']}' && pass_word = MD5('{$_SERVER['PHP_AUTH_PW']}');");

This will work assuming that when you created the user record, you did something like:

Code:

INSERT INTO sales_people (`user_name`,`pass_word`) VALUES ('username', MD5('password'));

Also, not sure what the code is for executing the query, but make sure it escapes quotes, or that you do it in your code (see http://www.php.net/mysql-real-escape-string), to make sure someone doesn't feed your script a username of test'; drop table sales_people; (hint: the ; ends one statement, so the next one after it can run....)

-Greg
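The following is an added example, not code from either post. It keeps the Basic-auth flow of the original script but binds the username as a query parameter (PDO prepared statement) instead of splicing it into the SQL string, and it stores passwords with password_hash()/password_verify() rather than MD5, which is a swapped-in technique and not what the reply proposed. The table name sales_people, its two columns and the realm string are taken from the thread; the PDO connection, the function names and the offline SQLite self-check are assumptions made for this example. It also tries the two injection payloads a tester would reach for (the stacked DROP TABLE from the reply and a ' OR 1=1 tautology) against the parameterised query.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection to a table
// sales_people(user_name, pass_word) where pass_word holds a password_hash()
// value. Function names and the CLI self-check are illustrative.

function requireBasicAuth(string $realm): array
{
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        // No credentials yet (or the user hit Cancel): challenge and stop.
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required';
        exit;
    }
    return [$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']];
}

function addSalesPerson(PDO $pdo, string $user, string $password): void
{
    // Salted, slow hash instead of MD5('password'); both values are bound.
    $stmt = $pdo->prepare('INSERT INTO sales_people (user_name, pass_word) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function checkCredentials(PDO $pdo, string $user, string $pass): bool
{
    // The username travels as a bound parameter, never as SQL text, so a value
    // such as "test'; DROP TABLE sales_people;" is just a username that does not exist.
    $stmt = $pdo->prepare('SELECT pass_word FROM sales_people WHERE user_name = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // The password itself never enters a query; it is checked against the stored hash.
    return password_verify($pass, $row['pass_word']);
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with a constructed in-memory SQLite table (no MySQL needed).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE sales_people (user_name TEXT PRIMARY KEY, pass_word TEXT NOT NULL)');
    addSalesPerson($pdo, 'alice', 'correct horse');

    $cases = [
        ['alice', 'correct horse', true],                 // valid login
        ['alice', 'wrong', false],                         // wrong password
        ["' OR 1=1 -- ", 'anything', false],               // tautology that bypasses the original query
        ["test'; DROP TABLE sales_people;", 'x', false],   // stacked statement from the reply
    ];
    foreach ($cases as [$u, $p, $expected]) {
        $ok = checkCredentials($pdo, $u, $p);
        printf("%-40s %s\n", json_encode($u), $ok === $expected ? 'as expected' : 'UNEXPECTED');
    }
    // The table must survive the injection attempts.
    $count = $pdo->query('SELECT COUNT(*) FROM sales_people')->fetchColumn();
    printf("rows in sales_people: %d\n", $count);
} else {
    // Web flow. $pdo is assumed to be created by the site's own include (global.php).
    [$user, $pass] = requireBasicAuth('Sales Coastal Coasters');
    if (checkCredentials($pdo, $user, $pass)) {
        // Path-relative redirect to the protected page.
        $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
        header('Location: ' . $uri . '/info.php');
        exit;
    }
    // On failure, answer with a fresh 401 and the WWW-Authenticate challenge and no
    // Location header: that is what makes the browser prompt for credentials again.
    header('WWW-Authenticate: Basic realm="Sales Coastal Coasters"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Sorry - you need valid credentials to be granted access!';
    exit;
}
```

Run it from the command line (`php login.php`) and the four cases print "as expected" with one row still in the table. Two caveats worth knowing when reading the thread: the stacked `DROP TABLE` payload only executes if the query wrapper allows multiple statements in one call (the old mysql_query() does not), whereas the `' OR 1=1 -- ` payload works against the original string-built query with any driver, so escaping or binding is needed regardless. And on the "stuck" credentials in the first post: a browser keeps resending cached Basic-auth credentials for a realm until it receives another 401 challenge, and in PHP a header('Location: ...') call replaces an already-set status with 302 unless a 3xx or 201 was set, so the original failure branch never delivers its 401 to the browser and the prompt never reappears.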