
HTTP authentication with PHP

Posted: Tue Jul 03, 2007 3:12 pm
by nfw24
Hi everyone,
I'm writing code for HTTP authentication with PHP. I tried to get the username from the popup with the following code:

$user_name = trim($_SERVER[‘PHP_AUTH_USER’]);

$user_password = trim($_SERVER[‘PHP_AUTH_PW’]);


but when I added

echo $user_name;

nothing came out.
Is there something wrong with my code?
THANKS!

Posted: Tue Jul 03, 2007 3:27 pm
by volka
Is PHP installed as an Apache module?
What does

Code:

<?php
echo 'version: ', phpversion(), "<br />\n";
echo 'sapi: ', php_sapi_name(), "<br />\n";
print?

Posted: Tue Jul 03, 2007 3:42 pm
by nfw24
It prints:

version: 5.2.3
sapi: apache2handler

Posted: Tue Jul 03, 2007 3:48 pm
by Gente
Can you post more code?
Have you checked this example?

Posted: Tue Jul 03, 2007 4:02 pm
by nfw24
feyd | Please use the forum's code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Here is all my code:

Code:

<?php
function authenticate() {
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER']) ||
    ($_POST['SeenBefore'] == 1 && $_POST['OldAuth'] == $_SERVER['PHP_AUTH_USER']))  {
    authenticate();
} 

else #18
{
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$database = 'useraccount';

$user_name = ($_SERVER[‘PHP_AUTH_USER’]); #21
$user_password = trim($_SERVER[‘PHP_AUTH_PW’]);
$connection = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');

$db = mysql_select_db($database,$connection)or die ('Couldn’t select database.');

$sql = "SELECT user_name FROM valid_user WHERE user_name = ‘$user_name’ AND password = md5(‘$user_password’)";
echo $user_name;
$result = mysql_query($sql) or die('Couldn’t execute query.'); #31

$num = mysql_num_rows($result); #32
if ($num < 1) // user name/password not found #33
{
exit('The User Name or password you entered
is not valid.<br>');
} #37
} #38
// Web page content. #39
include(“Welcome.inc”); #40
?>
Right now, it gets up to line #31, then outputs "Couldn't execute query". I'm guessing it has something to do with the fact that it executes nothing even with the command echo $user_name;

Posted: Tue Jul 03, 2007 5:00 pm
by volka
$_SERVER[‘PHP_AUTH_USER’]
should be

Code:

$_SERVER['PHP_AUTH_USER']
user_name = ‘$user_name’ AND password = md5(‘$user_password’)
should be

Code:

user_name = '$user_name' AND password = md5('$user_password')

please try

Code:

$database = 'useraccount';

$connection = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
$db = mysql_select_db($database,$connection)or die ('Couldn’t select database.');

$user_name = mysql_real_escape_string($_SERVER['PHP_AUTH_USER'], $connection); #21
$user_password = md5(trim($_SERVER['PHP_AUTH_PW']));

$sql = "SELECT user_name FROM valid_user WHERE user_name='$user_name' AND `password`='$user_password'";
echo '<div>Debug: ', htmlentities($sql), "</div>\n";
$result = mysql_query($sql) or die(mysql_error()); #31

Posted: Tue Jul 03, 2007 5:58 pm
by nfw24
It does indeed now work! Thanks :D

Posted: Tue Jul 03, 2007 7:01 pm
by volka
Please also note that mysql_real_escape_string has been applied to PHP_AUTH_USER to avoid problems with characters that cause trouble in an SQL statement. See http://de3.php.net/security.database.sql-injection
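As an added example (not code from this thread), the same Basic-auth check rewritten so that it goes a step beyond volka's mysql_real_escape_string() fix: the user name is bound as a prepared-statement parameter instead of being escaped into the SQL text, and the stored md5() value is replaced by a password_hash() value checked with password_verify(). Assumed: PHP 7.1+ with the PDO MySQL driver, a valid_user(user_name, password_hash) table, and placeholder database credentials.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.1+, PDO with
// the MySQL driver, and a table valid_user(user_name, password_hash) whose
// password_hash column holds password_hash() output (assumed schema).
// $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'] are only populated when PHP
// runs as an Apache module (sapi apache2handler), as in the thread.

function authenticate(): void {
    header('WWW-Authenticate: Basic realm="Test Authentication System"');
    header('HTTP/1.0 401 Unauthorized');
    echo "You must enter a valid login ID and password to access this resource\n";
    exit;
}

// Returns true only when the user exists and the password matches its hash.
function check_credentials(PDO $db, string $user, string $pass): bool {
    // The user name is sent as a bound parameter, so quotes or comment
    // sequences inside it can never become part of the SQL statement.
    $stmt = $db->prepare('SELECT password_hash FROM valid_user WHERE user_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown so the
    // response time does not reveal whether the user name exists.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    // Evaluate password_verify() first so the work is done in both cases.
    return password_verify($pass, $hash) && $row !== false;
}

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    authenticate();
}

// Placeholder credentials: a dedicated low-privilege account, not root.
$db = new PDO('mysql:host=localhost;dbname=useraccount;charset=utf8mb4',
              'app_user', 'app_password',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (!check_credentials($db, $_SERVER['PHP_AUTH_USER'], trim($_SERVER['PHP_AUTH_PW']))) {
    // Re-issue the challenge instead of saying which part was wrong.
    authenticate();
}

// Web page content.
include 'Welcome.inc';
```

Existing md5() rows cannot be verified by password_verify(); they have to be rehashed with password_hash() the next time each user logs in successfully.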