Fill .htpasswd from db ??

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

pookie62
Forum Commoner
Posts: 92
Joined: Tue Dec 07, 2004 2:44 pm

Post by pookie62 »

Hi,

Is it possible, instead of writing the .htpasswd file manually, to let a PHP script read the database?
I already have a database with users and passwords which I could use for authentication.
If you could give me an example of code, that would be great!

Thanks
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I believe there's a mysql module for apache that might be a good approach.

Failing that, have your .htpasswd file writable to the www user (usually "nobody", or "www"), then:

Code:

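// Note: mysql_* (ext/mysql) was removed in PHP 7.0; on current PHP use mysqli or PDO for these calls
$query = "select username, password from table"; // Pull data from DB ("table" is a placeholder name)
$result = mysql_query($query) or die (mysql_error());

$handle = fopen('/path/to/.htpasswd', 'w+'); // Open file for writing (truncates the existing file)
if ($handle === false) die("Could not open .htpasswd");

$text = '';

while ($row = mysql_fetch_assoc($result)) // Loop through all data
{
    // ':' separates the fields and a line break starts a new entry,
    // so skip any username that would corrupt the file
    if (strpbrk($row['username'], ":\r\n") !== false) continue;

    $text .= $row['username'].':'.$row['password']."\n"; // Use \r\n on Windows
}

// fwrite() returns false on failure; writing 0 bytes is not an error
if (fwrite($handle, $text) !== false) echo "Success"; // Try writing the list to the file
else echo "Failed";

fclose($handle);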

Post by pookie62 »

Hi d11wtq,

Thanks very much !! :D
I'm going to try this and let you know the results.
Cheers
Hans

Post by Chris Corbyn »

pookie62 wrote:
> Hi d11wtq,
>
> Thanks very much !! :D
> I'm going to try this and let you know the results.
> Cheers
> Hans

Good good ;)

Make sure that the passwords are stored in the correct htpasswd format.
Convert them if not.... if they're already md5'ed then you may struggle.

Post by pookie62 »

> Make sure that the passwords are stored in the correct htpasswd format.
> Convert them if not.... if they're already md5'ed then you may struggle

With correct htpassword format you mean like username:password
I take it you probably know a script to md5 the password ?
Can I combine the read/write action with converting the pw's ?

Sorry for all these questions..

Post by Chris Corbyn »

pookie62 wrote:
> > Make sure that the passwords are stored in the correct htpasswd format.
> > Convert them if not.... if they're already md5'ed then you may struggle
>
> With correct htpassword format you mean like username:password
> I take it you probably know a script to md5 the password ?
> Can I combine the read/write action with converting the pw's ?
>
> Sorry for all these questions..

Well, technically you should *never* store plain text passwords in your database, but in this case, if you have done that you may be in luck :lol:

Normally you would store the MD5('password') -- using mysql's built in md5() function or php's version. You then take the md5() hash of the password sent from a HTML form and compare that against the md5 hash in the database.... it's just more secure.

There's SHA1 and SHA256 (see snippets) too.

The passwords which .htpasswd uses are not md5 however. They are not plain text either. htpasswd uses a special format that you'd usually create using a command called htpasswd.

There are scripts out there to convert plain text to htpasswd format though if you have a google around ;)

If you are storing your passwords in the database as plain text I'd suggest hashing them and then using the same hashing algorithm at the login side also ;)
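
The conversion discussed above, for the case where the database holds plain-text passwords, as an added example that is not part of any post in this thread. It assumes PHP 7.1 or later and Apache httpd 2.4 (which accepts bcrypt `$2y$` entries in .htpasswd); the function names, the `username`/`password` row keys and the sample rows are hypothetical.

```php
<?php
// Added example; function names, row layout and sample rows are constructed.
/** Return one "user:hash" line, or null if the username is unsafe to store. */
function htpasswd_line(string $user, string $plain): ?string
{
    // ':' separates the two fields and a line break starts a new entry, so a
    // username containing either would corrupt the file or inject an entry.
    if ($user === '' || strlen($user) > 255 || preg_match('/[:\x00-\x1f\x7f]/', $user)) {
        return null;
    }
    // PASSWORD_BCRYPT yields a "$2y$" hash, which Apache httpd 2.4 can verify.
    return $user . ':' . password_hash($plain, PASSWORD_BCRYPT);
}

/** Build the file body; returns [body, list of skipped usernames]. */
function build_htpasswd(array $rows): array
{
    $lines = $skipped = [];
    foreach ($rows as $row) {
        $line = htpasswd_line($row['username'], $row['password']);
        if ($line === null) {
            $skipped[] = $row['username'];
        } else {
            $lines[$row['username']] = $line; // a repeated username keeps the last row
        }
    }
    return [$lines ? implode("\n", $lines) . "\n" : '', $skipped];
}

/** Write to a private temp file, then rename, so readers never see a partial file. */
function write_htpasswd(string $path, string $body): bool
{
    $tmp = $path . '.' . bin2hex(random_bytes(6)) . '.tmp';
    $old = umask(0077); // temp file is created with mode 0600
    $ok = file_put_contents($tmp, $body) !== false && rename($tmp, $path);
    umask($old);
    if (!$ok) { @unlink($tmp); }
    return $ok;
}

// Constructed rows standing in for the database result set.
$rows = [
    ['username' => 'hans', 'password' => 'correct horse battery'],
    ['username' => "eve\nadmin", 'password' => 'x'], // rejected: embedded line break
];
[$body, $skipped] = build_htpasswd($rows);
$ok = write_htpasswd(sys_get_temp_dir() . '/example.htpasswd', $body);
printf("%swritten=%s skipped=%d\n", $body, var_export($ok, true), count($skipped));
```

The file ends up mode 0600 and owned by the PHP process user, which fits the setup described in the thread where that user is also the one Apache runs as.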
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

$_SERVER['PHP_AUTH_USER']
$_SERVER['PHP_AUTH_PW']

Might be what you want to look into.

You can use this to create an authorisation without .htaccess and .htpasswd directly out of the database.

You might also look into mod_auth_mysql but I think this module is not developed further