User Authentication With Apache And PHP - Heavy Iron (
Page 7 of 11 )
In the event that you want to validate user credentials
against information in a database, rather than a file, it's fairly easy to
modify the script on the previous page to work with this requirement. Let's
assume that the user data is stored in a MySQL table, which looks like this:
mysql> select * from user;
+----+----------+------------------+
| id | username | password |
+----+----------+------------------+
| 1 | john | 2ca0ede551581d29 |
| 2 | joe | 7b57f28428847751 |
| 3 | tom | 675bd1463e544441 |
| 4 | bill | 656d52cb5d0c13cb |
+----+----------+------------------+
4 rows in set (0.16 sec)
This is a simple two-column table, with the unique usernames
in one column and an encrypted password in the other. Now, when the user logs
in, the information entered into the form needs to be validated against the
information in this table.
Here's the modified "login.php" script:
<?
// login.php - performs validation
// authenticate using form variables
$status = authenticate($f_user, $f_pass);
// if user/pass combination is correct
if ($status == 1)
{
// initiate a session
session_start();
// register some session variables
session_register("SESSION");
// including the username
session_register("SESSION_UNAME");
$SESSION_UNAME = $f_user;
// redirect to protected page
header("Location: /inner.sanctum.php");
exit();
}
else
// user/pass check failed
{
// redirect to error page
header("Location: /error.php?e=$status");
exit();
}
// authenticate username/password against a database
// returns: 0 if username and password is incorrect
// 1 if username and password are correct
function authenticate($user, $pass)
{
// configuration variables
// normally these should be sourced from an external file
// for example: include("dbconfig.php");
// variables explicitly set here for illustrative purposes
$db_host = "localhost";
$db_user = "login_agent";
$db_pass = "secret";
$db_name = "system";
// check login and password
// connect and execute query
$connection = mysql_connect($db_host, $db_user, $db_pass) or die
("Unable to connect!");
$query = "SELECT id from user WHERE username = '$user' AND
password = PASSWORD('$pass')";
mysql_select_db($db_name);
$result = mysql_query($query, $connection) or die ("Error in
query: $query. " . mysql_error());
// if row exists -> user/pass combination is correct
if (mysql_num_rows($result) == 1)
{
return 1;
}
// user/pass combination is wrong
else
{
return 0;
}
}
?>
Most of the changes here are localized to the authenticate()
function. In this case, rather than reading a text file, the function uses PHP's
MySQL functions to connect to the database, execute a SELECT query, and verify
whether or not the information entered by the user was correct. Based on the
result code returned by the function, a decision can be taken whether to
redirect the user to the protected page or to the error handler.
There's
one important thing to note when performing this kind of authentication. From
the security point of view, it's not a good idea to include the password field
in the result set returned by the query. Rather, you should perform validation
by using the password as a key (via the WHERE clause) within the SELECT query.
If a match is found for that particular username/password combination, the
returned record set will contain a single row; if no match is found, the record
set will contain zero rows. Either way, it's possible to identify whether or not
validation was successful, and return an appropriate result code, without ever
passing any sensitive password information back and forth.