Home arrow PHP arrow Page 7 - User Authentication With Apache And PHP

Heavy Iron - PHP

Want to restrict access to certain sections of your Web site?Or customize page content on the basis of user preferences? Or eventrack user movement across your site? Well, the bad news is that you'llneed to learn how to authenticate users on your site. The good news isthat this tutorial has everything you need to get started.

  1. User Authentication With Apache And PHP
  2. Back To Basics
  3. The Right Creds
  4. Hidden Costs
  5. Logging In
  6. Rank And File
  7. Heavy Iron
  8. Sock It To Me, Baby!
  9. Time To Live
  10. A Stitch In Time
  11. Closing Time
By: The Disenchanted Developer, (c) Melonfire
Rating: starstarstarstarstar / 59
March 13, 2002

print this article


In the event that you want to validate user credentials against information in a database, rather than a file, it's fairly easy to modify the script on the previous page to work with this requirement. Let's assume that the user data is stored in a MySQL table, which looks like this:

mysql> select * from user; +----+----------+------------------+ | id | username | password | +----+----------+------------------+ | 1 | john | 2ca0ede551581d29 | | 2 | joe | 7b57f28428847751 | | 3 | tom | 675bd1463e544441 | | 4 | bill | 656d52cb5d0c13cb | +----+----------+------------------+ 4 rows in set (0.16 sec)
This is a simple two-column table, with the unique usernames in one column and an encrypted password in the other. Now, when the user logs in, the information entered into the form needs to be validated against the information in this table.

Here's the modified "login.php" script:

<? // login.php - performs validation // authenticate using form variables $status = authenticate($f_user, $f_pass); // if user/pass combination is correct if ($status == 1) { // initiate a session session_start(); // register some session variables session_register("SESSION"); // including the username session_register("SESSION_UNAME"); $SESSION_UNAME = $f_user; // redirect to protected page header("Location: /inner.sanctum.php"); exit(); } else // user/pass check failed { // redirect to error page header("Location: /error.php?e=$status"); exit(); } // authenticate username/password against a database // returns: 0 if username and password is incorrect // 1 if username and password are correct function authenticate($user, $pass) { // configuration variables // normally these should be sourced from an external file // for example: include("dbconfig.php"); // variables explicitly set here for illustrative purposes $db_host = "localhost"; $db_user = "login_agent"; $db_pass = "secret"; $db_name = "system"; // check login and password // connect and execute query $connection = mysql_connect($db_host, $db_user, $db_pass) or die ("Unable to connect!"); $query = "SELECT id from user WHERE username = '$user' AND password = PASSWORD('$pass')"; mysql_select_db($db_name); $result = mysql_query($query, $connection) or die ("Error in query: $query. " . mysql_error()); // if row exists -> user/pass combination is correct if (mysql_num_rows($result) == 1) { return 1; } // user/pass combination is wrong else { return 0; } } ?>
Most of the changes here are localized to the authenticate() function. In this case, rather than reading a text file, the function uses PHP's MySQL functions to connect to the database, execute a SELECT query, and verify whether or not the information entered by the user was correct. Based on the result code returned by the function, a decision can be taken whether to redirect the user to the protected page or to the error handler.

There's one important thing to note when performing this kind of authentication. From the security point of view, it's not a good idea to include the password field in the result set returned by the query. Rather, you should perform validation by using the password as a key (via the WHERE clause) within the SELECT query. If a match is found for that particular username/password combination, the returned record set will contain a single row; if no match is found, the record set will contain zero rows. Either way, it's possible to identify whether or not validation was successful, and return an appropriate result code, without ever passing any sensitive password information back and forth.

>>> More PHP Articles          >>> More By The Disenchanted Developer, (c) Melonfire

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Hackers Compromise PHP Sites to Launch Attac...
- Red Hat, Zend Form OpenShift PaaS Alliance
- PHP IDE News
- BCD, Zend Extend PHP Partnership
- PHP FAQ Highlight
- PHP Creator Didn't Set Out to Create a Langu...
- PHP Trends Revealed in Zend Study
- PHP: Best Methods for Running Scheduled Jobs
- PHP Array Functions: array_change_key_case
- PHP array_combine Function
- PHP array_chunk Function
- PHP Closures as View Helpers: Lazy-Loading F...
- Using PHP Closures as View Helpers
- PHP File and Operating System Program Execut...
- PHP: Effects of Wrapping Code in Class Const...

Developer Shed Affiliates


Dev Shed Tutorial Topics: