PHP, MySQL and Authentication 101 - Authentication 101
(Page 2 of 5)
We will be making use of a MySQL database to store the usernames and passwords of our authenticated users. First we have to set up the database and its tables. Run this set of commands through the MySQL console application:
CREATE DATABASE mydatabase;
USE mydatabase;
CREATE TABLE users (
  userId SMALLINT(3) UNSIGNED NOT NULL AUTO_INCREMENT,
  userName VARCHAR(30) NOT NULL,
  userPass VARCHAR(32) NOT NULL,
  PRIMARY KEY (userId),
  UNIQUE KEY userName (userName)
);
The code above creates a database containing a table named users. We made the userName column a unique key to prevent having two users with the same username. Let's insert a user into the database, so we have something to authenticate against:
INSERT INTO users (userName, userPass) VALUES ('testUser', MD5('testPass'));
You may want to change the values for the username and password. The MD5() function is a built-in MySQL function, which calculates a 128-bit checksum for the provided string. The returned string is 32 characters long, hence we used VARCHAR(32) for the userPass column. We will be using this table throughout the article.
Now that we've created the database, table and a user, we can continue.
You should have PHP version 4.1.0 or above. If you have an earlier version you'll have to rewrite some of the code. This is because I'm using super global arrays such as $_SESSION and $_SERVER, which were introduced in PHP version 4.1.0.
HTTP Authentication
If PHP is installed as an Apache module, then you can use PHP's HTTP Authentication hook to pop up a username/password authentication window in the browser. This is done by sending some special parameters in the header() function. When the user has filled in both the username and password fields, the values can be accessed within a PHP script using the variables $PHP_AUTH_USER and $PHP_AUTH_PW.
Remember that this type of authentication only works when PHP is installed as an Apache module, which means that if you are using the CGI version, you can skim through this part of the article as we'll be discussing authentication through forms on the next page.
Let's take a look at some sample code:
<?PHP
function displayLogin() {
    header("WWW-Authenticate: Basic realm=\"My Website\"");
    header("HTTP/1.0 401 Unauthorized");
    echo "<h2>Authentication Failure</h2>";
    echo "The username and password provided did not work. Please reload this page and try again.";
    exit;
}
$db = mysql_connect('localhost','dbuser','dbpass') or die("Couldn't connect to the database.");
mysql_select_db('dbname') or die("Couldn't select the database");
// Read the credentials from $_SERVER so the script also works when register_globals is off.
$PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
if (!isset($PHP_AUTH_USER) || !isset($PHP_AUTH_PW)) {
    // If username or password hasn't been set, display the login request.
    displayLogin();
} else {
    // Escape the username to prevent users from inserting bogus data, and hash the password
    // so it can be compared with the MD5 value stored in userPass.
    $PHP_AUTH_USER = addslashes($PHP_AUTH_USER);
    $PHP_AUTH_PW = md5($PHP_AUTH_PW);
    // Check username and password against the database (column names as created in the users table).
    $result = mysql_query("SELECT count(userId) FROM users WHERE userPass='$PHP_AUTH_PW' AND userName='$PHP_AUTH_USER'") or die("Couldn't query the user-database.");
    $num = mysql_result($result, 0);
    if (!$num) {
        // If there were no matching users, show the login
        displayLogin();
    }
}
// All code/html below will only be displayed to authenticated users.
echo "Congratulations! You're now authenticated.";
?>
The code above produces a dialog authentication window, which looks like this:

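The same HTTP Basic check written for current PHP, as an added example that is not the article's code: the username is passed as a bound parameter instead of through addslashes(), and the password is stored and checked with password_hash()/password_verify() rather than unsalted MD5. It assumes PHP 5.5+ with PDO and a userPass column widened to VARCHAR(255); an in-memory SQLite table with a constructed user stands in for the MySQL table so the script runs on its own, and checkCredentials() and requestLogin() are names chosen for this example.

```php
<?php
// Added example, not the article's code. Assumes PHP 5.5+ with PDO, and that
// userPass is VARCHAR(255) so it can hold password_hash() output.

function requestLogin() {
    // 401 plus the Basic challenge makes the browser show its login dialog.
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="My Website"');
    echo "<h2>Authentication Failure</h2>";
    exit;
}

// Verified when the user is unknown, so both outcomes cost one hash check.
// Computed per request here for brevity; a deployment would store a fixed hash.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function checkCredentials(PDO $db, $userName, $password) {
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT userPass FROM users WHERE userName = ?');
    $stmt->execute(array($userName));
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // password_verify() reads the salt and cost from the stored hash.
    return password_verify($password, $stored);
}

// Constructed demo data. With the article's setup the DSN would be
// 'mysql:host=localhost;dbname=mydatabase' plus a database user and password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    userId INTEGER PRIMARY KEY,
    userName VARCHAR(30) NOT NULL UNIQUE,
    userPass VARCHAR(255) NOT NULL)');
$ins = $db->prepare('INSERT INTO users (userName, userPass) VALUES (?, ?)');
$ins->execute(array('testUser', password_hash('testPass', PASSWORD_DEFAULT)));

$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
if ($user === null || $pass === null || !checkCredentials($db, $user, $pass)) {
    requestLogin();
}
// All code/html below will only be displayed to authenticated users.
echo "Congratulations! You're now authenticated.";
```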
More By Havard Lindset