Authentication is required by any online admin system. In this article, Havard introduces us to two types of PHP/MySQL authentication: dialogs and forms.
PHP, MySQL and Authentication 101 - HTTP Authentication (contd.) (Page 3 of 5)
Let's take a closer look at the different parts of this example.
function displayLogin()
{
    // Ask the browser for credentials in the realm "My Website" ...
    header("WWW-Authenticate: Basic realm=\"My Website\"");
    // ... and tell it the request was refused.
    header("HTTP/1.0 401 Unauthorized");
    echo "<h2>Authentication Failure</h2>";
    echo "The username and password provided did not work. Please reload this page and try again.";
    exit;
}

This function is called when either $PHP_AUTH_USER or $PHP_AUTH_PW isn't set, or when the MySQL query didn't find a matching user. The first header tells the browser which realm to ask credentials for, which is what makes it open its login window; the second header sets the 401 status so the browser knows the request was refused rather than served. Everything between the last header and "exit;" is the body of that 401 response, which the user sees if the credentials were rejected or if Cancel was pressed in the login window. The exit call matters: without it the rest of the page would still be sent after the failure message.

Browsers cache Basic credentials per protection space, that is per host and realm name, so the realm string must be identical on every protected page. If one page uses a different realm, the browser treats it as a separate space and prompts for credentials again.
if (!isset($PHP_AUTH_USER) || !isset($PHP_AUTH_PW)) {
    // If username or password hasn't been set, display the login request.
    displayLogin();
} else {
    // Escape the username so it can't break out of the query, and hash the
    // password so it can be compared with the md5 checksum stored in the table.
    $PHP_AUTH_USER = addslashes($PHP_AUTH_USER);
    $PHP_AUTH_PW = md5($PHP_AUTH_PW);

    // Check username and password against the database.
    $result = mysql_query("SELECT count(id) FROM users WHERE password='$PHP_AUTH_PW' AND username='$PHP_AUTH_USER'") or die("Couldn't query the user-database.");
    $num = mysql_result($result, 0);

    if (!$num) {
        // If there were no matching users, show the login request again.
        displayLogin();
    }
}
In this code we first check whether $PHP_AUTH_USER or $PHP_AUTH_PW hasn't been set. If either is missing, we call the displayLogin() function. If both the username and password have been set, we authenticate them against our database. Note that these two variables only exist as globals with register_globals enabled; since PHP 4.1 they are available as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], and the mysql_* functions used here were removed in PHP 7. By the way, we're now using the built-in md5() function in PHP to create the checksum, instead of the MySQL MD5() function, so the hashing happens before the value reaches the query. An unsalted MD5 checksum is a weak way to store passwords, though: identical passwords produce identical rows and MD5 is fast to brute-force, so on current PHP use password_hash() and password_verify() instead.

If no row matched, meaning the user wasn't found or the password was wrong, we call the displayLogin() function.

We use the addslashes() function to escape the username before it is placed in the query string. Without it, a username containing a single quote would alter the SQL and, in the worst case, let the user read or change data they shouldn't. The password needs no escaping here because md5() returns only hexadecimal digits. addslashes() is not aware of the connection's character set, so the robust fix on current PHP is a prepared statement (mysqli or PDO), which keeps user input out of the SQL text altogether.
All code below the if construct will only be displayed to authenticated users.
Place the code above in a .php file, and include it at the top of every page you want authentication on, before any output is sent, since header() fails once output has started. This way you only have to edit one file in case you need to make changes to the authentication code.
What about logging out? If you'd like to make a logout function, you can use some PHP code like this:
if (isset($_REQUEST['logout']) && $_REQUEST['logout'] == true) {
    // To log out a user, call displayLogin() and resend the authentication headers.
    displayLogin();
}

By calling the displayLogin() function when the user is already logged in, we send a fresh 401 response, which causes the browser to display the authentication window and discard the credentials it had cached for the realm. HTTP Basic authentication has no logout in the protocol itself, so this relies on browser behaviour; it works on most browsers, but a few keep the credentials until the browser is closed. The isset() check avoids a notice when the parameter is absent. To log out with the code above you can add ?logout=true to the URL.
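The same include file rewritten for current PHP, with the logout handler from above folded in, as an added example that is not part of the original article. It replaces the register_globals variables with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], addslashes() with a PDO prepared statement, and the md5() comparison with password_verify(). The DSN, database account, table layout and messages are assumptions.

```php
<?php
// auth.php: added example, not the article's own code.
// Assumptions (hypothetical, replace with your own): PHP 7 or newer, PDO with
// the MySQL driver, the DSN and account below, and a table
// users(id, username, password) whose password column holds a value produced
// by password_hash($plaintext, PASSWORD_DEFAULT) when the account was created.

const AUTH_REALM = 'My Website';   // must be identical on every protected page

// Send the challenge and stop. The 401 status plus the WWW-Authenticate header
// is what makes the browser open its login dialog; the body is shown if the
// user presses Cancel.
function displayLogin(string $message)
{
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
    http_response_code(401);
    echo '<h2>Authentication Failure</h2>';
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    exit;
}

// Logout: a fresh 401 makes most browsers discard the cached credentials for
// this realm. Checked first so it also fires for an already logged-in user.
if (isset($_GET['logout'])) {
    displayLogin('You have been logged out. Reload this page to log in again.');
}

// Since PHP 4.1 the Basic-auth values live in $_SERVER, not in global
// variables; both keys are absent when no Authorization header was sent.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if ($user === null || $pass === null) {
    displayLogin('This page requires a username and password.');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // hypothetical DSN
    'app_user',                                           // hypothetical account
    'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// A prepared statement replaces addslashes(): the username travels to MySQL as
// a bound parameter and never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
$stmt->execute([$user]);
$storedHash = $stmt->fetchColumn();   // false when no such user

// password_verify() replaces the md5() comparison: it reads the salt and cost
// from the stored hash and compares in constant time.
if ($storedHash === false || !password_verify($pass, $storedHash)) {
    displayLogin('The username and password provided did not work. Please reload this page and try again.');
}

// Everything below this point, and every page that include()s this file, runs
// only for an authenticated user.
$currentUser = $user;
```

Include the file at the top of each protected page before any output. Existing rows holding MD5 checksums cannot be verified by password_verify(), so they need to be re-hashed at the user's next successful login or reset. Note that a missing user skips the hash computation and therefore responds faster than a wrong password; if that timing difference matters to you, run password_verify() against a fixed dummy hash in the missing-user case as well.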
The main problem I can see with this type of authentication is that it's not available in the CGI version of PHP: the web server does not pass the Authorization header on to CGI scripts, so $PHP_AUTH_USER and $PHP_AUTH_PW are never set. Although most servers run PHP as a module, some don't, and that would mean trouble for your authentication script. A second caveat applies everywhere: Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so it should only be used over HTTPS. Continue reading to learn another approach.