Dynamic authentication
A far better method to authenticate users is to compare their credentials to a members database table. By storing all your data in a database, you can easily add, edit, and revoke access permissions using PHP pages and a little SQL.
Execute this query at your MySQL prompt to create the table necessary to store our authentication details:
CREATE TABLE userauth (ID INT NOT NULL AUTO_INCREMENT PRIMARY KEY, Username VARCHAR(30), Password VARCHAR(30));
Even if you skipped the chapter on databases, you should be able to make out that the above command will create a table named "userauth" which contains three data fields in each row - an ID integer, a variable length character field "Username", and a variable length character field "Password" - just enough information to authenticate users. The ID is there to identify rows uniquely; we can refer to an authenticated user as a number, rather than as a user and password.
To allow users to add themselves to the authentication list, create a new file, addauth.php, and enter the following code:
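<html>
<body>
<?php
    if (isset($_POST['username'], $_POST['password'])) {
        mysql_connect("localhost", "phpuser", "alm65z");
        mysql_select_db("phpdb");
        // Escape both values and quote them as SQL strings so input cannot change the query
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['password']);
        mysql_query("INSERT INTO userauth (Username, Password) VALUES ('$username', '$password');");
        // Encode the name before echoing it back into the page
        print "Welcome to the system, " . htmlspecialchars($_POST['username']) . "!";
    } else {
?>
<form method="post" action="addauth.php">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value=" Add User " />
</form>
<?php } ?>
</body>
</html>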
Note that I am using the database "phpdb". You may need to create this - use "create database phpdb;" from the MySQL command prompt.
With a call to mysql_query() near the top of the script, the new username and password are inserted into our table and a short confirmation message is sent back to the client.
Try running the script just by itself - you can monitor changes to your userauth database table from the MySQL command line by using the MySQL command:
SELECT * FROM userauth;
Now that users can be dynamically added using addauth.php, let's modify our original auth.php script to check input against what we have in our database.
// amend the following line
if (($_SERVER['PHP_AUTH_USER'] == 'paul') && ($_SERVER['PHP_AUTH_PW'] == 'hudson')) {
// to this...
mysql_connect("localhost", "phpuser", "alm65z");
mysql_select_db("phpdb");
// Escape the client-supplied credentials before placing them in the query
$user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
$pass = mysql_real_escape_string($_SERVER['PHP_AUTH_PW']);
$result = mysql_query("SELECT ID FROM userauth WHERE Username = '$user' AND Password = '$pass';");
if ($result && mysql_num_rows($result)) {
Rather than comparing the username and password to prewritten values, we now check whether they are found in our userauth table. If mysql_num_rows($result) returns one or more rows, it means we have at least one member with the credentials provided, so we should allow them access.
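The sign-up and login check from this chapter, rewritten with bound parameters and hashed passwords, as an added example that is not part of the original chapter. It assumes PHP 5.5 or later with PDO; the function names are hypothetical, the Password column is widened to hold a hash, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not from the original page. Assumes PDO with the pdo_sqlite
// driver; for MySQL, change only the DSN passed to new PDO().
function open_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Password is wide enough for a password_hash() result, not the raw password.
    $db->exec('CREATE TABLE userauth (
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        Username VARCHAR(30) UNIQUE,
        Password VARCHAR(255))');
    return $db;
}

function add_user(PDO $db, $username, $password) {
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO userauth (Username, Password) VALUES (?, ?)');
    $stmt->execute(array($username, password_hash($password, PASSWORD_DEFAULT)));
    return (int) $db->lastInsertId();
}

function check_login(PDO $db, $username, $password) {
    // Look the user up by name only; the password is never part of the query.
    $stmt = $db->prepare('SELECT ID, Password FROM userauth WHERE Username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash; return the row ID on success, false otherwise.
    if ($row && password_verify($password, $row['Password'])) {
        return (int) $row['ID'];
    }
    return false;
}

// Constructed sample data: a username containing a quote is stored and matched as plain data.
$db = open_db();
$id = add_user($db, "o'brien", 'correct horse');
var_dump(check_login($db, "o'brien", 'correct horse') === $id); // valid credentials
var_dump(check_login($db, "o'brien", 'wrong'));                 // bad password
var_dump(check_login($db, 'nobody', 'correct horse'));          // unknown user
```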

Copyright 2010 Future Publishing Limited (company
registered number 2008885), a company registered
in England and Wales whose registered office is at
Beauford Court, 30 Monmouth Street, Bath, BA1 2BW, UK