php-faq.com May 19, 2012, 1:36 am

 
  This is the unofficial PHP FAQ. The official PHP FAQ can be found at http://www.php.net/faq

 authorize.php -- Sample HTTP authorization script
 This uses a MySQL database. We have another example using hard-coded passwords, which is simpler to experiment with.
 Include this where you want to 'secure' a page. This is good for, say, an intranet or another safe environment.
 HTTP authentication sends the user name and password on every request, so it is like waving a flag asking to be captured by the wrong people.
 It won't work on Microsoft IIS because of IIS limitations (see the PHP manual). You should be using session authentication anyway! Sample to come soon.

  <?php
  // --------------------------------------------------
  // Authenticate - basic http authentication using mySQL
  // userNames are case-insensitive
  // passwords are stored as cleartext
  // this script will cause the browser to pop up
  // the network login window asking for user name and
  // password.  This happens when two headers are sent:
  // header('WWW-authenticate: basic realm="Secure Area"');
  // header("HTTP/1.0 401 Unauthorized");
  // The realm name can be anything you like.  Changing
  // a realm name causes a new authorization request.
  // --------------------------------------------------
  //
  // Register Globals = off
  // --------------------------
  //
  // Need to define the following vars before including 
  // this script:
  // $mysql_user -- mysql user name
  // $mysql_password -- mysql password
  // $mysql_db_name -- mysql database name
  // $mysql_host_name -- mysql host
  // $authRealm -- realm to authorize for, change this to re-auth or to log out
  // YOU WILL NEED TO CHANGE THE TABLE NAME, USER AND PASSWORD FIELD 
  // NAMES TO MATCH YOUR NEEDS
  //
  // usage (the PHP open and close tags are left out of this comment
  // because a close tag inside a // comment would end the script):
  // $mysql_user ="me";
  // $mysql_password="my_secret";
  // $mysql_db_name="my_database";
  // $mysql_host_name="my_mysql_server";
  // $authRealm = "My Realm Requires Login";
  // require "authorize.php";
  // echo "You are logged in if you see this";
  
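  // $_SERVER replaces $HTTP_SERVER_VARS, which was removed in PHP 5.4
  $PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
  $PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';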
  // -----------------------------------------------------------
  // if 1 of the auth variables aren't set then either this is the
  // first request or the user simply pressed ok without supplying
  // input so send the authenticate and status headers and exit
  // -----------------------------------------------------------
  if (empty($PHP_AUTH_USER) || empty($PHP_AUTH_PW)) {
  	Header("WWW-authenticate: basic realm=\"$authRealm\"");
  	Header("HTTP/1.0 401 Unauthorized");
  	echo "You failed to provide a valid user-id or password\n";
  	exit;
  } else {
  // ------------------------------------------------------
  // otherwise connect to db, and try to get user record.
  // User name is lower case so case isn't significant.
  // ------------------------------------------------------
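  	// mysqli replaces the mysql_* functions, which were removed in PHP 7
  	$db = mysqli_connect($mysql_host_name,$mysql_user,$mysql_password,$mysql_db_name);
  	if (!$db) {
  		// log the detail on the server, do not show it to the browser
  		error_log(mysqli_connect_error());
  		die("Database error\n");
  	}
  	$user_id = strtolower($PHP_AUTH_USER);
  	// the user name is bound as a parameter, never pasted into the SQL
  	$sql  = "SELECT userPassword from users";
  	$sql .=	" WHERE userName = ?";
  	$stmt = mysqli_prepare($db,$sql);
  	if (!$stmt) {
  		error_log(mysqli_error($db));
  		die("Database error\n");
  	}
  	mysqli_stmt_bind_param($stmt,"s",$user_id);
  	mysqli_stmt_execute($stmt);
  	mysqli_stmt_bind_result($stmt,$userPassword);
  	// fetch returns true only when a row was found
  	$found = (mysqli_stmt_fetch($stmt) === true);
  	mysqli_stmt_close($stmt);
  // ---------------------------------------------------
  // if password doesn't match or we didn't find the row
  // send the auth and status headers again
  // ---------------------------------------------------
  	// hash_equals compares the two strings exactly and in constant time
  	if (!$found || !hash_equals((string)$userPassword, $PHP_AUTH_PW)) {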
  		Header("WWW-authenticate: basic realm=\"$authRealm\"");
  		Header("HTTP/1.0 401 Unauthorized");
  		echo "You failed to provide a valid user-id or password\n";
  		exit;
  	}
  }
  
?>
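
The same check with the two weaknesses the page itself flags (cleartext passwords, credentials sent on every request) addressed, as an added example that is not code from php-faq.com. It assumes the page's `users` table with `userPassword` holding `password_hash()` output, PHP 7.1 or later with PDO, and that PHP sees `$_SERVER['HTTPS']` directly; `basic_auth_status()` and `deny()` are hypothetical names and the in-memory SQLite data is constructed.

```php
<?php
// Added example (not the page's code); userPassword is assumed to hold password_hash() output.

/** Returns 200 (authorized), 401 (send the challenge) or 403 (plain HTTP). */
function basic_auth_status(PDO $pdo, array $server): int
{
    // Credentials repeat on every request: never prompt for them over plain HTTP.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return 403;
    }
    $user = strtolower($server['PHP_AUTH_USER'] ?? '');
    $pw   = $server['PHP_AUTH_PW'] ?? '';
    if ($user === '' || $pw === '') {
        return 401;
    }
    // Prepared statement: the user name never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT userPassword FROM users WHERE userName = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();   // false when no such user
    // Unknown users are verified against a dummy hash so both paths do the same work.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($pw, is_string($hash) ? $hash : $dummy);
    return ($ok && is_string($hash)) ? 200 : 401;
}

/** Sends the response for a non-200 status and stops the script. */
function deny(int $status, string $realm): void
{
    if ($status === 401) {
        header('WWW-Authenticate: Basic realm="' . addcslashes($realm, '"\\') . '"');
    }
    http_response_code($status);
    echo $status === 401 ? "You failed to provide a valid user-id or password\n" : "HTTPS is required\n";
    exit;
}

// Web usage: $s = basic_auth_status($pdo, $_SERVER); if ($s !== 200) deny($s, $authRealm);
// Constructed demo (CLI only): in-memory SQLite stands in for the MySQL server.
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE users (userName TEXT PRIMARY KEY, userPassword TEXT)');
    $pdo->prepare('INSERT INTO users VALUES (?, ?)')
        ->execute(['alice', password_hash('constructed-pw', PASSWORD_DEFAULT)]);
    $req = ['HTTPS' => 'on', 'PHP_AUTH_USER' => 'Alice', 'PHP_AUTH_PW' => 'constructed-pw'];
    var_dump(basic_auth_status($pdo, $req));                              // stored hash matches
    var_dump(basic_auth_status($pdo, ['PHP_AUTH_PW' => 'wrong'] + $req)); // wrong password
    var_dump(basic_auth_status($pdo, ['HTTPS' => 'off'] + $req));         // plain HTTP request
}
```

Existing cleartext rows would need to be re-hashed with `password_hash()` before switching to this check.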

