15.4.4 Dynamic authentication
A far better method to authenticate users is to compare their credentials to a members database table. By storing all your data in a database, you can easily add, edit, and revoke access permissions using PHP pages and a little SQL.
Execute this query at your MySQL prompt to create the table necessary to store our authentication details:
CREATE TABLE userauth (ID INT NOT NULL AUTO_INCREMENT PRIMARY KEY, Username VARCHAR(30), Password VARCHAR(30));
Even if you skipped the chapter on databases, you should be able to make out that the above command will create a table named "userauth" which contains three data fields in each row - an ID integer, a variable length character field "Username", and a variable length character field "Password" - just enough information to authenticate users. The ID is there to identify rows uniquely; we can refer to an authenticated user as a number, rather than as a user and password.
To allow users to add themselves to the authentication list, create a new file, addauth.php, and enter the following code:
<html>
<body>
<?php
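if (isset($_POST['username'])) {
    mysql_connect("localhost", "phpuser", "alm65z");
    mysql_select_db("phpdb");
    // escape the submitted values and quote them as SQL strings
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    mysql_query("INSERT INTO userauth (Username, Password) VALUES ('$username', '$password');");
    // encode the username before echoing it back into the HTML page
    print "Welcome to the system, " . htmlspecialchars($_POST['username']) . "!";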
} else { ?>
<form method="post" action="addauth.php">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value=" Add User ">
</form>
<?php } ?>
</body>
</html>
Note that I am using the database "phpdb". You may need to create this - use "create database phpdb;" from the MySQL command prompt.
With a call to mysql_query() near the top of the script, the new username and password are inserted into our table and a short confirmation message is sent back to the client.

Try running the script just by itself - you can monitor changes to your userauth database table from the MySQL command line by using the MySQL command:
SELECT * FROM userauth;
Now that users can be dynamically added using addauth.php, let's modify our original auth.php script to check input against what we have in our database.
// amend the following line
if (($_SERVER['PHP_AUTH_USER'] == 'paul') && ($_SERVER['PHP_AUTH_PW'] == 'hudson')) {
// to this...
mysql_connect("localhost", "phpuser", "alm65z");
mysql_select_db("phpdb");
// escape the supplied credentials so they cannot alter the SQL statement
$user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
$pass = mysql_real_escape_string($_SERVER['PHP_AUTH_PW']);
$result = mysql_query("SELECT ID FROM userauth WHERE Username = '$user' AND Password = '$pass';");
if (mysql_num_rows($result)) {
Rather than comparing the username and password to prewritten values, we now check whether they are found in our userauth table. If mysql_num_rows($result) returns one or more rows, it means we have at least one member with the credentials provided, so we should allow them access.
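The scripts above store the password exactly as typed and build their SQL by string interpolation, and the mysql_* functions they call were removed in PHP 7.0. The following is an added example, not code from the book, showing the same add-user and check-user steps with PDO prepared statements and password_hash()/password_verify(). The helper names add_user() and check_user(), the in-memory SQLite DSN, and the widened Password column are assumptions made for the illustration.

```php
<?php
// Added example, not the book's code.
// Assumption: an in-memory SQLite database keeps this runnable without a server;
// for MySQL, change the DSN to "mysql:host=localhost;dbname=phpdb" plus credentials.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Password is widened to hold a hash; Username is unique so a lookup matches one row.
$db->exec('CREATE TABLE userauth (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    Username VARCHAR(30) NOT NULL UNIQUE,
    Password VARCHAR(255) NOT NULL)');

// Hypothetical helper: the insert addauth.php performs. Returns false if the name is taken.
function add_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO userauth (Username, Password) VALUES (?, ?)');
    try {
        // Placeholders send the values separately from the SQL text.
        return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        if ($e->getCode() == 23000) {   // SQLSTATE 23000: constraint violation
            return false;
        }
        throw $e;
    }
}

// Hypothetical helper: the check auth.php performs. Returns the user's ID or null.
function check_user(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT ID, Password FROM userauth WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['Password'])) {
        return (int) $row['ID'];
    }
    return null;
}

// Constructed sample input: a normal account, a name containing a quote, a duplicate.
var_dump(add_user($db, 'paul', 'hudson'));
var_dump(add_user($db, "o'brien", 'correct horse'));
var_dump(add_user($db, 'paul', 'another'));
var_dump(check_user($db, 'paul', 'hudson'));
var_dump(check_user($db, 'paul', 'wrong'));
var_dump(check_user($db, "o'brien", 'correct horse'));
```

Because only the hash is stored, the lookup selects the row by username and compares the password in PHP, rather than matching both columns in the WHERE clause as the query above does.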