Authenticate and Track Users with PHP
Page 4
Authenticate Against a Database
The final example shows how to match usernames and passwords to a list residing in a database table. This example uses PHP's MySQL connection functions, but feel free to substitute any of the built-in database connectivity functions in order to make this work in your own environment.
Suppose that your table is called Users and looks something like this:
+-------------+----------+----------+
| real_name   | username | password |
+-------------+----------+----------+
| Joe Smith   | joe      | ai890d   |
+-------------+----------+----------+
| Jane Smith  | jane     | 29hj0jk  |
+-------------+----------+----------+
| Mary Smith  | mary     | fsSS92   |
+-------------+----------+----------+
| Bob Smith   | bob      | 2NNg8ed  |
+-------------+----------+----------+
| Dilbert     | dilbert  | a76zFs   |
+-------------+----------+----------+
To find a match between a username and a password, your SQL statement could be:
SELECT *
FROM users
WHERE username='$PHP_AUTH_USER' and password='$PHP_AUTH_PW'
In English, that reads, "Return a result when the value entered in $PHP_AUTH_USER and the value entered in $PHP_AUTH_PW match the username and password fields in my Users table."
So you're looking to get some sort of result value from your SQL statement. Counting the number of matched rows will do the trick, since the number will be either zero (no matches) or one (someone in your Users table has that username/password combination):
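// connect to MySQL
$db = mysqli_connect("hostname", "username", "password")
    or die ("Unable to connect to database.");
// select database on MySQL server
mysqli_select_db($db, "dev_i2ii_com")
    or die ("Unable to select database.");
// Formulate the query. Each ? is a placeholder for a submitted value,
// so the input is never pasted into the SQL text.
$sql = "SELECT *
    FROM users
    WHERE username=? and password=?";
// Bind $PHP_AUTH_USER and $PHP_AUTH_PW to the placeholders,
// execute the query and put results in $result
$stmt = mysqli_prepare($db, $sql)
    or die ("Unable to prepare query.");
mysqli_stmt_bind_param($stmt, "ss", $PHP_AUTH_USER, $PHP_AUTH_PW);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
// Get number of rows in $result. 0 if invalid, 1 if valid.
$num = mysqli_num_rows($result);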
Now, put the connection sequence in the context of your authentication script. If you want to test this script and you authenticated yourself with the script on the previous page, you may need to close down and re-launch your browser.
<?php
// File Name: auth04.php
// register_globals no longer exists in PHP, so copy the credentials
// the browser sent out of $_SERVER
$PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
// Check to see if $PHP_AUTH_USER already contains info
if (!isset($PHP_AUTH_USER)) {
    // If empty, send header causing dialog box to appear
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
} else {
    // If non-empty, check the database for matches
    // connect to MySQL
    $db = mysqli_connect("hostname", "username", "password")
        or die ("Unable to connect to database.");
    // select database on MySQL server
    mysqli_select_db($db, "dev_i2ii_com")
        or die ("Unable to select database.");
    // Formulate the query. Each ? is a placeholder for a submitted value,
    // so the input is never pasted into the SQL text.
    $sql = "SELECT *
        FROM users
        WHERE username=? and password=?";
    // Bind the credentials, execute the query and put results in $result
    $stmt = mysqli_prepare($db, $sql)
        or die ("Unable to prepare query.");
    mysqli_stmt_bind_param($stmt, "ss", $PHP_AUTH_USER, $PHP_AUTH_PW);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    // Get number of rows in $result. 0 if invalid, 1 if valid.
    $num = mysqli_num_rows($result);
    if ($num != 0) {
        echo "<p>You're authorized!</p>";
        exit;
    } else {
        header('WWW-Authenticate: Basic realm="My Private Stuff"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    }
}
?>
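The Users table above keeps passwords in plaintext and compares them inside the SQL statement. As an added example that is not part of the original article, the same check can store only a hash of each password and verify it in PHP after looking the row up by username. It assumes PDO with an in-memory SQLite database standing in for MySQL so that it runs offline, a password_hash column in place of password, and hypothetical helpers make_demo_db() and check_login(); the sample rows are constructed.

```php
<?php
// Added example (not from the original article). Assumptions: PDO with an
// in-memory SQLite database stands in for MySQL, and a password_hash column
// replaces the plaintext password column. Helper names are hypothetical.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (real_name TEXT, username TEXT UNIQUE, password_hash TEXT)');
    // Constructed sample rows: only a salted hash of each password is stored.
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    $ins->execute(['Joe Smith', 'joe', password_hash('ai890d', PASSWORD_DEFAULT)]);
    $ins->execute(["Pat O'Brien", "o'brien", password_hash('k2Lm9x', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login(PDO $db, ?string $user, ?string $pw): bool {
    if ($user === null || $pw === null) {
        return false; // browser has not sent credentials yet
    }
    // The username is bound as data, and the password never enters the SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched the username.
    return is_string($hash) && password_verify($pw, $hash);
}

$db = make_demo_db();
// Constructed login attempts.
$attempts = [
    ['joe', 'ai890d'],       // known user, right password
    ['joe', 'fsSS92'],       // known user, wrong password
    ["o'brien", 'k2Lm9x'],   // apostrophe in the username is handled as plain data
    ['mary', 'fsSS92'],      // user not present in this demo table
];
foreach ($attempts as [$user, $pw]) {
    $verdict = check_login($db, $user, $pw) ? 'authorized' : '401 Unauthorized';
    printf("%-10s %-10s %s\n", $user, $pw, $verdict);
}
```

In auth04.php, check_login() would be called with the values from $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], and a false result would send the 401 headers.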
You've learned at least one way of limiting access to specific users that will work in your development environment. In the next section, we'll take a look at cookies. Now that you've got authorized users in your system, you're going to track who they are and what they're doing.