it will probably need a bit of work to be used in your setup, for one I use PostgreSQL not MySQL, but hopefully it will be a start

also if you or anybody else can suggest any improvements please say, as they will be a help

p.s. I'm not a security expert so this is probably not very secure

<?php
// I have used * to hide certain details

// web site script is used on
$site = "*******";

// checks to see if id is passed to script
if (!isset($_GET['id'])) {
    header("Content-type: text/html");
    header("Status: 302 Moved");
    header("Location: $site/unauthorised.htm");
    exit;
}

// checks if id is only made up of numbers
if (!preg_match('/^[0-9]{1,}\z/', $_GET['id'])) {
    header("Content-type: text/html");
    header("Status: 302 Moved");
    header("Location: $site/unauthorised.htm");
    exit;
}

session_start();

// sets id var from what was sent to page
$id = $_GET['id'];

// checks if user has tried to logon before in the same session
if (!isset($_SESSION['authrealm'])) {
    // sets id in a session var
    $_SESSION['authrealm'] = $_GET['id'];
}

// checks if user is trying to logon to a different company page
if ($_SESSION['authrealm'] != $_GET['id']) {
    // resets username and password to blank
    unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    $_SESSION['authrealm'] = $_GET['id'];
}
$authrealm = $_SESSION['authrealm'];

if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // if username hasn't been set before for this realm, prompts user for username/password
    header("WWW-Authenticate: Basic realm=\"$id\"");
    header('Status: 401 Unauthorized');
    exit;
}
$PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
$PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

// opens database connection
$connstr = "dbname=**** user=****";
$dbh = pg_connect($connstr);

// sets the SQL statement to receive the user/password for that id
$sql = "SELECT * FROM **** WHERE **** = $1";

// executes the SQL statement on the database, passing the id as a bound parameter
$passdb = pg_query_params($dbh, $sql, array($authrealm));

// if the database query failed send to unauthorised page
if (!$passdb) {
    header("Content-type: text/html");
    header("Status: 302 Moved");
    header("Location: $site/unauthorised.htm");
    exit;
}

// if there is no entry in the database for this id then redirect to unauthorised page
if (pg_num_rows($passdb) == 0) {
    header("Content-type: text/html");
    header("Status: 302 Moved");
    header("Location: $site/unauthorised.htm");
    exit;
}

$data = pg_fetch_row($passdb, 0);

// if the row could not be fetched then redirect to unauthorised page
if (!$data) {
    header("Content-type: text/html");
    header("Status: 302 Moved");
    header("Location: $site/unauthorised.htm");
    exit;
}

// sets username into var $login
$login = $data[1];

// sets a key for the md5 hash (replace stars with numbers except the first one)
$key = (($id * ****^*) / ****^*);

// encrypts the password
$hash = md5($id.$PHP_AUTH_PW.$key);

// returns encrypted password from database
$pass = $data[2];

// checks username/password entered against the ones in the database
// if correct continues on, if wrong redirects you to the unauthorised page
if (($PHP_AUTH_USER !== $login) || !hash_equals($pass, $hash)) {
    header("Content-type: text/html");
    header("Status: 302 Moved");
    header("Location: $site/unauthorised.htm");
    exit;
}

pg_close($dbh);
?>

regards

Mark Cubitt

> -----Original Message-----
> From: Sebastian [mailto:[EMAIL PROTECTED]]
> Sent: 20 February 2003 09:35
> To: [EMAIL PROTECTED]
> Subject: [PHP] AUTH (.htaccess style)
>
>
> Greetings.
>
> I have a member system in which each user has a unique ID, username
> and password.
>
> I want to secure some of my scripts with .htaccess style login.
> Basically I would like to fetch the username and password from
> mysql database, the password is encrypted using md5 hash.
>
> I would like the ability to include the file into any script I
> would like to protect and validate the user based on the
> information that is stored on the mysql database.
>
> Conclusion: Does anyone know of a handy script that I could use?
>
> Thanks in advance.
>
> Sebastian - [BBR] Gaming Clan
> http://www.BroadBandReports.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
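
An added example, not part of the original thread and not either poster's code: an include-able HTTP Basic check of the kind the question asks for, which accepts the stored md5 digests with a constant-time comparison and produces a `password_hash()` replacement on successful login. It assumes the stored value is a plain `md5(password)` hex digest; `find_user()`, `verify_password()`, `require_basic_auth()` and the sample record are hypothetical names and constructed data.

```php
<?php
// Added example, not code from the thread. find_user() and its sample record
// are constructed stand-ins for the real database lookup.
function find_user(string $login): ?array
{
    // Constructed record: legacy unsalted md5 of the password "s3cret".
    $users = ['alice' => ['login' => 'alice', 'hash' => md5('s3cret')]];
    return $users[$login] ?? null;
}

// Verifies $password against $stored, which may be a legacy 32-hex md5 digest
// or password_hash() output. $rehash is set when the record should be upgraded.
function verify_password(string $password, string $stored, ?string &$rehash = null): bool
{
    $rehash = null;
    if (preg_match('/^[0-9a-f]{32}\z/', $stored)) {
        // Legacy digest: constant-time comparison of the two hex strings.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $rehash = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $rehash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Include this file and call require_basic_auth() at the top of a protected
// script. Returns the login on success; otherwise sends 401 and stops.
function require_basic_auth(string $realm): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    $row  = is_string($user) ? find_user($user) : null;
    $rehash = null;
    if ($row === null || !verify_password($pass, $row['hash'], $rehash)) {
        // $realm must be a fixed string chosen by the caller, never user input.
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        http_response_code(401);
        exit('Authentication required');
    }
    // When $rehash is set, store it so the md5 digest is retired for this user.
    return $row['login'];
}
```

Basic credentials travel base64-encoded in every request, so the protected scripts need to be served over HTTPS.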