This mail doesn't seem to have gone through first time so here it is again,
sorry if the first mail does eventually turn up.

It will probably need a bit of work to be used in your setup; for one, I use
postgresql not mysql, but hopefully it will be a start

also if you or anybody else can suggest any improvements please say as they
will be a help

p.s. I'm not a security expert so this is probably not very secure

<?php

// I have used * to hide certain details

// web site script is used on
$site = "*******";

// checks to see if id is passed to script
if (!isset($_GET['id']))
                {
                Header("Content-type: text/html");
                Header("Status: 302 Moved");
                Header("Location: $site/unauthorised.htm");
                exit;
                }

// checks if id is only made up of numbers
if (!ereg("^[0-9]{1,}$", $_GET['id']))
                {
                Header("Content-type: text/html");
                Header("Status: 302 Moved");
                Header("Location: $site/unauthorised.htm");
                exit;
                }

session_start();

// sets id var from what was sent to page
$id = $_GET['id'];

// checks if user has tried to logon before in the same session
if (!session_is_registered("authrealm"))
        {
        // sets id in a session var
        session_register("authrealm");
        $authrealm = $_GET['id'];
        }

// checks if user is trying to logon to a different company page
if ($authrealm != $_GET['id'])
        {
        // resets username and password to blank
        $PHP_AUTH_USER = '';
        unset($PHP_AUTH_USER);
        $PHP_AUTH_PW = '';
        unset($PHP_AUTH_PW);
        $authrealm = $_GET['id'];
        }

if (!IsSet($PHP_AUTH_USER))
        {
        // if username hasn't been set before for this realm, prompts user for username/password
        Header("WWW-Authenticate: Basic realm=\"$id\"");
        Header('Status: 401 Unauthorized');
        exit;
        }

// opens database connection
$connstr = "dbname=**** user=****";
$dbh = pg_connect($connstr);

// sets the SQL statement to retrieve the user/password for that id
$sql = "SELECT * FROM **** WHERE **** = '$authrealm'";

// executes the SQL statement on the database
$passdb = pg_exec($dbh, $sql);

// if the query failed send to unauthorised page
if (!$passdb)

        {
        Header("Content-type: text/html");
        Header("Status: 302 Moved");
        Header("Location: $site/unauthorised.htm");
        exit;
        }

// if there is no entry in the database for this id then redirect to unauthorised page
if (pg_numrows($passdb) == '0')

        {
        Header("Content-type: text/html");
        Header("Status: 302 Moved");
        Header("Location: $site/unauthorised.htm");
        exit;
        }

$data = pg_fetch_row($passdb, 0);

// if the row could not be fetched then redirect to unauthorised page
if (!$data)

        {
        Header("Content-type: text/html");
        Header("Status: 302 Moved");
        Header("Location: $site/unauthorised.htm");
        exit;
        }

// sets username into var $login
$login = $data[1];

// sets a key for the md5 hash (replace stars with numbers except the first one)
$key = (($id * ****^*) / ****^*);

// encrypts the password
$hash = md5($id.$PHP_AUTH_PW.$key);

// returns encrypted password from database
$pass = $data[2];

// checks username/password entered against the ones in the database
// if correct continues on, if wrong redirects you to the unauthorised page
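// (compares the variables themselves: the original "!$a == '$b'" form negated
// the left side first and compared it to a literal string, so it never rejected)
if (($PHP_AUTH_USER != $login) || ($pass != $hash))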

        {
        Header("Content-type: text/html");
        Header("Status: 302 Moved");
        Header("Location: $site/unauthorised.htm");
        exit;
        }

pg_close($dbh);

?>

regards

Mark Cubitt

> -----Original Message-----
> From: Sebastian [mailto:[EMAIL PROTECTED]]
> Sent: 20 February 2003 09:35
> To: [EMAIL PROTECTED]
> Subject: [PHP] AUTH (.htaccess style)
>
>
> Greetings.
>
> I have a member system in which each user has a unique ID, username
> and password.
>
> I want to secure some of my scripts with .htaccess style login,
> Basically I would like to fetch the username and password from
> mysql database, the password is encrypted using md5 hash.
>
> I would like the ability to include the file into any script I
> would like to protect and validate the user based on the
> information that is stored on the mysql database.
>
> Conclusion: Does anyone know of a handy script that I could use?
>
> Thanks in advance.
>
> Sebastian - [BBR] Gaming Clan
> http://www.BroadBandReports.com


-- 
PHP General Mailing List (http://www.php.net/)
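
Added example, not part of the original mail or the poster's code: the same "include this file to protect a page" check written for current PHP, with the id validated, the query parameterised, and the password checked with password_verify() instead of a keyed md5. The table and column names (realm_users, realm_id, login, pass_hash) and the sample account are assumptions made up for the example.

```php
<?php
// Added example, not the poster's script. Table and column names
// (realm_users, realm_id, login, pass_hash) and the sample account are constructed.

// Pure check: true only if the id is numeric and both credentials match the row.
function check_basic_auth(string $realmId, ?string $user, ?string $pw, callable $lookup): bool
{
    if (!ctype_digit($realmId) || $user === null || $pw === null) {
        return false;
    }
    $row = $lookup($realmId);   // ['login' => ..., 'pass_hash' => ...] or null
    if ($row === null) {
        return false;
    }
    // Evaluate both comparisons, then combine; each must succeed.
    $userOk = hash_equals($row['login'], $user);
    $passOk = password_verify($pw, $row['pass_hash']);
    return $userOk && $passOk;
}

// PostgreSQL lookup with a bound parameter instead of string interpolation.
function pg_lookup($dbh): callable
{
    return function (string $realmId) use ($dbh): ?array {
        $res = pg_query_params($dbh,
            'SELECT login, pass_hash FROM realm_users WHERE realm_id = $1', [$realmId]);
        $row = $res ? pg_fetch_assoc($res) : false;
        return $row ?: null;
    };
}

// Include-and-call gate for a protected page: 401 challenge unless the check passes.
function require_basic_auth(string $realmId, callable $lookup): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pw   = $_SERVER['PHP_AUTH_PW'] ?? null;
    if (!check_basic_auth($realmId, $user, $pw, $lookup)) {
        $realm = ctype_digit($realmId) ? $realmId : 'restricted';
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        http_response_code(401);
        exit;
    }
}

// Offline demo with an in-memory lookup (constructed account, no database needed).
if (PHP_SAPI === 'cli') {
    $users  = ['42' => ['login' => 'alice', 'pass_hash' => password_hash('s3cret', PASSWORD_DEFAULT)]];
    $lookup = fn(string $id): ?array => $users[$id] ?? null;
    var_dump(check_basic_auth('42', 'alice', 's3cret', $lookup));
    var_dump(check_basic_auth('42', 'alice', 'wrong', $lookup));
    var_dump(check_basic_auth('42x', 'alice', 's3cret', $lookup));
}
```

On a protected page, call require_basic_auth($_GET['id'] ?? '', pg_lookup($dbh)) before any output; stored hashes must come from password_hash().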