cl_08_notes

Intro to Databases
Class 8
Authentication and Security
Note: What we discuss in class today covers moderate to low
security. Before you involve yourself in a project that requires high
security (credit card info, social security numbers, etc.), take a class
on database security.
It is becoming more common for sites to keep records of the transactions
while offloading payment and similar steps to sites like PayPal, which handle the
secure side of the transaction.
This approach minimizes risk and cost.
That said, what we are covering today will let you control user access.
Authentication and Security
HTTP authentication
Using PHP scripts to manage user authentication and authorization
Using PHP scripts to authenticate users against a database
Building session based web database applications to authenticate
users
SSL – Secure Sockets Layer
HTTP authentication
HTTP authentication allows you to password-protect a directory.
There are three steps:
1- Create an access file, which describes which users can access a
site.
2- Create a password file, which lists the user names and passwords
allowed.
3- Upload the files.
1- Create an access file, which describes which users can access a site.
Open the text editor and save a new file called ".htaccess"
---Basic Format
AuthUserFile /full_path/.htpasswd
AuthGroupFile /dev/null
AuthName "Page Name"
AuthType basic
require user UserName
full_path is the location of the .htpasswd file. This should
be outside your normal web directories, so the server never serves it as a page.
UserName is the name of the user allowed to access the
pages. Use "require valid-user" if more than one person can access
the directory (any user listed in .htpasswd gets in). Use a specific user name, in this case Test, if
only one person can access the directory.
There is no group file, so we specify /dev/null (the standard
Unix way to say "this file doesn't exist").
---Example
AuthUserFile /home/denning/www/ezcontents1_4x/contentdocument/intro_to_db/cl_8/http_pass/.htpassw
AuthGroupFile /dev/null
AuthName "Super Secret Page"
AuthType basic
require valid-user
2- Create a password file, which lists the user names and passwords
allowed.
Open the text editor and save a new file called ".htpasswd"
Decide on user name and password
name: Test
password: Class
Generate the password entry using a tool that hashes the password
(see the link from the syllabus to http://www.euronet.nl/~arnow/htpasswd/ )
---Basic Format
UserName:Password
It's crucial that you press enter after each line
(the last line should be an empty one, not a line
with a password entry in it) and that you upload
the file as 'text' or 'ascii'.
---Example
Test:180TuOLtbRWCU
Also, keep in mind that these lines are case-sensitive; you should enter a capital as a capital
and a lower-case character as a lower-case character.
3- upload files
.htpasswd
should go to a secure location on your website
.htaccess
should go in the directory you want to protect
NOTE:
the "full path" in .htaccess needs to match the location of .htpasswd
Multiple users
1- modify .htpasswd
user1:NgFQ1vnnW/tJk
user2:mWaquohh.OY3w
user3:EMt8amgnyuYD2
Using groups
1- create a file called ".htgroup" (similar to .htpasswd)
my-users: user1 user2 user3
modify the .htaccess file in the directory to look like this:
AuthUserFile /home/john/.htpasswd
AuthGroupFile /home/john/.htgroup
AuthName "Johns page"
AuthType Basic
require group my-users
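How the web server applies these files to a request, as an added example in Python (not from the slides): it decodes the browser's Authorization header, looks the name up in .htpasswd, and applies the require rule from .htaccess. The sample .htpasswd and .htgroup are constructed here and reuse the slides' names (Test/Class, user1, user2, my-users); entries use Apache's {SHA} format because Python no longer ships the DES crypt() behind the slide's example hash.

```python
import base64
import hashlib
import hmac

def sha_hash(password):
    # Apache's {SHA} entry: base64 of the raw SHA-1 digest (what 'htpasswd -s' writes)
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def parse_htpasswd(text):
    # user -> stored hash; blank lines are skipped, names stay case-sensitive
    return {u.strip(): h.strip() for u, h in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def parse_htgroup(text):
    # group -> set of users, from 'group: user1 user2 user3' lines
    return {g.strip(): set(m.split()) for g, m in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def basic_header(user, password):
    # What the browser sends after the 401 challenge: base64("user:password")
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_password(entries, user, password):
    # True only if the user exists and the hash matches (constant-time compare)
    stored = entries.get(user)
    return stored is not None and hmac.compare_digest(sha_hash(password), stored)

def authorize(header, entries, groups, require):
    # Returns the authenticated user name or None (the server then answers 401 again);
    # require mirrors .htaccess: "valid-user", "user <name>" or "group <name>"
    if not header or not header.startswith("Basic "):
        return None
    try:
        creds = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    user, _, password = creds.partition(":")
    if not check_password(entries, user, password):
        return None
    kind, _, name = require.partition(" ")
    if kind == "user" and user != name:
        return None
    if kind == "group" and user not in groups.get(name, set()):
        return None
    return user

# Constructed sample files reusing the slides' names (Test/Class, user1, user2)
HTPASSWD = f"Test:{sha_hash('Class')}\nuser1:{sha_hash('pw1')}\nuser2:{sha_hash('pw2')}\n"
HTGROUP = "my-users: user1 user2 user3\n"
```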
Using PHP scripts to manage user authentication and authorization
PHP can access the name and password variables submitted
through HTTP authentication
<?php
// PHP exposes the credentials the browser sent with HTTP authentication in
// $_SERVER (the old $PHP_AUTH_USER globals needed register_globals, which is gone)
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
print("
<html>
<head>
<title></title>
</head>
<body>");
print("Hi this is the index<br>");
// htmlspecialchars() stops a crafted user name from injecting markup into the page
print("You are: " . htmlspecialchars($user) . " <br>");
// shown here only to prove the value is available to the script
print("using password: " . htmlspecialchars($pw) . " <br>");
print("</body>
</html>");
?>
Using PHP scripts to authenticate users against a database
1- Creating the table
User name must be unique
1- Make "password" a key
2- Result
Protecting passwords in the database
1- Built in PHP functions
crypt
(PHP 3, PHP 4 )
crypt -- One-way string encryption (hashing)
Description
string crypt ( string str [, string salt])
crypt() will return an encrypted string using the standard Unix DES-based
encryption algorithm or alternative algorithms that may be available on
the system. Arguments are a string to be encrypted and an optional salt
string to base the encryption on. See the Unix man page for your crypt
function for more information.
If the salt argument is not provided, one will be randomly generated by
PHP.
1- Logical Flow
Testing if the user is logged in
<?php
// Assumes login.php stored the authenticated user name in the session on success
// (the slide read $u_username through register_globals, which is gone, and tested it twice)
session_start();
if (!isset($_SESSION['u_username'])) {
    header("Location: login.php");
    exit();
} else {
    print("<html><head><title></title></head><body>");
    print("main page of site - authenticated user only");
    print("</body></html>");
}
?>
1- Logical Flow
The login page (login.php): dispatching on the action field
<?php
include "../../../../../../itb_cl8_info.php";
include "login_functions.php";
session_start();
// register_globals is gone: read the form fields explicitly
$action     = $_REQUEST['action'] ?? '';
$u_username = $_POST['u_username'] ?? '';
$u_password = $_POST['u_password'] ?? '';
print("<html><head><title></title></head><body>");
if ($action === "register") {
    register_new_user($u_username, $u_password);
    //say hello
    print("Welcome to the site");
} elseif ($action === "new_user") {
    register_form();
} elseif ($action === "login") {
    $valid_user = login_user($u_username, $u_password);
    if (!$valid_user) {
        // show login with error
        $error = "Sorry, that user name and password aren't found";
        login_form($error);
    } else {
        // remember the login for the other pages (session based)
        $_SESSION['u_username'] = $u_username;
        //say hello
        print("Hi - we're glad you came back");
    }
} else {
    $error = "";
    login_form($error);
}
print("</body></html>");
?>
1- Creating a new user
function register_form(){
print("
<form method=\"POST\" action=\"\">
<b>Please register</b><br>
Name:<input type=\"text\" name=\"u_username\" value=\"\"><br>
Password: <input type=\"password\" name=\"u_password\" value=\"\"><br>
<input type=\"hidden\" name=\"action\" value=\"register\">
<input type=\"submit\">
</form>");
}
1- Creating a new user 2
function register_new_user($u_username, $u_password){
    GLOBAL $hostname, $dbUsername, $dbPassword, $dbName, $usersTable;
    // CRYPT OUR PASSWORD
    // salt taken from the user name, as on the slide; password_hash() is the
    // modern replacement (random salt, slow hash)
    $salt = substr($u_username, 0, 2);
    $crypted_password = crypt($u_password, $salt);
    /// INSERT RECORD
    // open connection to host and database (mysql_* was removed in PHP 7; mysqli replaces it)
    $link = mysqli_connect($hostname, $dbUsername, $dbPassword, $dbName)
        OR die("error 1 - DB connection failed");
    // formulate our question: a prepared statement keeps quotes in the form
    // values from changing the SQL
    $stmt = mysqli_prepare($link, "INSERT INTO $usersTable (user_name, password) VALUES (?, ?)")
        OR die("error 3 - query failed");
    mysqli_stmt_bind_param($stmt, "ss", $u_username, $crypted_password);
    // ask the question
    mysqli_stmt_execute($stmt) OR die("error 3 - query failed");
    mysqli_stmt_close($stmt);
    mysqli_close($link);
}
1- Authenticating an Existing User
function login_form($error){
print("
<form method=\"POST\" action=\"\">
<b>Please Login</b><br>
<i>$error</i><br>
Name:<input type=\"text\" name=\"u_username\" value=\"\"><br>
Password: <input type=\"password\" name=\"u_password\" value=\"\"><br>
<input type=\"hidden\" name=\"action\" value=\"login\">
<input type=\"submit\">
</form>
<br>
<a href=\"login.php?action=new_user\">New Users </a>register here
");
}
1- Authenticating an Existing User 2
function login_user($u_username, $u_password){
    GLOBAL $hostname, $dbUsername, $dbPassword, $dbName, $usersTable;
    // make sure username and password are filled in (the slide tested $u_username twice)
    if (!isset($u_username) || !isset($u_password) || $u_username === '' || $u_password === '') {
        return false;
    }
    // see if we can find the user in the database
    // open connection to host and database (mysqli replaces the removed mysql_* functions)
    $link = mysqli_connect($hostname, $dbUsername, $dbPassword, $dbName)
        OR die("error 1 - DB connection failed");
    // formulate our question: fetch the stored hash by name only, with the name bound
    // as a parameter so quotes in it cannot change the SQL
    $stmt = mysqli_prepare($link, "SELECT password FROM $usersTable WHERE user_name = ?")
        OR die("error 3 - query failed");
    mysqli_stmt_bind_param($stmt, "s", $u_username);
    // ask the question
    mysqli_stmt_execute($stmt) OR die("error 3 - query failed");
    mysqli_stmt_bind_result($stmt, $stored_password);
    // if there's a row we've found the user (user_name is unique)
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    mysqli_close($link);
    if (!$found) {
        return false;
    }
    // recreate the encrypted password: crypt() reuses the salt embedded in the stored
    // hash, and the comparison happens here in PHP rather than in the SQL WHERE clause
    return hash_equals($stored_password, crypt($u_password, $stored_password));
}
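The register/login flow above, as an added example in Python with SQLite (not the slides' PHP): the user name stays the unique key and only a one-way hash is stored. It swaps the slide's crypt() with a user-name salt for PBKDF2 with a random per-user salt, and verifies the hash in code after fetching the row by name instead of matching it inside the SQL WHERE clause. The table name users, the 16-byte salt and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
import sqlite3

SCHEMA = """CREATE TABLE IF NOT EXISTS users (
    user_name TEXT PRIMARY KEY,   -- unique, as on the slide
    salt      BLOB NOT NULL,      -- random per user, not derived from the name
    pw_hash   BLOB NOT NULL)"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 stands in for the slide's DES crypt(): still one-way, but slow
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register_new_user(conn, user_name, password):
    # False when a field is empty or the name is already taken (PRIMARY KEY)
    if not user_name or not password:
        return False
    salt = os.urandom(16)
    try:
        with conn:  # bound parameters, never SQL built from the form values
            conn.execute("INSERT INTO users (user_name, salt, pw_hash) VALUES (?, ?, ?)",
                         (user_name, salt, hash_password(password, salt)))
    except sqlite3.IntegrityError:
        return False
    return True

def login_user(conn, user_name, password):
    # Fetch by name only, then verify in code: the hash never goes into the WHERE clause
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE user_name = ?",
                       (user_name,)).fetchone()
    if row is None:
        hash_password(password, b"\0" * 16)  # same cost for unknown names
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)
```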