IT420: Database Management and Organization Authentication 22 March 2006

Adina Crainiceanu
www.cs.usna.edu/~adina
Goals Today
 Passwords
 Session control
Web Database Architecture
[Figure: Client browser <--HTTP--> Web server with PHP enabled <--API--> DBMS]
Check the User Input
 bool isset (variableName)
 True if variableName is an existing variable with a non-null value
 bool empty (variableName)
 True if variableName is undefined, null, an empty array, an empty string, the string "0", FALSE, or 0
 Because empty() is already true for an undefined variable (and raises no notice), the isset() test below is redundant; it is shown to make both checks explicit
 Example:
 if (!isset($_POST['searchterm']) || empty($_POST['searchterm']))
   echo 'No search keyword entered. Try again!';
String Manipulation Functions
 string strip_tags(string stringVar [,string allowableTags])
 Strips HTML and PHP tags from stringVar
 Example:
 $inputStr = '<script> alert("hi"); </script>';
 Should not store this in the db!
 echo strip_tags($inputStr); //result: alert("hi");
 Caveat: strip_tags() only removes markup it recognises and is not a complete defence against script injection; escape data with htmlspecialchars() at the point where it is echoed into a page
Escaping Special Characters
 Special characters for the db:
 Single quote '
 Double quote "
 Example:
 insert into mytable(rowID, comment) values(1,'some comment');
 Want: rowID = 1, comment = I'm here
 insert into mytable(rowID, comment) values(1,'I'm here');?
 The quote in I'm ends the string literal early, so the statement is a syntax error (or, with a crafted value, a different statement altogether)
 string addslashes (string someString)
 Adds a backslash before each single quote, double quote, backslash and NUL byte
 string stripslashes (string someString)
 Removes the slashes again
 Example:
 echo addslashes("Let's see"); //result: Let\'s see
 Caveat: addslashes() is not database-aware. Prefer the driver's own escaping function (mysql_real_escape_string for MySQL) or, better, prepared statements with bound parameters, which need no escaping at all
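The "I'm here" insert from the slide, built three ways, as an added example that is not part of the original lecture. It assumes a MySQL table `mytable(rowID INT, comment VARCHAR(255))` and a mysqli connection; the connection credentials are placeholders. The first two functions only build the SQL text so the effect of the quote is visible; the third sends the value as a bound parameter, which is the approach that removes the problem instead of patching it.

```php
<?php
// Added example (not the slides' code). Assumes mytable(rowID INT, comment
// VARCHAR(255)) in a MySQL database; credentials below are placeholders.

function naive_insert(string $comment): string {
    // Plain concatenation: a single quote inside $comment ends the literal.
    return "insert into mytable(rowID, comment) values(1,'" . $comment . "')";
}

function addslashes_insert(string $comment): string {
    // addslashes() puts a backslash before ' " \ and NUL, so the quote is
    // data again inside the MySQL string literal.
    return "insert into mytable(rowID, comment) values(1,'" . addslashes($comment) . "')";
}

echo naive_insert("I'm here"), "\n";
// insert into mytable(rowID, comment) values(1,'I'm here')    <- syntax error
echo addslashes_insert("I'm here"), "\n";
// insert into mytable(rowID, comment) values(1,'I\'m here')   <- valid

// The same quote can be placed deliberately. Concatenated, the rest of the
// value becomes part of the SQL; escaped, it stays inside the literal.
$hostile = "x'); delete from mytable; -- ";
echo naive_insert($hostile), "\n";
echo addslashes_insert($hostile), "\n";

// Preferred: a prepared statement. The SQL text is sent first with ? marks;
// the values travel separately, so no quote in them can change the query
// and no escaping is needed.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'it420');   // placeholders
$stmt = $db->prepare('insert into mytable(rowID, comment) values(?, ?)');
$rowID = 1;
$comment = "I'm here";
$stmt->bind_param('is', $rowID, $comment);   // i = integer, s = string
$stmt->execute();
$stmt->close();
$db->close();
```

The two `echo` lines for `$hostile` are the whole argument for parameters: with `naive_insert` the comment column value ends at `x` and the remainder is SQL, with `addslashes_insert` it is an odd-looking but harmless comment.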
Authentication
 Want: Allow access to a web page only to
some users
 Solution: Ask for user authentication
 log in
Step 1: Ask Login Information
Step 2-a: If Incorrect Information,
Display Error Message
Step 2-b If Correct Information,
Display Secret Page
Class Exercise
 Write a PHP script:
 If no login info given, ask for login information
 If username = ‘user’ and password = ‘pass’,
 display protected content
 Else, display error message
pass_protect.php
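A worked answer to the class exercise, added here as an example; it is not the slide's own pass_protect.php. It deliberately has every weakness the next slide lists: one hard-coded username and password, nothing hashed, a single protected page, and the password sent in clear text. The file name pass_protect.php in the form action is assumed.

```php
<?php
// pass_protect.php: added example, not the original slide's code. One page,
// one hard-coded username/password pair, no hashing, no session.

function show_login_form(): void {
    // The form posts back to this same script.
    echo '<form method="post" action="pass_protect.php">',
         'Username: <input type="text" name="name"><br>',
         'Password: <input type="password" name="pass"><br>',
         '<input type="submit" value="Log in"></form>';
}

// isset() guards: reading a missing $_POST key would raise a notice.
$name = isset($_POST['name']) ? $_POST['name'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';

if ($name === '' && $pass === '') {
    // Step 1: no login information given, ask for it.
    show_login_form();
} elseif ($name === 'user' && $pass === 'pass') {
    // Step 2-b: correct information, display the protected content.
    // htmlspecialchars() keeps a crafted username from rendering as markup.
    echo '<h1>Secret page</h1><p>Welcome, ', htmlspecialchars($name), '.</p>';
} else {
    // Step 2-a: incorrect information, show an error and ask again.
    echo '<p>Incorrect username or password. Try again.</p>';
    show_login_form();
}
```

Save it as pass_protect.php under the web root and open it in a browser; `===` rather than `==` avoids PHP's loose comparison surprises when comparing submitted strings.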
Problems with the code
 One user-name and password hard-coded
 Password stored as plain text
 Protection for only one page
 Password transmitted as plain text
Storing Users and Passwords
 In a file on the server
 In a database
 Users(Username, Password)
 How do we test that the submitted user information matches the information in the database?
 SELECT count(*)
 FROM Users
 WHERE Username = '$name' AND Password = '$password'
 A count of 1 means the pair matched. If $name and $password are pasted into the query text like this, a quote in either value changes the query (see Escaping Special Characters); bind them as parameters instead
Encrypting Passwords
 DO NOT store passwords as plain text!
 Use one-way hash functions
 string sha1(string str)
 Example: sha1('pass') == '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684'
 Deterministic output!
 Given same string, sha1 returns the same result
every time
Example Using Encrypted Password
 Instead of
 if ($name == 'user' && $pass == 'pass') {
   //OK, passwords match
 }
 Use
 if ($name == 'user' && sha1($pass) == '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684') {
   //OK, passwords match
 }
 Only the hash is kept; since sha1 is one-way, the hash does not reveal the password, and since it is deterministic, hashing the submitted password and comparing hashes is the same test as comparing clear text
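The two preceding slides (testing a login against the Users table, and storing only a hash) combined into working code, as an added example that is not part of the original lecture. It assumes a MySQL table `Users(Username VARCHAR(64) PRIMARY KEY, Password CHAR(40))` whose Password column holds sha1 hashes, a mysqli connection with placeholder credentials, and PHP 5.6 or later for `hash_equals()`.

```php
<?php
// Added example (not the slides' code). Assumes
//   Users(Username VARCHAR(64) PRIMARY KEY, Password CHAR(40))
// where Password is the sha1 hash of the password; credentials are placeholders.

function add_user(mysqli $db, string $name, string $pass): bool {
    // Store only the hash; the clear-text password never reaches the table.
    $hash = sha1($pass);
    $stmt = $db->prepare('INSERT INTO Users(Username, Password) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function check_login(mysqli $db, string $name, string $pass): bool {
    // Look the user up by name only and compare hashes in PHP. Because the
    // name is a bound parameter, a quote in it cannot alter the SQL (contrast
    // the string-built SELECT count(*) on the earlier slide).
    $stmt = $db->prepare('SELECT Password FROM Users WHERE Username = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;   // unknown user: same answer as a wrong password
    }
    // sha1 is deterministic, so hashing the submitted password reproduces the
    // stored value exactly when the password is right. hash_equals() compares
    // in constant time so the comparison does not leak how many bytes matched.
    return hash_equals($stored, sha1($pass));
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'it420');   // placeholders
add_user($db, 'user', 'pass');   // stores 9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684
var_dump(check_login($db, 'user', 'pass'));            // bool(true)
var_dump(check_login($db, 'user', "' OR '1'='1"));     // bool(false)
var_dump(check_login($db, "' OR '1'='1", 'pass'));     // bool(false): no such user
$db->close();
```

Run `add_user` once per account (a second run for the same name violates the primary key). An unsalted sha1 as on the slide is no longer adequate: identical passwords produce identical hashes and precomputed tables break them quickly; in current PHP the same structure is written with `password_hash()` when storing and `password_verify()` in `check_login`.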
Problems with the code (revisited)
 One user-name and password hard-coded
 Password stored as plain text: fixed, only the sha1 hash is stored
 Protection for only one page
 Password transmitted as plain text
Session Control
 HTTP is stateless: no built-in way to maintain state between two requests
 Want: Track a user during a single session
on a website
 Show content personalized to user
 Solution 1: protect each single page by
asking for user authentication
 Problems?
Solution 2: Use PHP Session
Control
 Session ID – cryptographically random number
 Generated for each session
 Stored on client side
 Cookie
 URL
 Session variables
 Created by PHP script
 Stored on the server side
 Any script that receives the session id (from the cookie or the URL) gets access to that session's variables, so whoever obtains the id can act as that user; keep it out of URLs where it can leak via logs and Referer headers
Implementing Sessions
 Start a session
 Register session variables
 Use session variables
 Deregister variables
 Destroy session
Start a session
 session_start()
 Creates a session, if none exists
 Call it at the start of all scripts that use
sessions
Register Session Variables
 $_SESSION – superglobal array to store
all session variables
 Example:
 <?php session_start();
 $_SESSION['valid_user'] = 'adina'; ?>
 Session variable $_SESSION[‘valid_user’]
tracked until the session ends, or it is
manually unset
Use Session Variables
 session_start()
 Creates a session, if none exists
 Otherwise, brings the existing session's variables into scope
 Example:
 <?php session_start();
 if (isset($_SESSION['valid_user']))
   echo "User {$_SESSION['valid_user']} logged in";
 ?>
Unset Session Variables
 unset($_SESSION['valid_user'])
 "Deletes" the session variable
Destroy Session
 session_destroy()
 Removes the session data stored on the server
 It does not clear $_SESSION in the current request or delete the session cookie on the client; for a complete logout, also set $_SESSION = array() and expire the cookie
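The five steps above in one script that protects more than one page, as an added example that is not part of the original lecture. It assumes the file is saved as members.php, and it checks credentials against the hard-coded user/pass pair from the class exercise so that it runs without a database (the lab replaces that test with a lookup in the Users table). The call to `session_regenerate_id()` goes beyond the slides: it issues a fresh id at login so that an id an attacker planted before authentication is not promoted to a logged-in session.

```php
<?php
// members.php: added example, not the slides' code. Assumes this file name;
// the credential check is the hard-coded pair from the class exercise.

session_start();   // step 1: create or resume the session (before any output)

function show_login_form(): void {
    echo '<form method="post" action="members.php?action=login">',
         'Username: <input type="text" name="name"><br>',
         'Password: <input type="password" name="pass"><br>',
         '<input type="submit" value="Log in"></form>';
}

function require_login(): string {
    // Every protected page calls this instead of asking for the password again.
    if (!isset($_SESSION['valid_user'])) {
        show_login_form();
        exit;
    }
    return $_SESSION['valid_user'];
}

$action = isset($_GET['action']) ? $_GET['action'] : 'home';

if ($action === 'login') {
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if ($name === 'user' && $pass === 'pass') {
        // Fresh id on login (session fixation defence); true discards the old file.
        session_regenerate_id(true);
        $_SESSION['valid_user'] = $name;   // step 2: register a session variable
        header('Location: members.php?action=home');
        exit;
    }
    echo '<p>Incorrect username or password.</p>';
    show_login_form();
    exit;
}

if ($action === 'logout') {
    unset($_SESSION['valid_user']);       // step 4: deregister the variable
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        // session_destroy() leaves the cookie on the client; expire it explicitly.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // step 5: remove the server-side data
    echo '<p>Logged out.</p>';
    exit;
}

// Any number of protected pages share one check (step 3: use the variable).
$user = require_login();
if ($action === 'home') {
    echo '<h1>Home</h1><p>User ', htmlspecialchars($user), ' logged in. ',
         '<a href="members.php?action=secret">secret</a> | ',
         '<a href="members.php?action=logout">log out</a></p>';
} elseif ($action === 'secret') {
    echo '<h1>Secret page</h1><p>Only visible with a valid session, ',
         htmlspecialchars($user), '.</p>';
}
```

Open members.php?action=home without a session and the form appears; after a correct login the home and secret actions both render, and logout removes the variable, expires the cookie and destroys the server-side data, so the next request starts a new, empty session.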
Lab Exercise
 Write PHP to implement db authentication