8 Tips for PHP Scripting (5)_PHP Tutorial

User authentication using PHP

If you wish to implement password protection on a per-script basis, you can use the header() function in conjunction with the $PHP_AUTH_USER and $PHP_AUTH_PW global variables to create a basic authentication scheme. A typical server-based authentication request/response round looks a lot like this:

1. The user requests a file from a Web server. If the file is within a protected area, the server responds by adding a 401 (illegal user) string to the response file header.

2. After the browser sees the response, the username/password dialog box pops up.

3. The user enters the user name and password in the dialog box, and then clicks the "Confirm" button to send this information back to the server.

4. If the username and password are valid, the protected file will be displayed to the user, and as long as the currently verified user is within the protected area. The above authentication processes are all valid.

A simple PHP script can emulate the HTTP authentication request/response system by sending the appropriate HTTP headers to cause the username/password dialog to automatically appear on the client's screen. PHP stores user input dialog information in the $PHP_AUTH_USER and $PHP_AUTH_PW variables. Using these variables, you can store the list of non-compliant username/password checks in a text file, database, or anywhere you specify

Note: The three global variables $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE are only valid when PHP is installed as a module. If you are using the CGI version of PHP, then you are limited to using .htaccess-based authentication or database-based authentication, so you must design an HTML form to let the user enter a username and password, and then let PHP do the validation examine.

The example below shows a check for two settings, but in theory it is not essentially different from the above username and password check.

/* Check for values ​​in $PHP_AUTH_USER and $PHP_AUTH_PW */

if ((!isset($PHP_AUTH_USER)) || (!isset($PHP_AUTH_PW))) {

/* No values: send headers causing dialog box to appear */
header(WWW-Authenticate: Basic realm="My Private Stuff");
header(HTTP/1.0 401 Unauthorized);
echo Authorization Required.;
exit;

} else if ((isset($PHP_AUTH_USER)) && (isset($PHP_AUTH_PW))){

/* Values ​​contain some values, so check to see if theyre correct */

if (($PHP_AUTH_USER != "validname") || ($PHP_AUTH_PW != "goodpassword")) {
/* If either the username entered is incorrect, or the password entered is incorrect, send the headers causing dialog box to appear */
header(WWW-Authenticate: Basic realm="My Private Stuff");
header(HTTP/1.0 401 Unauthorized);
echo Authorization Required.;
exit ;
} else if (($PHP_AUTH_USER == "validname") || ($PHP_AUTH_PW == "goodpassword")) {
/* if both values ​​are correct, print success message */
echo "

Youre authorized!

";
}
}
?>

Remember that when you are using file-based protection, this approach is not a security blanket that will definitely protect the directory. This will be obvious to most of you, but if your brain makes a connection between the pop-up dialog box and protecting a given directory, you have to work hard to recognize this process.

http://www.bkjia.com/PHPjc/532524.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/532524.htmlTechArticleUser authentication using PHP If you want to implement password protection on a per-script basis, then you can combine Use the header() function and $PHP_AUTH_USER, $PHP_AUTH_PW global variables...