PHP+APACHE method to implement user argument_PHP tutorial

WBOY
Release: 2016-07-21 16:02:17
Original
913 people have browsed it

On professional Web sites, the user's account and password are often required, which is an identity confirmation action. The early NCSA httpd server did not provide this user authentication function, and Webmaster could only manually create an identity authentication CGI program.
Most of the web servers since CERN httpd provide user identity verification function. Although the settings of each web server are different, the settings are similar.

The following are the user authentication settings on the Apache server.



AuthType Basic
AuthName MyMember
AuthUserFile /usr/local/MyMember.txt Limit GET POST>
require valid-user



In this example, when the user is viewing all the files in the MyMember directory, When including image files and other types of files, the user's account and password confirmation are required. The user's account and password files exist in /usr/local/MyMember.txt.

The account password file /usr/local/MyMember.txt may look like the following example. The string before the colon is the user account, and the string after the colon is the password that has been irreducibly encrypted. The encoding generally uses traditional DES encoding. The first two characters of the password are characters similar to seeds (salt). In this case it's all 3P. Each row represents a user. Of course, the Webmaster must control the situation of duplicate accounts by itself. What is special is the situation when Apache is launched on a Win32 system. The password after the colon cannot be encrypted because Win32 does not provide this encoding
API, so the user password exists in clear code.


john1234:3PWudBlJMiwro
queenwan:3PFNVLNPN9W0M snI6.84E
sun_moon:3PvymMeNOc.x.
nobody38:3PbskPKwV94hw

On Apache version 1.3.6, you can use ~apache/bin/htpasswd to generate a single account and password, but for commercial websites that require large amounts of data, you may need to write your own program Come to deal with it. On UNIX a call to crypt() is required to handle encoding.



After everything is set up, a password verification window will appear in the browser when connecting. The picture above is the user verification mechanism of SEEDNet's MySEED website. After entering the account number and password, the browser will encode it with BASE64 and transmit it to the server. Of course, BASE64 only encodes but does not encrypt, so the security of this kind of transmission on the Internet is still not high. It may still be intercepted by the executioner in the middle and then restored to BASE64. This is also the most flaw in the entire user authentication. Perhaps This problem can be solved by supporting Digest authentication and using MD5 encoding in the future. After that, each page still requires an account and password, but the browser will automatically send it out for you, so you no longer need to enter your account and password. This aspect will be retained until the browser is closed, and you will still need to enter it for the first time next time you re-execute the browser.

When the number of users is small, it is easy and trouble-free to use the above method. However, when there are tens of thousands or even hundreds of thousands of users, the efficiency of the entire server will be dragged down by searching for account passwords, and it may take tens of seconds to minutes to read a page. In this case, it would be unwise to use the password checking mechanism provided by the server. You can use NSAPI to develop your own checking methods on Netscape Enterprise Server, and you can also use ISAPI filters on IIS. It is always tiring to write C/C++ programs to call NSAPI/ISAPI. There is another choice in PHP, which is also the topic of this section.


PHP’s HTTP-related function library provides the header() function. Many web server-client interactions can use this function to do magic. For example, adding the following program at the beginning of a PHP page, that is, the first or second line, can redirect users to the author's webpage.


header("Location: http://wilson.gs");
exit;
?>


Of course, the HTML text or PHP program after the above program will never appear on the user side.

Similarly, we use header() to perform user authentication tricks. You can send a string to the user at the beginning of PHP, and the window shown below will appear on the user.


Header("WWW-Authenticate: Basic realm="Member"");
Header("HTTP/1.0 401 Unauthorized");
? >

In the program, the word Member in the string realm="Member" appears in the picture. Of course, if Chinese characters are used to replace it, Chinese characters will also appear on the browser, such as the MySEED picture above.If the web site user also speaks other languages, such as English or Japanese, it seems inappropriate to send a Chinese realm string. In any case, this will depend on the nature of the site and user orientation.

Of course, this is still very rough, because there is no further content except after sending the window. Whether the account number is entered correctly or incorrectly, there will be no results. We need more advanced programs to handle it.


In terms of back-end authentication, consider using a database as the back-end to store accounts and passwords. This architecture can accommodate many users, whether it is 10,000 users or 100,000 users. If your site already has hundreds of thousands of user accounts, congratulations, your site is considered a world-class site. MySQL is a good choice. Many websites, even commercial websites, use it as the back-end database. Of course, if you want to build a real commercial website and money is not an issue, you can use the most widely praised Oracle database series.

To use any database in PHP, you must first set up the server and client of the database, and then compile the PHP and Apache systems.

After preparing MySQL and PHP, first add a new database to MySQL. In this example, mymember is added. Of course, you can use another name. It is easy to add MySQL to a database (Database), just mkdir where MySQL stores the Database. For example, type under UNIX Shell

hahaha:/usr/local/mysql/data# mkdir mymember

After creating the database, you still need to create a data table (Table) before it can be used. The set table is as follows, you can store it in /tmp/memberauth.sql


CREATE TABLE MemberAuth (
Serial mediumint(9) NOT NULL auto_increment,
Username char(8 ) NOT NULL,
Password char(8) NOT NULL,
Enable char(1) DEFAULT '0' NOT NULL,
PRIMARY KEY (Serial)
);

File memberauth.sql

First look at these fields of memberauth.sql. Serial is an automatically incremented integer field. Every time a piece of data is entered, it will be automatically incremented by one. Of course, this cannot be an empty field, so NOT NULL is used. The second field is Username, which represents the user's account. For the sake of unification and adaptability to various systems, it is set to eight characters. Of course, this field cannot be empty. Password is the third field, which is the user's password. The fourth field, Enable, is used as a flag to indicate whether the account is valid. In design, 0 means useless and 1 means available. Other values ​​can be added in the future for different purposes.

After designing the data table, it is time to add the data table to the database. Since you often use the MySQL database, you can download phpMyAdmin from http://www.phpwizard.net/phpMyAdmin and use your browser to operate and manage MySQL, which is easy and convenient. If you use this set of phpMyAdmin, you can enter memberauth.sql in its user interface to join MySQL. Or you can enter the following formula in UNIX Shell, which will have the same effect.

mysql mymember < /tmp/memberauth.sql

After you are ready, you can enter the user account and password in the memberauth table. Of course, it is more convenient to use phpMyAdmin. Using the mysql program requires a series of INSERTs.

Then we entered the stage of designing functions.


file://--------------------------
// User authentication function auth.inc 
// Author: Wilson Peng 
// Copyright (C) 1999 
file://------------- -------------
$error401 = "/home/phpdocs/error/401.php";
if ($PHP_AUTH_PW=="") {
Header( "WWW-Authenticate: Basic realm="Super Gold Card Member"");
Header("HTTP/1.0 401 Unauthorized");
include($error401);
exit;
} else {

$db_id = mysql_pconnect("localhost", "myid", "mypw");
$result = mysql_db_query("mymember","select password, enable
from MemberAuth where username= '$PHP_AUTH_USER'");

$row = mysql_fetch_array($result);
$MemberPasswd = $row[0];
$MemberEnable = $row[1];
if ($MemberEnable==0) {
echo "Your account has been disabled";
exit;
}

if ($PHP_AUTH_PW!=$MemberPasswd) {
Header("WWW-Authenticate: Basic realm="Super Gold Card Member"");
Header("HTTP/1.0 401 Unauthorized");
include($error401);
exit;
}
}
?>

Copyright (C) 1999, Wilson Peng

To use this auth.inc, add .
Every PHP file added to this program will check the account and password, but pictures, etc. will not be checked. Compared with using the web server function to check all in a certain directory, PHP is much more flexible.

$error401 = "/home/phpdocs/error/401.php";

This line indicates what should be displayed to the user when the user presses Cancel or the check fails. file.

if ($PHP_AUTH_PW=="") {
Header("WWW-Authenticate: Basic realm="Super Gold Card Member"");
Header("HTTP/1.0 401 Unauthorized" );
include($error401); Among them,
$PHP_AUTH_USER and $PHP_AUTH_PW are special variables in PHP, which respectively represent the account and password confirmed by the user. The above program also uses these two variables to handle user authentication.

$db_id = mysql_pconnect("localhost", "myid", "mypw");
$result = mysql_db_query("mymember","select password, enable from
MemberAuth where username=' $PHP_AUTH_USER'");

$row = mysql_fetch_array($result);
$MemberPasswd = $row[0];
$MemberEnable = $row[1];

If the user has entered the account number and password, query the database. Also check whether the user is still available.

if ($MemberEnable==0) {
echo "Your account has been disabled";
exit;
}

The four lines above are the account number deactivated.

if ($PHP_AUTH_PW!=$MemberPasswd) {
Header("WWW-Authenticate: Basic realm="Super Gold Card Member"");
Header("HTTP/1.0 401 Unauthorized" );
include($error401);
exit;
}

If the password is incorrect, the user will be asked to enter their account number and password again.

In actual use, you can add the auth.inc file according to the webpage you need to add. You don’t have to check the password even when viewing a picture, which reduces the resources on both the server and the user. Of course, to connect to MySQL, you can use mysql_pconnect() to always connect to the MySQL server. Or use mysql_connect() to reconnect each time. When using this function, remember to use mysql_close() to close the database early. The following program auth1.inc is another version of the authentication program, which is an example of opening the connection and then closing it immediately to release resources.


file://--------------------------
// User authentication function-1 auth1.inc
// Author: Wilson Peng
// Copyright (C) 1999
file://------------ ---------------
$error401 = "/home/phpdocs/error/401.php";
if ($PHP_AUTH_PW=="") {
Header("WWW-Authenticate: Basic realm="Super Gold Card Member"");
Header("HTTP/1.0 401 Unauthorized");
include($error401);
exit;
} else {

$db_id = mysql_connect("localhost", "myid", "mypw");
$result = mysql_db_query("mymember","select password, enable
from MemberAuth where username='$PHP_AUTH_USER'");

$row = mysql_fetch_array($result);
$MemberPasswd = $row[0];
$MemberEnable = $row[1];
mysql_close($db_id);
if ($MemberEnable==0) {
echo "Your account has been disabled";
exit;
}

if ( $PHP_AUTH_PW!=$MemberPasswd) {
Header("WWW-Authenticate: Basic realm="Super Gold Card Member"");
Header("HTTP/1.0 401 Unauthorized");
include($ error401);
exit;
}
}
?>



http://www.bkjia.com/PHPjc/316617.html

www.bkjia.com

truehttp: //www.bkjia.com/PHPjc/316617.htmlTechArticleOn professional Web sites, the user's account and password are often required, which is an identity confirmation action. The early NCSA httpd server did not provide this user confirmation function,...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template