Authentication using MYSQL

[lefteyecc]

Hey guys it's me again. Okay so far I've been helped out prety good by this site and it's users. But now I have a more advanced problem dealing with authentication. My problem is that my authentication script doesn't work. Can anyone help me out with it. Thanks

<?php
require("common.php");
require("globals.php");
function authenticate()
{
      header('[URL unfurl="true"]WWW-Authenticate:[/URL] Basic realm="administration"');
      header('HTTP/1.0 401 Unauthorized');
      printf("<script language\"javascript\" type=\"text/javascript\">alert(\"Please Login\"); </script>");
} 
/*if(!$_SESSION['allowed'] == TRUE)
{
    header("Location: [URL unfurl="true"]http://".$_SERVER[/URL]['HTTP_HOST'] 
                     .dirname($_SERVER['PHP_SELF']) 
                     ."/login"); 
} */        
if((!isset($_SERVER['PHP_AUTH_USER'])) || ($_POST['login']))
{
     authenticate();
}
else
{
    $user = $_SERVER['PHP_AUTH_USER'];
    $passwd = $_SERVER['PHP_AUTH_PW'];
    if($result = execute_query("SELECT uid passwd FROM auth WHERE uname='$user'", 0))
    {
        $auth_parms = mysql_fetch_object($result[0], 0);
        //echo "uname == ".$auth_parms->uname." passwd == ".$auth_parms->passwd;
        if($auth_parms->passwd == $passwd)
        {
            session_start();
            $_SESSION['allowed'] = TRUE;
            execute_query("INSERT INTO auth SET sessionid='SID' WHERE uid='$auth_parms->uid'";
            header("Location: [URL unfurl="true"]http://".$_SERVER[/URL]['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/admin");
        }
        else
        {
            printf("<script language=\"javascript\" type=\"text/javascript\">alert(\"Invalid username or password\");</script>");
            authenticate();
        }
    }
}
//echo "uname == ".$auth_parms->uname
echo "user == ".$_SERVER['PHP_AUTH_USER']." passwd == ".$_SERVER['PHP_AUTH_PW'];
printf("<center><div class=\"content\"><table class=\"content\">
        <form name=\"login_admin\" method=\"post\" action =\"%s\">
        <input type=\"submit\" value=\"login\" name=\"login\">
        </form></table></div>", $_SERVER['PHP_SELF']);
printf("<p>login to access administrative portion of website</p>");
generate_adminpage_footer(); 
?>

The problem is that I can't get it to authenticate even tho my information entered is correct.

 

[jpadie]

are you using apache as a web server?
and if so are you using php as an apache module or cgi ?

http auth over php only works if use use apache and php as an apache mod.

if none of the above applies, could you be more specific about what doesn't work and what debugging you've done?

 

[lefteyecc]

PHP is compiled as a module for apache. I know because the php I have installed is mod_php. Also when I echo out the variable values using the PHP_AUTH_* variables I see their values. How ever I have a feeling something is not going through to the sql server but I have no idea how to be sure, it's not I think evaluating the sql code block. BTW execute query is a wrapper function for the PHP mysql functions which I use to connect to and execute queries on my mysql server.

execue_query)'query', 'link')

is the function prototype

Also I have a table setup on my mysql database the setup is

auth
{
SMALLINT uid;
VARCHAR(32) passwd;
VARCHAR(15) uname;
INT sessionid;
VARCHAR(32) cookie;
INT(15) ip;
}

I assume that it goes through to the server but I dunno why it's not allowing access tot he site.

 

[lefteyecc]

wait a minute I think I figured it out. If I send a header to the web page for authentication does that mean that I need to use a file and not a database? If so then I'll just use a regular file for authentication.