<?php
include 'db.inc';
function authenticateUser($connection,
$username,
$password)
{
// Test the username and password parameters
if (!isset($username) || !isset($password))
return false;
// Get the two character salt from the
// username collected from the challenge
$salt = substr($username, 0, 2);
// Encrypt the password collected from
// the challenge
$crypted_password = crypt($password, $salt);
// Formulate the SQL find the user
$query = "SELECT password FROM users
WHERE user_name = '$username'
AND password = '$crypted_password'";
// Execute the query
$result = @ mysql_query ($query,
$connection)
or showerror( );
// exactly one row? then we have found the user
if (mysql_num_rows($result) != 1)
return false;
else
return true;
}
?>
The authenticateUser( ) function developed in Example 9-7 is likely to be used in many scripts and writing the code to a authentication.inc file allows the function to be included in the scripts that require authentication. We could rewrite Example 9-4 to use the database authentication function by including the authentication.inc file:
<?php
include("authentication.inc");
include("db.inc");
include("error.inc");
// Connect to the MySQL server
// Connect to the Server
if (!($connection = mysql_connect($hostName,
$username, $password)))
die("Could not connect to database");
if (!mysql_selectdb("$databaseName, $connection)
showerror();
if !authenticateUser($connection,
$PHP_AUTH_USER,
$PHP_AUTH_PW)))
{
// No credentials found - send an unauthorized
// challenge response ...
header("WWW-Authenticate: Basic realm=\"Flat Foot\"");
header("HTTP/1.0 401 Unauthorized");
// ...
exit;
}
// The HTML response to authorized users ...
?>
MySQL encryption
MySQL provides the encryption function password( ) that can be used instead of the crypt( ) function; we introduced this function in Chapter 3. The MySQL password( ) function can be incorporated into the SQL update or insert queries:
$update_query =
"UPDATE users
SET password = password($password)
WHERE user_name = '$username'";
Like crypt( ), the MySQL password( ) function is a one-way function, but it is simpler to use because it doesn't require a salt string. However, when identical passwords are used, they are stored as identical encrypted strings. Another disadvantage to using the MySQL password( ) function is that the password is transmitted between the web server and the MySQL DBMS in its unencrypted form. We recommend that crypt( ) be used rather than the MySQL password( ) function when building web database applications.