Posted by Rik on 03/07/07 12:53
Els <els.aNOSPAM@tiscali.nl> wrote:
> Rik wrote:
>> Els <els.aNOSPAM@tiscali.nl> wrote:
>>
> [using http authentication to protect one page of a cms component]
>>> If possible, I'd like it to check against usernames that are already
>>> in the database, and which have certain rights, but I'm happy already
>>> if I can just set any username/password.
>>
>> Well, just check them against the database (mysql?):
>>
>> <?php
>> $verified = false;
>> // PHP fills PHP_AUTH_USER / PHP_AUTH_PW from the Basic Authorization header
>> if(isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])){
>>     $user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
>>     $result = mysql_query("SELECT `passwd` FROM `tablename` WHERE `user` = '$user'");
>>     if($result && mysql_num_rows($result) == 1){
>>         $row = mysql_fetch_assoc($result);
>>         // strict comparison, so numeric-looking strings are not juggled
>>         if($row['passwd'] === $_SERVER['PHP_AUTH_PW']) $verified = true;
>>     }
>> }
>> if(!$verified){
>>     header('WWW-Authenticate: Basic realm="My Realm"');
>>     header('HTTP/1.0 401 Unauthorized');
>>     echo 'Text to send if user hits Cancel button';
>>     exit;
>> }
>> ?>
>
> I can't seem to get that one to work.
> The passwords in the database are encoded though, would that cause the
> trouble?
Indeed, you'd have to use similar encoding on $_SERVER['PHP_PW']. There
are various functions and encodings available to you, you'll have to know
which is used. (Often just md5 or sha1.)
-- 
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
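
Added example, not part of the original post or the CMS in question: checking Basic auth credentials against stored values that are encoded, by applying the same encoding to the supplied password before a constant-time comparison. The `$users` array, the function names and the passwords are constructed stand-ins for the database table; detecting the scheme from the stored value's length is an assumption, and the `password_verify()` branch goes beyond the md5/sha1 case mentioned in the thread.

```php
<?php
// Constructed stand-in for the user table (username => stored password value).
$users = [
    'els'  => md5('constructed-pass-1'),                             // md5 column
    'rik'  => sha1('constructed-pass-2'),                            // sha1 column
    'anna' => password_hash('constructed-pass-3', PASSWORD_DEFAULT), // salted hash
];

// Encode the supplied password the way the stored value was encoded, then
// compare in constant time. Assumption: 32 hex chars = md5, 40 hex chars = sha1.
function password_matches(string $supplied, string $stored): bool
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return hash_equals(strtolower($stored), md5($supplied));
    }
    if (preg_match('/^[0-9a-f]{40}$/i', $stored)) {
        return hash_equals(strtolower($stored), sha1($supplied));
    }
    return password_verify($supplied, $stored); // password_hash() format
}

// $server is $_SERVER in a real page; passed in so it can be exercised here.
function basic_auth_ok(array $server, array $users): bool
{
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false; // no Authorization header was sent
    }
    $stored = $users[$server['PHP_AUTH_USER']] ?? null;
    return is_string($stored)
        && password_matches($server['PHP_AUTH_PW'], $stored);
}

// Constructed requests, run from the command line.
$requests = [
    ['PHP_AUTH_USER' => 'els',  'PHP_AUTH_PW' => 'constructed-pass-1'],
    ['PHP_AUTH_USER' => 'rik',  'PHP_AUTH_PW' => 'constructed-pass-2'],
    ['PHP_AUTH_USER' => 'anna', 'PHP_AUTH_PW' => 'constructed-pass-3'],
    ['PHP_AUTH_USER' => 'els',  'PHP_AUTH_PW' => md5('constructed-pass-1')],
    [], // browser has not sent credentials yet
];
foreach ($requests as $r) {
    printf("%-5s => %s\n", $r['PHP_AUTH_USER'] ?? '-',
        basic_auth_ok($r, $users) ? 'verified' : '401');
}
```

The fourth request sends the stored md5 value itself as the password and is rejected, because the supplied value is always encoded before the comparison.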