Authentication script
When the login <form> is submitted, the POST variables are processed by the authentication script shown in Example 9-9. The authentication is performed by passing a handle to a connected MySQL server, the username, and the password to the function authenticateUser( ). The function executes a query to find the user row with the same username and encrypted password. As with the code in Example 9-7, we use the first two characters from the username as the salt string to the crypt( ) function.
The Boolean control variable $authenticated is set to the return value of the authenticateUser( ) function. If $authenticated is true, the username is registered as the $authenticatedUser session variable, and the IP address of the client machine from which the request originated is registered as the $loginIpAddress session variable.
If the authentication fails and $authenticated is set to false, the $loginMessage session variable is registered containing the appropriate message to display on the login <form> as shown in Figure 9-3. In Example 9-9 we always relocate back to the login page, keeping the code reasonably simple. An alternative would be to relocate back to a customer welcome page when authentication succeeds and relocate back to the login page only when authentication fails.
Example 9-9. Authentication script
<?php
include 'db.inc';
include 'error.inc';

function authenticateUser($connection,
                          $username,
                          $password)
{
  // Test that the username and password
  // are both set and return false if not
  if (!isset($username) || !isset($password))
    return false;

  // Get the two character salt from the username
  $salt = substr($username, 0, 2);

  // Encrypt the password
  $crypted_password = crypt($password, $salt);

  // Formulate the SQL query to find the user.
  // Both values are interpolated directly into the SQL string,
  // so this relies on the caller having passed them through clean( )
  $query = "SELECT password FROM users
            WHERE user_name = '$username'
            AND password = '$crypted_password'";

  // Execute the query
  $result = @ mysql_query ($query,
                           $connection)
            or showerror( );

  // exactly one row? then we have found the user
  if (mysql_num_rows($result) != 1)
    return false;
  else
    return true;
}

// Main ----------
session_start( );

$authenticated = false;

// Clean the data collected from the user
$appUsername =
  clean($HTTP_POST_VARS["formUsername"], 10);
$appPassword =
  clean($HTTP_POST_VARS["formPassword"], 15);

// Connect to the MySQL server
$connection = @ mysql_connect($hostname,
                              $username,
                              $password)
              or die("Cannot connect");

if (!mysql_selectdb($databaseName,
                    $connection))
  showerror( );

$authenticated = authenticateUser($connection,
                                  $appUsername,
                                  $appPassword);

if ($authenticated == true)
{
  // Register the customer id
  session_register("authenticatedUser");
  $authenticatedUser = $appUsername;

  // Register the remote IP address
  session_register("loginIpAddress");
  $loginIpAddress = $REMOTE_ADDR;
}
else
{
  // The authentication failed
  session_register("loginMessage");
  $loginMessage =
    "Could not connect to the winestore " .
    "database as \"$appUsername\"";
}

// Relocate back to the login page
header("Location: example.9-8.php");
?>
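The same authenticateUser( ) contract and login flow as Example 9-9, rewritten here as an added example (not the book's code) with a bound query parameter in place of string interpolation, password_verify( ) in place of crypt( ) with a username-derived salt, and $_SESSION in place of session_register( ). It assumes a users table with user_name and password columns where password holds a password_hash( ) digest, and the connection details are placeholders.

```php
<?php
// Added example, not from the book. Same inputs and boolean result as
// the authenticateUser() function of Example 9-9.

function authenticateUser(PDO $connection, ?string $username, ?string $password): bool
{
    // Reject missing or empty credentials up front, as the original does
    if ($username === null || $password === null || $username === '' || $password === '') {
        return false;
    }

    // The username is bound as a parameter, never interpolated into the SQL,
    // so a quote character in the submitted value cannot alter the query
    $stmt = $connection->prepare(
        'SELECT password FROM users WHERE user_name = :user_name'
    );
    $stmt->execute([':user_name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the per-user random salt from the stored
    // digest and compares in constant time; no salt derived from the username
    return $row !== false && password_verify($password, $row['password']);
}

// Main ----------
session_start();

$appUsername = $_POST['formUsername'] ?? null;
$appPassword = $_POST['formPassword'] ?? null;

// Placeholder connection details: replace with your own configuration
$connection = new PDO('mysql:host=localhost;dbname=winestore', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (authenticateUser($connection, $appUsername, $appPassword)) {
    // Issue a fresh session id on login so a session id fixed before
    // authentication is not carried into the authenticated session
    session_regenerate_id(true);
    $_SESSION['authenticatedUser'] = $appUsername;
    $_SESSION['loginIpAddress'] = $_SERVER['REMOTE_ADDR'];
} else {
    // Same message whether the user is unknown or the password is wrong
    $_SESSION['loginMessage'] = 'Login failed';
}

// Relocate back to the login page, as Example 9-9 does
header('Location: example.9-8.php');
exit;
```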