Authentication script

When the login <form> is submitted, the POST variables are processed by the authentication script shown in Example 9-9. The authentication is performed by passing a handle to a connected MySQL server, the username, and the password to the function authenticateUser(). The function executes a query to find the user row with the same username and encrypted password. As with the code in Example 9-7, we use the first two characters from the username as the salt string to the crypt() function.

The Boolean control variable $authenticated is set to the return value of the authenticateUser() function. If $authenticated is true, the username is registered as the $authenticatedUser session variable and the IP address of the client machine from which the request originated as the $loginIpAddress session variable.

If the authentication fails and $authenticated is set to false, the $loginMessage session variable is registered containing the appropriate message to display on the login <form> as shown in Figure 9-3. In Example 9-9 we always relocate back to the login page, keeping the code reasonably simple. An alternative would be to relocate back to a customer welcome page when authentication succeeds and relocate back to the login page only when authentication fails.

Example 9-9. Authentication script
<?php
include 'db.inc';
include 'error.inc';
function authenticateUser($connection,
                          $username,
                          $password)
{
  // Test that the username and password
  // are both set and return false if not
  if (!isset($username) || !isset($password))
    return false;
  // Get the two character salt from the username
  $salt = substr($username, 0, 2);
  // Encrypt the password
  $crypted_password = crypt($password, $salt);
  // Formulate the SQL query to find the user.
  // Both values are interpolated straight into the
  // SQL text, so the caller must pass input that has
  // already been escaped (the clean() function below).
  $query = "SELECT password FROM users
               WHERE user_name = '$username'
               AND password = '$crypted_password'";
  // Execute the query
  $result = @ mysql_query($query,
                          $connection)
  or showerror();
  // exactly one row? then we have found the user
  if (mysql_num_rows($result) != 1)
    return false;
  else
    return true;
}
// Main ----------
  session_start();
  $authenticated = false;
  // Clean the data collected from the user
  $appUsername =
    clean($HTTP_POST_VARS["formUsername"], 10);
  $appPassword =
    clean($HTTP_POST_VARS["formPassword"], 15);
  // Connect to the MySQL server ($hostname, $username
  // and $password are the database credentials from
  // db.inc, not the values typed into the login form)
  $connection = @ mysql_connect($hostname,
                                $username,
                                $password)
  or die("Cannot connect");
  if (!mysql_select_db($databaseName,
                       $connection))
      showerror();
  $authenticated = authenticateUser($connection,
                                    $appUsername,
                                    $appPassword);
  if ($authenticated == true)
  {
    // Register the customer id
    session_register("authenticatedUser");
    $authenticatedUser = $appUsername;
    // Register the remote IP address
    session_register("loginIpAddress");
    $loginIpAddress = $REMOTE_ADDR;
  }
  else
  {
    // The authentication failed
    session_register("loginMessage");
    $loginMessage =
      "Could not connect to the winestore " .
      "database as \"$appUsername\"";
  }
  // Relocate back to the login page
  header("Location: example.9-8.php");
?>
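The same login check written against a current PHP interpreter, as an added example that is not part of the book's code: a prepared statement replaces the interpolated query of Example 9-9, password_hash()/password_verify() replace crypt() with a username-derived salt, and the session is handled through $_SESSION. It assumes the PDO SQLite driver is available and that the users.password column holds password_hash() output; the sample user row is constructed for the demonstration.

```php
<?php
// Hash verified when the username is unknown, so that a missing user
// and a wrong password take roughly the same time to reject.
$dummyHash = password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);

function authenticateUser(PDO $db, string $username, string $password): bool
{
    global $dummyHash;
    // Placeholders keep user input out of the SQL text entirely, so no
    // quoting or escaping of $username is required here.
    $stmt = $db->prepare(
        'SELECT password FROM users WHERE user_name = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the algorithm and the random per-user
    // salt from the stored hash; the salt is no longer derived from
    // the username, so equal passwords get different hashes.
    $stored = $row ? $row['password'] : $dummyHash;
    $ok = password_verify($password, $stored);
    return $row !== false && $ok;
}

// Constructed sample data: an in-memory SQLite users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (:u, :p)');
$ins->execute([':u' => 'hugh',
               ':p' => password_hash('s3cret', PASSWORD_DEFAULT)]);

var_dump(authenticateUser($db, 'hugh', 's3cret'));  // correct password
var_dump(authenticateUser($db, 'hugh', 'wrong'));   // wrong password
var_dump(authenticateUser($db, 'nobody', 'x'));     // unknown user

// What the login script would do after a successful check: issue a fresh
// session id so a session fixed before login cannot be reused afterwards.
if (PHP_SAPI !== 'cli' && authenticateUser($db, 'hugh', 's3cret')) {
    session_start();
    session_regenerate_id(true);
    $_SESSION['authenticatedUser'] = 'hugh';
    $_SESSION['loginIpAddress'] = $_SERVER['REMOTE_ADDR'];
}
```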

Logout script

A separate script is called when a user logs out of the application. Example 9-10 shows the script that unregisters the $authenticatedUser session variable, registers the $loginMessage variable containing the appropriate message, and relocates back to the login script. The login script checks if the $loginMessage session variable is registered and displays the message that the user has logged out.

Example 9-10. Logout script
<?php
  session_start();
  $appUsername =
     $HTTP_SESSION_VARS["authenticatedUser"];
  $loginMessage =
    "User \"$appUsername\" has logged out";
  session_register("loginMessage");
  session_unregister("authenticatedUser");
  // Relocate back to the login page
  header("Location: example.9-8.php");
?>