When designing and maintaining a site, users often need to restrict access to certain important files or information. In general, we can use the HTTP-based user authentication mechanism built into the Web server. When a visitor browses to a protected page, the client browser pops up a dialog window asking for a username and password, and the user is authenticated to determine whether he or she may access the page. The following two methods illustrate how this is implemented.
First, implementation using HTTP headers
Headers are strings that the server sends to the browser over HTTP before it sends the HTML content. HTTP uses a challenge/response pattern to authenticate users who attempt to enter a password-protected area. Specifically, when a user first sends a request to a Web server for a protected area, the challenge process starts and the server returns a special 401 header indicating that the user is not authenticated. On detecting this response, the client browser automatically pops up a dialog box asking the user to enter a username and password. After the user completes the input and clicks OK, the identity information is sent to the server for verification. If the username and password are valid, the Web server lets the user enter the protected area and keeps the identity valid for the rest of the visit. Conversely, if the username or password cannot be verified, the client browser pops up the input window again and asks the user to try once more. This continues until the user enters the correct information; alternatively, a maximum number of attempts can be set, and the user's access request is automatically rejected once it is exceeded.
In a PHP script, the function header() sends HTTP headers directly to the client's browser, so the client automatically pops up the username and password input window and we get our identity authentication function. In PHP, the information entered by the client user is automatically stored in the three global variables $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE. Using these three variables, we can verify the user's identity against the account information stored in a data file or database.
However, note that the three variables $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE can be used only when PHP is installed as a module. If you are using PHP in CGI mode, you will not be able to implement this validation function. The method for installing PHP as a module is given in the appendix at the end of this article.
Below we use a MySQL database to store the users' identities. We need to look up each account's username and password in the database and compare them with the $PHP_AUTH_USER and $PHP_AUTH_PW variables to judge whether the user is genuine.
First, create a database that holds user information in MySQL
The database name is Xinxiku, the table name is user, and the table is defined as follows:
CREATE TABLE user (
  id INT(4) NOT NULL AUTO_INCREMENT,
  name VARCHAR(8) NOT NULL,
  password CHAR(8) NOT NULL,
  PRIMARY KEY (id)
);
Description
1, id is a serial number, cannot be null, increases automatically, and is the primary key;
2, name is the user name and cannot be empty;
3, password is the user's password and cannot be empty;
The following is the user authentication file login.php:
<?php
// Determine whether the user name is set
if (!isset($PHP_AUTH_USER))
{
    header('WWW-Authenticate: Basic realm="authentication feature"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Authentication failed, you do not have permission to share network resources!";
    exit();
}
/* Connect to the database */
$db = mysql_connect("localhost", "root", "");
// Select the database
mysql_select_db("Xinxiku", $db);
// Escape the client-supplied values before placing them in the SQL string
// (mysql_real_escape_string() requires PHP 4.3.0 or later)
$auth_user = mysql_real_escape_string($PHP_AUTH_USER, $db);
$auth_pw = mysql_real_escape_string($PHP_AUTH_PW, $db);
// Query whether the user exists
$result = mysql_query("select * from user where name='$auth_user' and password='$auth_pw'", $db);
if ($myrow = mysql_fetch_row($result))
{
    // The following are the related actions after successful authentication
    // ...
}
else
{
    // Authentication unsuccessful, prompt the user to re-enter
    header('WWW-Authenticate: Basic realm="authentication feature"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Authentication failed, you do not have permission to share network resources!";
    exit();
}
?>
Program Description:
The program first checks whether the variable $PHP_AUTH_USER is set. If it is not set, authentication is required: the script sends the HTTP 401 status, which tells the client's browser to authenticate, and the browser pops up an authentication window prompting the user for a username and password. After the input is complete, the script connects to the database and checks whether the username and password are correct. If they are, the login is allowed and the related operations are carried out; if not, the user continues to be asked for a username and password.
Function Description:
1, isset(): Determines whether a variable has been assigned. Returns true or false according to whether the variable has a value.
2, header(): Sends a specific HTTP header. Note that header() must be called before any HTML or PHP code that produces actual output.
3, mysql_connect(): Opens a connection to the MySQL server.
4, mysql_db_query(): Sends a query string to the MySQL database.
5, mysql_fetch_row(): Returns one result row as an array of its fields.
Second, implementing server verification with sessions
For pages that require authentication, it is best to use the Apache server's authentication. However, the interface of Apache server authentication is not friendly enough. Also, PHP in CGI mode, and PHP under IIS, cannot use Apache server authentication. In these cases we can use a session to keep the user's identity across different pages and so achieve authentication.
On the back end we again use the MySQL database above to store the user information.
We first write a user login interface, file name login.php, with the following code:
____________________________________________________________
<form action="login1.php" method="post">
User name: <input type="text" name="name"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" value="Login">
</form>
____________________________________________________________
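login1.php processes the submitted form with the following code:
<?php
$db = mysql_connect("localhost", "root", "");
mysql_select_db("Xinxiku", $db);
// Escape the submitted values before placing them in the SQL string
// (mysql_real_escape_string() requires PHP 4.3.0 or later)
$name = mysql_real_escape_string($name, $db);
$pass = mysql_real_escape_string($pass, $db);
$result = mysql_query("select * from user where name='$name' and password='$pass'", $db);
if ($myrow = mysql_fetch_row($result))
{
    // Register the user
    session_start();
    session_register("user");
    // mysql_fetch_row() returns a numerically indexed row; index 1 is the name column
    $user = $myrow[1];
    // Authentication successful, related actions
    // ...
}
else
{
    echo "Authentication failed, you do not have permission to share network resources!";
}
?>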
It should be explained here that users can use http://domainname/next.php?user=username to bypass authentication in subsequent operations. Therefore, each subsequent operation should first check whether the variable is registered in the session: if it is registered, perform the appropriate action; otherwise treat the request as an illegal login. The relevant code is as follows:
<?php
session_start();
if (!session_is_registered("user"))
{
    echo "Authentication failed: illegal login!";
}
else
{
    // Successful login, perform the related actions
    // ...
}
?>
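The same login and session check on a current PHP release, as an added example that is not part of the original article. It assumes PHP 7 or later, uses an in-memory SQLite database through PDO in place of the article's MySQL database so that it runs offline, and stores password_hash() output in a column wider than the article's CHAR(8); the function names and the sample account are constructed for illustration.

```php
<?php
// Added example, not the article's code. Assumptions: PHP 7+, PDO with the
// SQLite driver standing in for MySQL, password column holds a password hash.

// Constructed sample data: one account, "alice" with password "s3cret-pw".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO user (name, password) VALUES (?, ?)')
    ->execute(['alice', password_hash('s3cret-pw', PASSWORD_DEFAULT)]);

// Look the account up with a bound parameter, then compare against the hash.
function check_credentials(PDO $pdo, string $name, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password FROM user WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();          // false when no such user exists
    return is_string($hash) && password_verify($pass, $hash);
}

// Login step: the identity is written to the session only after the check passes.
// In a web request: call session_start(), pass $_POST and $_SESSION, and call
// session_regenerate_id(true) after a successful login.
function login(PDO $pdo, array $post, array &$session): bool
{
    $name = (string)($post['name'] ?? '');
    $pass = (string)($post['pass'] ?? '');
    if (!check_credentials($pdo, $name, $pass)) {
        return false;
    }
    $session['user'] = $name;
    return true;
}

// Guard for later pages: only session state counts, never request variables,
// so next.php?user=username has no effect on the result.
function is_logged_in(array $session): bool
{
    return isset($session['user']) && is_string($session['user']);
}

$session = [];  // stands in for $_SESSION when run from the command line
var_dump(login($pdo, ['name' => "o'brien", 'pass' => 'x'], $session));
var_dump(is_logged_in($session));
var_dump(login($pdo, ['name' => 'alice', 'pass' => 's3cret-pw'], $session));
var_dump(is_logged_in($session));
```

The first login attempt uses a name containing a quote character, which the bound parameter treats as plain data; only the second attempt marks the session as logged in.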
Appendix: Installing PHP as a module
1, First download the file mod_php4-4.0.1-pl2. [If you are not using PHP4, then upgrade quickly!]
After unpacking, there are three files: mod_php4.dll, mod_php4.conf, readme.txt
2, Copy the related files
Copy mod_php4.dll to the modules directory of the Apache installation directory
Copy mod_php4.conf to the conf directory of the Apache installation directory
Copy the msvcrt.dll file to the Apache installation directory
3, Open the conf/srm.conf file and add the line
Include conf/mod_php4.conf
Before doing this, remove all statements about CGI mode from your httpd.conf, that is, anything similar to the following section:
ScriptAlias /php4/ "c:/php4/"
AddType application/x-httpd-php4 .php
AddType application/x-httpd-php4 .php3
AddType application/x-httpd-php4 .php4
Action application/x-httpd-php4 "/php4/php.exe"
Getting PHP to support more file suffixes is no problem. The supplied configuration file mod_php4.conf already supports three suffixes: php, php3 and php4. If you want to support more, simply edit this file.
4, Testing
Test with <?php phpinfo(); ?>. You will see that the value of Server API is Apache, not CGI, and that the output includes HTTP headers information.