So there are times when you want to write a PHP script accessible only to you, or a select few. The answer to your needs is using a password. There is more than one way to password-protect a script, but we're going to talk about the most efficient one: HTTP Authorization, as implemented in PHP.

HTTP Authorization has been available for some time now, and is usually achieved by using ".htaccess" files, along with accompanying ".htpasswd" files. But since PHP arrived, HTTP password protection became much easier.

The first step in protecting a script with HTTP Auth is to make that script send HTTP Code 401, which means "You need to send a password to see me", to users that don't send a username/password pair. This is easily achieved in PHP via the Header() function. The code flow on that is, using the $auth variable to describe the authorization state of the current user:

    if ( $auth != 1 ) { //if the user isn't authenticated
        header( 'WWW-Authenticate: Basic realm="Authorization Required!"' ); //this makes the browser generate a login box
        header( "HTTP/1.0 401 Unauthorized" ); //this tells the browser that further viewing is not permitted
        echo 'Authorization Required!'; //and this gets echoed if the user doesn't enter the correct username/password pair
        exit; //this makes the script exit, and the user session ends. No script for you!
    }
Basically what that means is that any user not sending a correct user/password pair in his HTTP request is not going to see the page, and will have a standard HTTP Login box appear (generated by his web browser). As previously discussed, HTTP Authorization is a long-used method and 99% of browsers are fully capable of handling this sort of message.

So, if no password is entered, a user gets booted. But if a password is entered, how do we check it? Well, PHP has two built-in variables especially for this method. They are $PHP_AUTH_USER and $PHP_AUTH_PW. These contain the username and the password, respectively, that the web user has entered. (These bare globals depend on the register_globals setting, which was removed in PHP 5.4; on current PHP the same values are read from $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].) These should be compared with a stored value, and if the username/password combination is correct, the HTTP 401 Code will not be repeated and the script will be executed. The code on that looks like this:
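    // On current PHP (no register_globals), read the credentials from $_SERVER
    $PHP_AUTH_USER = isset( $_SERVER['PHP_AUTH_USER'] ) ? $_SERVER['PHP_AUTH_USER'] : '';
    $PHP_AUTH_PW = isset( $_SERVER['PHP_AUTH_PW'] ) ? $_SERVER['PHP_AUTH_PW'] : '';

    $auth = 0; // Assume user is not authenticated
    if (($PHP_AUTH_USER === "foo" ) && ($PHP_AUTH_PW === "bar" ))
        $auth = 1; //If all is well, consider the user authenticated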
So that means that if the user has entered the correct username/password pair, the $auth variable will be set to "1", hence the authorization header will not be sent, and the script won't exit().

Of course comparing the $PHP_AUTH_* variables to another string can be a lot more creative than that. For example, you could use a MySQL database table to store username/password combinations, and then check the pair sent by the user against one of these. This way you can also get user-sensitive material on your website. Read phpFreak's "MySQL with PHP" category of tutorials for more info on using PHP to access MySQL databases.

Finally, here's the final code that should be added to your script to make it HTTP Authorization dependent. Remember! You have to add this at the beginning of your script, before anything is actually sent to the user's browser, since Header()s aren't headers if they don't come first.
    $PHP_AUTH_USER = isset( $_SERVER['PHP_AUTH_USER'] ) ? $_SERVER['PHP_AUTH_USER'] : ''; // needed on current PHP (no register_globals)
    $PHP_AUTH_PW = isset( $_SERVER['PHP_AUTH_PW'] ) ? $_SERVER['PHP_AUTH_PW'] : '';
    $auth = 0;
    if (($PHP_AUTH_USER === "foo" ) && ($PHP_AUTH_PW === "bar" )) $auth = 1;
    if ( $auth != 1 ) {
        header( 'WWW-Authenticate: Basic realm="Authorization Required!"' );
        header( "HTTP/1.0 401 Unauthorized" );
        echo 'Authorization Required!';
        exit;
    }
    ... your script goes here ...

Credit: www.phpfreaks.com
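The check described above, with the stored value kept as a password hash instead of a plaintext string. This is an added example, not code from the original tutorial; the function names check_basic_auth and require_basic_auth and the $users store are hypothetical, and the "foo"/"bar" pair is the tutorial's own sample.

```php
<?php
// Added example (not from the original tutorial). Function names and the
// $users store are hypothetical; the "foo"/"bar" pair is the page's sample.

// Constructed user store: username => password hash. In practice the hash is
// generated once with password_hash() and stored (file, MySQL table, ...).
$users = array(
    'foo' => password_hash('bar', PASSWORD_DEFAULT),
);

// Returns true only if the supplied pair matches a stored hash.
function check_basic_auth(array $users, array $server)
{
    $user = isset($server['PHP_AUTH_USER']) ? $server['PHP_AUTH_USER'] : '';
    $pass = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';

    // Unknown users are verified against a dummy hash so that the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-value', PASSWORD_DEFAULT);
    }
    $known = is_string($user) && isset($users[$user]);
    $hash = $known ? $users[$user] : $dummy;

    return password_verify($pass, $hash) && $known;
}

// Sends the 401 challenge and stops the script unless the check passes.
function require_basic_auth(array $users, array $server)
{
    if (!check_basic_auth($users, $server)) {
        header('WWW-Authenticate: Basic realm="Authorization Required!"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required!';
        exit;
    }
}

// Call before any output is sent, as with the tutorial's snippet.
if (PHP_SAPI !== 'cli') {
    require_basic_auth($users, $_SERVER);
} else {
    // Offline self-check with constructed request data.
    var_dump(check_basic_auth($users, array('PHP_AUTH_USER' => 'foo', 'PHP_AUTH_PW' => 'bar')));
    var_dump(check_basic_auth($users, array('PHP_AUTH_USER' => 'foo', 'PHP_AUTH_PW' => 'baz')));
    var_dump(check_basic_auth($users, array()));
}
```

Basic credentials travel base64-encoded, not encrypted, so a script protected this way should be served over HTTPS.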