PHP and MySQL Web Development - P65 ppsx

Chapter 13 E-commerce Security Issues
Occasional brief power failures are a fact of life in most places. In locations with harsh weather and above ground wires, long failures occur regularly. If the continuous operation of your systems is important to you, you should invest in an uninterruptible power supply (UPS). A UPS that will power a single machine for 10 minutes will cost less than $300 (U.S.). Allowing for longer failures, or more equipment, can get expensive. Long power failures really require a generator to run air conditioning as well as computers.
Like power failures, network outages of minutes or hours are out of your control and bound to occur occasionally. If your network is vital, it makes sense to have connections to more than one Internet service provider. It will cost more to have two connections, but should mean that, in case of failure, you have reduced capacity rather than becoming invisible.
These sorts of issues are some of the reasons you might like to consider co-locating your machines at a dedicated facility. Although one medium-sized business might not be able to justify a UPS that will run for more than a few minutes, multiple redundant network connections, and fire suppression systems, a quality facility housing the machines of a hundred similar businesses can.
Next
In Chapter 14, we will look specifically at authentication—allowing your users to prove their identity. We will look at a few different methods, including using PHP and MySQL to authenticate your visitors.
17 525x ch13 1/24/03 3:37 PM Page 292
14 Implementing Authentication with PHP and MySQL
This chapter will discuss how to implement various PHP and MySQL techniques for authenticating a user.
Topics include
- Identifying visitors
- Implementing access control
- Basic authentication
- Using basic authentication in PHP
- Using Apache's .htaccess basic authentication
- Using basic authentication with IIS
- Using mod_auth_mysql authentication
- Creating your own custom authentication
Identifying Visitors
The Web is a fairly anonymous medium, but it is often useful to know who is visiting your site. Fortunately for visitors' privacy, you can find out very little about them without their assistance.
With a little work, servers can find out quite a lot about computers and networks that connect to them. A Web browser will usually identify itself, telling the server what browser, browser version, and operating system you are running. You can determine what resolution and color depth visitors' screens are set to and how large their Web browser windows are.
Each computer connected to the Internet has a unique IP address. From a visitor's IP address, you might be able to deduce a little about her. You can find out who owns an IP and sometimes have a reasonable guess as to a visitor's geographic location. Some addresses will be more useful than others. Generally people with permanent Internet connections will have a permanent address. Customers dialing into an ISP will usually only get the temporary use of one of the ISP's addresses. The next time you see that address, it might be being used by a different computer, and the next time you see that visitor, she will likely be using a different IP address.
Fortunately for Web users, none of the information that their browsers give out identifies them. If you want to know a visitor's name or other details, you will have to ask her.
Many Web sites provide compelling reasons to get users to provide their details. The New York Times newspaper () provides its content for free, but only to people willing to provide details such as name, sex, and total household income. Nerd news and discussion site Slashdot () allows registered users to participate in discussions under a nickname and customize the interface they see. Most e-commerce sites record their customers' details when they make their first order. This means that a customer is not required to type her details every time.
Having asked for and received information from your visitor, you need a way to associate the information with the same user the next time she visits. If you are willing to make the assumption that only one person visits your site from a particular account on a particular machine and that each visitor only uses one machine, you could store a cookie on the user's machine to identify the user. This is certainly not true for all users—frequently, many people share a computer and many people use more than one computer. At least some of the time, you will need to ask a visitor who she is again. In addition to asking who a user is, you will also need to ask a user to provide some level of proof that she is who she claims to be.
As discussed in Chapter 13, "E-commerce Security Issues," asking a user to prove her identity is called authentication. The usual method of authentication used on Web sites is asking visitors to provide a unique login name and a password. Authentication is usually used to allow or disallow access to particular pages or resources, but can be optional, or used for other purposes such as personalization.

Implementing Access Control
Simple access control is not difficult to implement. The code shown in Listing 14.1 delivers one of three possible outputs. If the file is loaded without parameters, it will display an HTML form requesting a username and password. This type of form is shown in Figure 14.1.
Figure 14.1 Our HTML form requests that visitors enter a username and password for access.
If the parameters are present but not correct, it will display an error message. Our error message is shown in Figure 14.2.
Figure 14.2 When users enter incorrect details, we need to give them an error message. On a real site, you might want to give a somewhat friendlier message.
If these parameters are present and correct, it will display the secret content. Our test content is shown in Figure 14.3.
The code to create the functionality shown in Figures 14.1, 14.2, and 14.3 is shown in Listing 14.1.
Figure 14.3 When provided with correct details, our script will display content.
Listing 14.1 secret.php—PHP and HTML to Provide a Simple Authentication Mechanism
<?php
//create short names for variables
//($HTTP_POST_VARS, used by the original PHP 4 listing, was removed in PHP 5.4;
//$_POST is its replacement, and ?? avoids the @ error suppression)
$name = $_POST['name'] ?? '';
$password = $_POST['password'] ?? '';

if(empty($name)||empty($password))
{
//Visitor needs to enter a name and password
?>
<h1>Please Log In</h1>
This page is secret.
<form method="post" action="secret.php">
<table border="1">
<tr>
<th> Username </th>
<td> <input type="text" name="name"> </td>
</tr>
<tr>
<th> Password </th>
<td> <input type="password" name="password"> </td>
</tr>
<tr>
<td colspan="2" align="center">
<input type="submit" value="Log In">
</td>
</tr>
</table>
</form>
<?php
}
//The listing continues on the next page of the book; the two remaining
//branches below close it as the text describes (correct details show the
//secret content, incorrect details show an error). The credentials are
//placeholders, not values from the book.
else if($name === 'PLACEHOLDER_USER' && $password === 'PLACEHOLDER_PASSWORD')
{
//Visitor's name and password combination are correct
echo '<h1>Secret content goes here</h1>';
}
else
{
//Visitor's name and password combination are not correct
echo '<h1>Login failed</h1>';
}
?>
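A hardened variant of the access-control script in Listing 14.1, added here as an example and not code from the book: it checks the password against a stored hash instead of a plaintext comparison, keeps the result in a session, gives one generic failure message, and on failed attempts records the IP address and browser identification discussed under "Identifying Visitors". It assumes a constructed account named demo (whose hash would normally live in a MySQL table) and the secret.php page name from the listing.

```php
<?php
// Added example, not the book's code: a hardened variant of Listing 14.1.
// Assumption (constructed for the demo): one account named "demo". In a real
// site the hash would be stored in a MySQL users table, never the password.
declare(strict_types=1);
session_start();

// password_hash() normally runs once at registration and the hash is stored;
// it is called here only so the demo is self-contained.
$users = ['demo' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
$dummyHash = password_hash('dummy', PASSWORD_DEFAULT); // used for unknown names

function check_login(array $users, string $dummyHash, string $name, string $password): bool
{
    // Always run password_verify(), even for unknown names, so the response
    // time does not reveal whether the username exists.
    $known = isset($users[$name]);
    $ok = password_verify($password, $known ? $users[$name] : $dummyHash);
    return $known && $ok;
}

function log_failure(string $name): void
{
    // As the chapter notes, the IP address and browser string do not identify
    // a person, but they still help to spot repeated failures from one source.
    error_log(sprintf('login failed name=%s ip=%s ua=%s', $name,
        $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['HTTP_USER_AGENT'] ?? '-'));
}

$name = (string)($_POST['name'] ?? '');
$password = (string)($_POST['password'] ?? '');

if (isset($_SESSION['user'])) {
    // Authenticated earlier in this session; no need to ask again.
    echo '<h1>Secret content for ' . htmlspecialchars($_SESSION['user']) . '</h1>';
} elseif ($name === '' || $password === '') {
    echo '<h1>Please Log In</h1>',
        '<form method="post" action="secret.php">',
        'Username <input type="text" name="name"> ',
        'Password <input type="password" name="password"> ',
        '<input type="submit" value="Log In"></form>';
} elseif (check_login($users, $dummyHash, $name, $password)) {
    session_regenerate_id(true);   // fresh session id on login blocks fixation
    $_SESSION['user'] = $name;
    echo '<h1>Secret content for ' . htmlspecialchars($name) . '</h1>';
} else {
    log_failure($name);
    // One generic message for "no such user" and "wrong password" alike.
    echo '<h1>Login failed</h1>Username or password incorrect.';
}
```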