PHP and MySQL Web Development - P69 ppsx

312
Chapter 14 Implementing Authentication with PHP and MySQL
Listing 14.9 .htaccess—This .htaccess File Authenticates Users Against a MySQL Database
ErrorDocument 401 /chapter14/rejection.html
AuthName "Realm Name"
AuthType Basic
Auth_MySQL_DB auth
Auth_MySQL_Encryption_Types MySQL
Auth_MySQL_Password_Table auth
Auth_MySQL_Username_Field name
Auth_MySQL_Password_Field pass
require valid-user
You can see that much of Listing 14.9 is the same as Listing 14.7. We are still specifying an error document to display in the case of error 401 (when authentication fails). We again specify basic authentication and give a realm name. As in Listing 14.7, we will allow any valid, authenticated user access.
Because we are using mod_auth_mysql and did not want to use all the default settings, we have some directives to specify how this should work. Auth_MySQL_DB, Auth_MySQL_Password_Table, Auth_MySQL_Username_Field, and Auth_MySQL_Password_Field specify the name of the database, the table, the username field, and the password field, respectively.
We are including the directive Auth_MySQL_Encryption_Types to specify that we want to use MySQL password encryption. Acceptable values are Plaintext, Crypt_DES, or MySQL. Crypt_DES is the default, and uses standard UNIX DES–encrypted passwords.
From the user perspective, this mod_auth_mysql example will work in exactly the same way as the mod_auth example. She will be presented with a dialog box by her Web browser. If she successfully authenticates, she will be shown the content. If she fails, she will be given our error page.
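The following added example (not code from the book or from mod_auth_mysql) models what the module does with Listing 14.9: it decodes the browser's RFC 2617 Basic credential, looks the name up in the auth table (here sqlite3 standing in for MySQL, with the same name/pass columns), and compares using the configured Auth_MySQL_Encryption_Types. It assumes the MySQL 4.1+ PASSWORD() format (SHA1 of SHA1, uppercase hex with a leading asterisk); the shorter hash the book's MySQL 3.x/4.0 era produced is not reproduced. The Plaintext branch shows why that setting is the weak one: the pass column then holds the password itself.

```python
import base64
import hashlib
import hmac
import sqlite3


def mysql_password(plain: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(plain)) (assumption: not the pre-4.1 hash)."""
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def build_auth_table(users, encryption_type="MySQL"):
    """Constructed sample of the table Listing 14.9 points at: database auth, table auth, fields name/pass."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth (name TEXT PRIMARY KEY, pass TEXT NOT NULL)")
    stored = [(n, mysql_password(p) if encryption_type == "MySQL" else p) for n, p in users]
    db.executemany("INSERT INTO auth (name, pass) VALUES (?, ?)", stored)
    return db


def parse_basic_authorization(header: str):
    """Decode 'Basic base64(user:pass)' as sent by the browser; None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(db, header: str, encryption_type: str = "MySQL") -> bool:
    """Equivalent of 'require valid-user' for Auth_MySQL_Encryption_Types MySQL or Plaintext."""
    creds = parse_basic_authorization(header)
    if creds is None:
        return False
    user, password = creds
    row = db.execute("SELECT pass FROM auth WHERE name = ?", (user,)).fetchone()
    if row is None:
        return False
    candidate = mysql_password(password) if encryption_type == "MySQL" else password
    # Constant-time comparison so a mismatch does not reveal how far the strings agreed.
    return hmac.compare_digest(candidate.encode("utf-8"), row[0].encode("utf-8"))


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends after the realm dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```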
For many Web sites, mod_auth_mysql is ideal. It is fast, relatively easy to implement, and allows you to use any convenient mechanism to add database entries for new users.
For more flexibility, and the ability to apply fine-grained control to parts of pages, you
might want to implement your own authentication using PHP and MySQL.
Creating Your Own Custom Authentication
We have looked at creating our own authentication methods, including some of their flaws and compromises, and at using built-in authentication methods, which are less flexible than writing your own code. Later in the book, when we have covered session control, you will be able to write your own custom authentication with fewer compromises than in this chapter.
18 525x ch14 1/24/03 3:37 PM Page 312
In Chapter 20, “Using Session Control in PHP,” we will develop a simple user authentication system that avoids some of the problems we have faced here by using sessions to track variables between pages.
In Chapter 24, “Building User Authentication and Personalization,” we apply this approach to a real-world project and see how it can be used to implement a fine-grained authentication system.
Further Reading
The details of HTTP authentication are specified by RFC 2617, which is available at
The documentation for mod_auth, which controls basic authentication in Apache, can be found at
The documentation for mod_auth_mysql is inside the download archive. It is a tiny download, so even if you just want to find out more about it, downloading the archive to look at the readme is not silly.
Next
The next chapter explains how to safeguard data at all stages of processing from input, through transmission, and in storage. It includes the use of SSL, digital certificates, and encryption.
15
Implementing Secure Transactions with PHP and MySQL
In this chapter, we will explain how to deal with user data securely from input, through transmission, and in storage. This will allow us to implement a transaction between us and a user securely from end to end. Topics include
- Providing secure transactions
- Using Secure Sockets Layer (SSL)
- Providing secure storage
- Why are you storing credit card numbers?
- Using encryption in PHP
Providing Secure Transactions
Providing secure transactions using the Internet is a matter of examining the flow of information in your system and ensuring that at each point, your information is secure.
In the context of network security, there are no absolutes. No system is ever going to be impenetrable. By secure we mean that the level of effort required to compromise a system or transmission is high compared to the value of the information involved.
If we are to direct our security efforts effectively, we need to examine the flow of information through all parts of our system. The flow of user information in a typical application, written using PHP and MySQL, is shown in Figure 15.1.
Chapter 15 Implementing Secure Transactions with PHP and MySQL
Figure 15.1 User information is stored or processed by the following elements of a typical Web application environment.
The details of each transaction occurring in your system will vary, depending both on your system design and on the user data and actions that triggered the transaction. You can examine all of these in a similar way. Each transaction between a Web application and a user begins with the user’s browser sending a request through the Internet to the Web server. If the page is a PHP script, the Web server will delegate processing the page to the PHP engine.
The PHP script might read or write data to disk. It might also include() or require() other PHP or HTML files. It will also send SQL queries to the MySQL daemon and receive responses. The MySQL engine is responsible for reading and writing its own data on disk.
This system has three main parts:
- The user’s machine
- The Internet
- Your system
We will look at security considerations for each separately, but obviously the user’s
machine and the Internet are largely out of your control.
The User’s Machine
From our point of view, the user’s machine is running a Web browser. We have no control over other factors such as how securely the machine is set up. We need to bear in mind that the machine might be very insecure or even a shared terminal at a library, school, or café.
Many different browsers are available, each having slightly different capabilities. If we only consider recent versions of the most popular two browsers, most of the differences between them only affect how HTML will be rendered and displayed, but there are security or functionality issues that we need to consider.
[Figure 15.1 components: User’s Browser, Internet, Web Server, Stored Pages & Scripts, PHP Engine, Data Files, MySQL Engine, MySQL Data]