0 401 Unauthorized");
exit;
}
if(! isset($_SERVER['PHP_AUTH_USER'])) {
authenticate_user();
} else {
mysql_connect("localhost","authenticator","secret")
or die("Can't connect to database server!");
mysql_select_db("corporate")
or die("Can't select authentication database!");
$query = "SELECT username, pswd FROM logins
WHERE username='$_SERVER[PHP_AUTH_USER]'
AND pswd=MD5('$_SERVER[PHP_AUTH_PW]')
AND ip='$_SERVER[REMOTE_ADDR]'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 0)
authenticate_user();
else
echo "Welcome to the secret archive!";
mysql_close();
} # end if
?>
CHAPTER 14 – AUTHENTICATING YOUR USERS 377
Although this additional layer of security works quite well, keep in mind it is not
foolproof. IP spoofing, or tricking a network into thinking that traffic is emanating
from a particular IP address, has long been a tool in the savvy attacker's toolbox.
Therefore, if such an attacker gains access to a user's username and password, they
could conceivably circumvent your IP-based security obstacles. Bear in mind also that
$_SERVER['REMOTE_ADDR'] holds the address of whatever opened the TCP connection to
your web server: behind a reverse proxy or load balancer that is the proxy's address,
not the user's, and users behind a shared NAT gateway all present the same address.
The check can therefore lock out a legitimate user whose address changes while still
admitting anyone who shares that user's gateway and knows the credentials.
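The script above builds its query by interpolating the client-supplied username, password and address straight into the SQL text, and stores passwords as bare MD5 digests. The following is an added example, not the book's own code, showing the same Basic-auth plus IP check written with PDO prepared statements and password_verify(). It assumes PHP 7.4 or later with the pdo_mysql driver, the same logins table (columns username, pswd, ip) as on the page, a realm name of "Secret Archive", and that the pswd column now holds password_hash() output rather than MD5 digests; the vulnerable query is kept alongside for comparison.

```php
<?php
// Added example (not from the book): Basic auth + IP check with prepared
// statements and password_verify(). Assumptions: PHP 7.4+, pdo_mysql, a
// "logins" table with columns username, pswd, ip, and pswd storing
// password_hash() output instead of MD5 digests.

declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=corporate;charset=utf8mb4';
const DB_USER = 'authenticator';
const DB_PASS = 'secret';

function authenticate_user(): void
{
    header('WWW-Authenticate: Basic realm="Secret Archive"'); // realm assumed
    header('HTTP/1.0 401 Unauthorized');
    exit;
}

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

/*
 * The vulnerable pattern from the page, for comparison only: the client
 * controls every interpolated value, so a username such as
 *     admin' AND ip='' OR '1'='1
 * becomes part of the SQL text. Never build the query this way.
 */
function vulnerable_query(string $user, string $pw, string $ip): string
{
    return "SELECT username, pswd FROM logins
            WHERE username='$user' AND pswd=MD5('$pw') AND ip='$ip'";
}

/*
 * Hardened check: the username is bound as a parameter, so it can never alter
 * the query; the password is verified in PHP with password_verify() rather
 * than compared by the database. Returns true only when the user exists, the
 * password matches and the stored IP equals the connecting address.
 */
function check_credentials(PDO $pdo, string $user, string $pw, string $ip): bool
{
    $stmt = $pdo->prepare(
        'SELECT pswd, ip FROM logins WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a freshly computed dummy hash when the user is unknown,
    // so response time does not reveal which usernames exist.
    $hash = $row['pswd'] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    $pwOk = password_verify($pw, $hash);

    // hash_equals() compares the strings in constant time.
    $ipOk = $row !== false && hash_equals((string) $row['ip'], $ip);

    return $row !== false && $pwOk && $ipOk;
}

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    authenticate_user();
}

// REMOTE_ADDR is the peer of the TCP connection. Behind a reverse proxy it is
// the proxy's address, not the user's, so this check must not be relied on there.
$ip = $_SERVER['REMOTE_ADDR'] ?? '';

if (check_credentials(db(), $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], $ip)) {
    echo "Welcome to the secret archive!";
} else {
    authenticate_user();
}
```

Rows are created with `password_hash($plaintext, PASSWORD_DEFAULT)`, and the hash is checked in PHP so the database never sees the plaintext password and the comparison is not affected by the column's collation.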
Taking Advantage of PEAR: Auth_HTTP
While the approaches to authentication discussed thus far work just fine, it's always
nice to hide some of the implementation details within a class. The PEAR class
Auth_HTTP satisfies this desire quite nicely, taking advantage of Apache's authentication
mechanism and prompt (see Figure 14-1) to produce an identical prompt but
using PHP to manage the authentication information.