- Does this Auth script have an unwanted loop?
- Phil Latio
November 1, 2006, 7:09 pm
However it seems to me to be a fatal flaw that if you run it but type in the
wrong details, you're basically buggered. As far as I can see, whatever
is initially entered into PHP_AUTH_USER and PHP_AUTH_PW are stored and then
compared against the database. However #10 simply looks for the presence of
data in PHP_AUTH_USER and PHP_AUTH_PW, finds something and compares it
again in a loop you cannot break out of.
Can someone confirm what I am saying or have I missed something obvious?
<?php
/* Program: Auth.php
 * Desc: Program that prompts for a user name and
 * password from the user using HTTP authentication.
 * The program then tests whether the user
 * name and password match a user name and password
 * pair stored in a MySQL database.
 */
// $host, $user, $passwd and $database must be defined before this point.
//Testing whether the user has been prompted for a user name
if (!isset($_SERVER['PHP_AUTH_USER'])) #10
{
    header('WWW-Authenticate: Basic realm="secret section"');
    header('HTTP/1.0 401 Unauthorized'); #13
    exit("This page requires authentication!"); #14
}
// Testing the user name and password entered by the user
$user_name = trim($_SERVER['PHP_AUTH_USER']);
$user_password = trim($_SERVER['PHP_AUTH_PW'] ?? '');
$connection = mysqli_connect($host, $user, $passwd) or die("Couldn't connect to server."); #24
$db = mysqli_select_db($connection, $database) or
    die("Couldn't select database.");
// Escape both values before they are placed inside the quoted SQL strings.
$user_name = mysqli_real_escape_string($connection, $user_name);
$user_password = mysqli_real_escape_string($connection, $user_password);
$sql = "SELECT user_name FROM Valid_User WHERE user_name = '$user_name' AND
        password = md5('$user_password')";
$result = mysqli_query($connection, $sql) or die("Couldn't execute query.");
$num = mysqli_num_rows($result);
if ($num < 1) // user name/password not found #33
{
    exit("The User Name or password you entered is not valid.<br>");
}
// Web page content. #39
include ("Welcome.inc"); #40
Re: Does this Auth script have an unwanted loop?
Looks like you are right. Please consider the examples on
When the user provided wrong credentials, the 401 error should be sent
http://www.alexatnet.com/ - PHP/ZendFramework/Ajax blog
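
A version of the script that re-sends the 401 challenge when the credentials are rejected, as the reply suggests, so the browser prompts again instead of replaying the cached pair. This is an added example, not the book's code or either poster's; it assumes `$host`, `$user`, `$passwd` and `$database` are defined elsewhere and that `Valid_User.password` stores `password_hash()` output rather than MD5, and `challenge()` and `credentials_valid()` are hypothetical helper names.

```php
<?php
// Added example. Assumed: $host, $user, $passwd, $database are defined elsewhere
// and Valid_User.password holds password_hash() output, not MD5 as in the post.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // database errors throw

// Hypothetical helper: send the Basic challenge and stop.
function challenge(string $message): void
{
    header('WWW-Authenticate: Basic realm="secret section"');
    header('HTTP/1.0 401 Unauthorized');
    exit($message);
}

// Hypothetical helper: true only when the user exists and the password matches.
function credentials_valid(mysqli $db, string $name, string $password): bool
{
    // Prepared statement: the user name is bound, never spliced into the SQL text.
    $stmt = mysqli_prepare($db, 'SELECT password FROM Valid_User WHERE user_name = ?');
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt); // true = row fetched, null = no such user
    mysqli_stmt_close($stmt);
    // The password is checked in PHP against the stored hash, not inside the query.
    return $found === true && password_verify($password, $hash);
}

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    challenge('This page requires authentication!');
}

try {
    $connection = mysqli_connect($host, $user, $passwd, $database);
    $ok = credentials_valid($connection, trim($_SERVER['PHP_AUTH_USER']), $_SERVER['PHP_AUTH_PW']);
} catch (mysqli_sql_exception $e) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Authentication is unavailable.');
}

if (!$ok) {
    // Rejected credentials get a fresh 401, which makes the browser ask again.
    challenge('The User Name or password you entered is not valid.');
}

include 'Welcome.inc';
```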