Does this Auth script have an unwanted loop?

Found the below script in a book I am reading.

However it seems to me to be a fatal flaw that if you run it but type in the
wrong details, you're basically buggered. As far as I can see, whatever
is initially entered into PHP_AUTH_USER and PHP_AUTH_PW are stored and then
compared against the database. However #10 simply looks for the presence of
data in PHP_AUTH_USER and PHP_AUTH_PW, finds something and compares it
again in a loop you cannot break out of.

Can someone confirm what I am saying or have I missed something obvious?



<?php
/* Program: Auth.php
 * Desc:    Program that prompts for a user name and
 *          password from the user using HTTP authentication.
 *          The program then tests whether the user
 *          name and password match a user name and password
 *          pair stored in a MySQL database.
 */

//Testing whether the user has been prompted for a user name
if (!isset($_SERVER['PHP_AUTH_USER']))          #10
{
    header('WWW-Authenticate: Basic realm="secret section"');
    header('HTTP/1.0 401 Unauthorized');        #13
    exit("This page requires authentication!"); #14
}                                               #15

// Testing the user name and password entered by the user
else
{
    $user_name    = trim($_SERVER['PHP_AUTH_USER']);
    $user_password= trim($_SERVER['PHP_AUTH_PW']);
    $connection   = mysqli_connect($host, $user, $passwd)
        or die("Couldn't connect to server."); #24
    $db           = mysqli_select_db($connection, $database)
        or die("Couldn't select database.");
    $sql          =
        "SELECT user_name FROM Valid_User WHERE user_name = '$user_name' AND password = md5('$user_password')";
    $result       = mysqli_query($connection, $sql)
        or die("Couldn't execute query."); #31
    $num          = mysqli_num_rows($result);

    if ($num < 1)   // user name/password not found        #33
    {
        exit("The User Name or password you entered is not valid.<br>");
    } #37
}     #38
// Web page content.                                     #39
include (""); #40

Re: Does this Auth script have an unwanted loop?

Looks like you are right. Please consider the examples on
When user provided wrong credentials, the 401 error should be sent.

Alexander - PHP/ZendFramework/Ajax blog
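
The fix described in the reply above, as an added example that is not part of the original thread or the book's code: a failed check re-sends the 401 challenge so the browser prompts again, and the lookup uses a bound parameter. It assumes $host, $user, $passwd and $database are defined as in the original script, and (an assumption that differs from the book's md5() column) that Valid_User.password stores password_hash() output; challenge() and credentials_valid() are hypothetical helper names.

```php
<?php
// Added example, not the book's code. Assumes $host, $user, $passwd and
// $database are defined elsewhere, and that Valid_User.password holds
// password_hash() output rather than md5() (assumption).

function challenge(string $message): void
{
    // The 401 + WWW-Authenticate pair tells the browser the credentials
    // were rejected, so it prompts again instead of replaying them.
    header('WWW-Authenticate: Basic realm="secret section"');
    header('HTTP/1.0 401 Unauthorized');
    exit($message);
}

function credentials_valid(mysqli $db, string $name, string $password): bool
{
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM Valid_User WHERE user_name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true if a row was fetched, null if none
    $stmt->close();
    return $found === true && password_verify($password, $hash);
}

// First request, or the user cancelled the prompt: no credentials yet.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    challenge('This page requires authentication!');
}

// Older PHP returns false on failure; PHP 8.1+ throws by default.
$db = mysqli_connect($host, $user, $passwd, $database);
if (!$db) {
    http_response_code(500);
    exit("Couldn't connect to server.");
}

// Wrong credentials: challenge again rather than exiting with a 200 page.
if (!credentials_valid($db, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    challenge('The User Name or password you entered is not valid.');
}

// Web page content follows only for an authenticated user.
```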
