PHP 5 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
PHP 5
  • SI 539
  • Fall 2004
  • Prof. Sandra Bartlett

2
New Stuff for Today
  • Authentication
  • Sessions

3
User Authentication
  • Have login name and password stored somewhere
  • Get login and password from user
  • Check if login and password from user match
    stored login name and password
  • If a match is found do something (e.g., enter
    site, show data, etc.)
  • Else do something else (e.g., let user try
    again, refuse site entry, etc.)

4
Make a password table
  • Login to projects machine
  • Login to database
  • Make password table:
    CREATE TABLE password
    ( name VARCHAR (20), passwd VARCHAR (20),
      ID INT NOT NULL AUTO_INCREMENT, PRIMARY KEY (ID)
    );

5
Or
  • add login and password columns to your table
  • (which you do depends on the structure of your
    database)

6
Password Table Security
  • Encrypt all passwords
  • Choose a "salt" to use for encrypting all
    passwords
  • Use crypt() (PHP string function)

7
Create a Login Form
    <form method="POST" action="doLogin.php">Username:
    <input type="text" name="name" size="10"/>
    <br/>
    Password:
    <input type="password" name="passwd" size="10"/>
    <br/>
    <input type="submit" name="submit" value="Login"/>
    </form>

8
Authenticate: doLogin.php
    <?php
    include("auth.inc");
    doDBconnect();
    // $salt is the site-wide salt chosen on slide 6 (assumed to be set in auth.inc)
    $cryptPass = crypt($_POST['passwd'], $salt);
    $result = mysql_query("SELECT ID FROM password
                           WHERE name=\"$_POST[name]\" AND
                           passwd=\"$cryptPass\"");
    if (mysql_fetch_array($result))
        echo("Successfully Logged In!
              <a href=\"goodStuff.php\">Enter Site</a>");
    ?>
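A hardened version of the login check above, added here as an example and not part of the course's doLogin.php. The slide's query builds its SQL text out of $_POST values, so a name or password containing a double quote changes the query that runs, and crypt() with one site-wide salt gives two users with the same password the same stored string. The version below keeps the name/passwd/ID table from slide 4 (assuming passwd is widened to VARCHAR(255) so a password_hash() string fits), sends user input to MySQL through a PDO prepared statement, and lets password_hash() choose a fresh random salt per user. getDB() and its connection details are assumptions.

```php
<?php
// Added example (not the course's doLogin.php): the same login check written
// with a prepared statement and password_hash()/password_verify().
// Assumes the "password" table from slide 4 with passwd VARCHAR(255), and a
// hypothetical getDB() that returns a PDO connection.

function getDB(): PDO {
    // Hypothetical connection details; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=si539', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Store a new account. password_hash() picks a random salt for each user,
// so no shared $salt constant is needed as in the crypt() version.
function createUser(PDO $pdo, string $name, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO password (name, passwd) VALUES (:name, :passwd)');
    $stmt->execute([':name' => $name, ':passwd' => $hash]);
}

// Return the user's ID on success, or null if the name/password pair does not
// match. The user-supplied values are bound as parameters and never become part
// of the SQL text, so a name containing quotes is just a string that matches nothing.
function checkLogin(PDO $pdo, string $name, string $password): ?int {
    $stmt = $pdo->prepare('SELECT ID, passwd FROM password WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Run a hash check anyway so the response time does not reveal
        // whether the user name exists.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }
    if (!password_verify($password, $row['passwd'])) {
        return null;
    }
    return (int) $row['ID'];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo    = getDB();
    $name   = $_POST['name'] ?? '';
    $passwd = $_POST['passwd'] ?? '';
    $userId = checkLogin($pdo, $name, $passwd);
    if ($userId !== null) {
        echo 'Successfully Logged In! <a href="goodStuff.php">Enter Site</a>';
    } else {
        // One message for both "unknown name" and "wrong password".
        echo 'Login failed. <a href="authForm.html">Try again</a>';
    }
}
?>
```

createUser() is what a registration page would call; checkLogin() replaces the mysql_query()/mysql_fetch_array() pair on the slide. The mysql_* functions themselves have no prepared statements and were removed in PHP 7, which is why the example uses PDO.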

9
Watch it Work!
  • http://projects.si.umich.edu/bartlett/authForm.html

10
Alternative login form
  • Let the browser make your login form!
    header('WWW-Authenticate: Basic realm="My Project Name"');
    header('HTTP/1.0 401 Unauthorized');

11
How it fits in
    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        header('WWW-Authenticate: Basic realm="My Project Name"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Text to send if user hits Cancel button';
    } // if
    else {
        // use $_SERVER['PHP_AUTH_USER'] and
        // $_SERVER['PHP_AUTH_PW']
        // like you would use $_POST['name'] and $_POST['passwd']
        // and do what you want to do if they have attempted a login
    } // else

12
Watch it Work!
  • http://projects.si.umich.edu/bartlett/sysAuth.php

13
Which to Choose?
  • Make your own form
  • Can have site look and feel; users know it is
    part of your site
  • Use browser form
  • Less code for you to write
  • Connection with your site is lost (pops up,
    different look)
  • Your design decision

14
Oops!
  • This authentication works fine for the page it is
    on, but everything is forgotten when the user
    goes to a new page (a "feature" of web pages)

15
Why Move Information from Page to Page
  • Keep track of authentication across pages (login
    once)
  • Use browser information to customize pages (check
    browser once)
  • Personalize each page (ask user for name once and
    use it on each page)
  • Fill a form with information from the previous
    page

16
How To?
  • Add info to the URL of the next page (user can
    change it, limited size)
  • Forms / hidden fields (user has to click the
    submit button to go to another page)
  • Cookies (most convenient, most secure, but user
    can refuse them)
  • Sessions

17
What is a cookie?
  • Information for a web site that is saved on a
    user's hard drive (text only)
  • Stores user data between site pages and site
    visits
  • Number of visits
  • Login and password info
  • User preferences
  • Shopping cart info
  • etc

18
Cookie parameters
  • The name of the cookie,
  • The value of the cookie,
  • The expiration date of the cookie,
  • The path the cookie is valid for,
  • The domain the cookie is valid for,
  • The need for a secure connection to exist to use
    the cookie.
  • (data is often encrypted, so you can't mess with
    it)
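The cookie parameters listed above in working code, as an added example (not from the slides): a visit counter of the kind slide 17 mentions, set with setcookie()'s options array (PHP 7.3 or later) and signed with an HMAC so that a client who edits the stored number is detected instead of believed, which is the point of the last bullet. COOKIE_KEY is a placeholder for a secret held only on the server.

```php
<?php
// Added example (not from the slides): a visit counter kept in a cookie, with
// every setcookie() parameter from slide 18 spelled out, plus an HMAC so a
// modified value fails verification. COOKIE_KEY is a placeholder secret.

const COOKIE_KEY = 'replace-with-a-long-random-server-secret';

// Cookie layout: value|hmac. The HMAC covers the value, so a changed value
// no longer matches its tag.
function signValue(string $value): string {
    return $value . '|' . hash_hmac('sha256', $value, COOKIE_KEY);
}

// Return the value if its tag checks out, otherwise null.
function verifyValue(string $cookie): ?string {
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$value, $mac] = $parts;
    $expected = hash_hmac('sha256', $value, COOKIE_KEY);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $mac) ? $value : null;
}

// Read the previous count (0 if absent or tampered with) and store count+1.
function countVisit(): int {
    $visits = 0;
    if (isset($_COOKIE['visits'])) {
        $stored = verifyValue($_COOKIE['visits']);
        if ($stored !== null && ctype_digit($stored)) {
            $visits = (int) $stored;
        }
    }
    $visits++;
    setcookie('visits', signValue((string) $visits), [  // name, value
        'expires'  => time() + 30 * 24 * 60 * 60,       // expiration date: 30 days
        'path'     => '/',                              // valid for the whole site
        'domain'   => '',                               // current host only
        'secure'   => true,                             // sent only over a secure connection
        'httponly' => true,                             // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    return $visits;
}

// setcookie() sends a header, so this must run before any output,
// just like session_start() on slide 23.
$visits = countVisit();
?>
<html><body>
<p>You have visited this site <?php echo $visits; ?> time(s).</p>
</body></html>
```

Signing stops tampering but not reading: the count is still plain text on the user's disk, so anything private (the "login and password info" bullet on slide 17) should not be stored in a cookie at all; keep it on the server and use a session, as the next slides do.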

19
What is a Session?
  • The time the user spends at your Web site
  • Often want info to follow the user as they use
    your site like authentication
  • PHP session object
  • Save info in session variables and pass it from
    page to page

20
How does a PHP session work?
  • Assigns an ID number
  • Stores ID and session variable values in a file
    on the server (not the client, like cookies)
  • Passes the session ID to every page (so the
    server knows what file to get info from)
  • Cookie
  • In the URL
  • Gets variables from server file for each page

21
How should you handle Sessions?
  • projects
  • PHP version 4.3.2
  • register_globals off
  • session.auto_start off
  • session.use_trans_sid off
  • Skinner
  • ??? (I don't have an account on Skinner)
  • To find out, make a .php file with the following
    code and bring it up in a browser:
    <?php
    phpinfo();
    ?>
  • Other servers: ???? (See PHP documentation)

22
Use _SESSION to Preserve Data Across Web Pages
in a Site
  • Improved security
  • Improved code readability
  • Don't need to use
  • session_register()
  • session_unregister()
  • session_is_registered()

23
Sessions on Projects (1)
  • Put this line of code at the beginning of every
    page that needs the session variables BEFORE
    ANYTHING IS PRINTED:
    session_start();

24
When is something printed?
  • Any HTML
  • Wrong!!!
    <html>
    <?php session_start(); ?>
  • Right
    <?php session_start(); ?>
    <html>
  • Any echo or print
  • Wrong!!!!
    <?php echo "something"; session_start(); ?>
  • Right
    <?php session_start(); echo "something"; ?>

25
Sessions on Projects (2)
  • Create a new session variable
    $_SESSION['count'] = 0;
  • Use a session variable
    $_SESSION['count'] = 29;
    $_SESSION['count']++;
    echo $_SESSION['count'];
  • Destroy a session variable
    unset($_SESSION['count']);
  • WARNING: do NOT unset($_SESSION)

26
Example
  • http://projects.si.umich.edu/bartlett/junk.php

27
Security
  • Attacks on session IDs
  • Interception
  • Prediction
  • Brute-force
  • Protection against these attacks
  • Encryption (require SSL)
  • Strong algorithm for session ID generation
  • Long session ID and few concurrent sessions
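An added example (not the course's code) that puts slides 23 to 25 and the protections on this slide together: startSecureSession() goes at the top of every page before anything is printed, loginSession() is called from doLogin.php once the password check succeeds, and requireLogin() guards pages such as goodStuff.php. The ini settings are PHP's own (session.use_strict_mode exists from PHP 5.5.2, session.sid_length from 7.1, session.cookie_samesite from 7.3); IDLE_LIMIT and the login page name are assumptions.

```php
<?php
// Added example, not the course's code: session handling that addresses the
// three session-ID attacks on slide 27 (interception, prediction, brute force).
// IDLE_LIMIT and the login page name 'authForm.html' are assumptions.

const IDLE_LIMIT = 15 * 60; // seconds of inactivity before the session is dropped

function startSecureSession(): void {
    // Interception: the session cookie travels only over SSL/TLS and is not
    // readable by scripts in the page.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    // Never carry the ID in the URL (slide 20's second option): a URL-borne ID
    // ends up in logs, bookmarks and Referer headers.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Prediction / brute force: PHP 7.1+ draws IDs from a CSPRNG; a 48-character
    // ID with 6 bits per character is far too large to guess.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');
    // Refuse an ID the server did not issue instead of creating a session under it.
    ini_set('session.use_strict_mode', '1');

    session_start(); // must come before any output (slide 24)

    // Drop sessions that have sat idle too long, then start a clean one.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        session_unset();
        session_destroy();
        session_start();
    }
    $_SESSION['last_seen'] = time();
}

// After a successful password check: bind the user to a brand-new session ID,
// so an ID that existed before login cannot be reused by anyone who saw it.
function loginSession(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// On every protected page: send anonymous visitors back to the login form.
function requireLogin(string $loginPage = 'authForm.html'): int {
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $loginPage);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Logout: clear the variables (never unset($_SESSION) itself, slide 25),
// expire the cookie, and remove the server-side file.
function logoutSession(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on a protected page such as goodStuff.php:
startSecureSession();
$userId = requireLogin();
?>
<html><body>
<p>Welcome back, user <?php echo $userId; ?>.</p>
</body></html>
```

session.cookie_secure means the session only works over HTTPS, which is what the "require SSL" bullet asks for; on a plain-HTTP test server the cookie is never sent and every request looks anonymous. The idle timeout and session_regenerate_id() limit how long a captured ID stays useful, which is the practical form of the "few concurrent sessions" bullet.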

28
Cookies
  • http://www.phpfreaks.com/tutorials/120/0.php