hi, here is how I handle a basic authentication form against postgresql.

Put your dbname, user and passwd on $dbcredentials, put your table on $dbtable and the user and passwd cols on $dbid and $dbpw.

see you,
teixi.

ps: so in my case the testdb contains a test_table where the user column is called test_login and the passwd column is test_passw.

<?php
$dbcredentials = "dbname=testdb user=testuser password=xxxxxx";
$dbtable = "test_table";
$dbid = "test_login";
$dbpw = "test_passw";

function authy($inside)
{
    // $PHP_SELF is not visible inside a function (and needs register_globals);
    // read it from $_SERVER and escape it before putting it into the markup.
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES);
    echo "<form action=\"$self\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\">\n";
    echo "Login: <input type=\"text\" name=\"authy_user\" size=\"23\" maxlength=\"23\"><br>\n";
    echo "Password: <input type=\"password\" name=\"authy_pw\" size=\"20\" maxlength=\"20\"><br>\n\n";
    echo "<input name=\"Submit\" value=\"Submit\" type=\"submit\">\n";
    echo "<input name=\"Reset\" value=\"Reset\" type=\"reset\">\n";
    echo "</form>\n";
    if ($inside == '-1') {
        echo "<strong><p>Invalid credentials.</p></strong>";
    }
    exit;
}

// Read the form fields explicitly instead of relying on register_globals.
$authy_user = isset($_POST['authy_user']) ? $_POST['authy_user'] : '';
$authy_pw = isset($_POST['authy_pw']) ? $_POST['authy_pw'] : '';

if ($authy_user == '' || $authy_pw == '') {
    $inside = 0;
    authy($inside);
} else {
    $conn = pg_pconnect($dbcredentials) or die('DB Unavailable');
    $login = strtolower($authy_user);
    // Login and password are bound as parameters ($1, $2), so whatever the
    // browser sends can never become part of the SQL text itself.
    $data = "SELECT * FROM $dbtable WHERE $dbid = \$1 AND $dbpw = \$2";
    $query = pg_query_params($conn, $data, array($login, $authy_pw)) or die('Unable to execute query');
    if (!pg_num_rows($query)) {
        $inside = -1;
        authy($inside);
    } else {
        $inside = 1;
        pg_close($conn); // no-op for a persistent connection, kept for symmetry
    }
}
echo "<strong><p>You're Inside :-)</p></strong><br>";
?>

On Thu, 27 Dec 2001 10:51:03 -0500 (EST) Vince Vielhaber <vev@xxxxxxxxxxx> was typing:
> On 27 Dec 2001, Andrew McMillan wrote:
>
> > <snip>
> > > A couple of quick gotchas. 1) make sure you filter out all unwanted
> > > characters so someone can't execute sql calls inside of a username or
> > > password. 2) On failure make sure you send a 401 to the browser just
> > > like you do initially when asking for the password to clear out the old
> > > one - you can also use this to handle logouts.
> > <snip>
> >
> > I think that what Vince was getting at particularly, in replying to my
> > post suggesting not to use database-level users, was that if you are not
> > using database level users then there is a greater risk of this being a
> > problem. I would tend to dispute that - I think this is a risk
> > _anytime_. Paranoia rules.
>
> Nope, all I was saying was to filter out all input from the browser.
> you don't want any apostrophes, or probably anything other than a-z,
> A-Z, 0-9. and to use the 401 to clear out failures.
>
> Vince.
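Vince's two gotchas applied to the same PostgreSQL lookup, as an added example that is not teixi's code or anything from the thread: the browser's username and password are whitelisted to a-z, A-Z, 0-9 and rejected otherwise, the query is parameterised so neither value ever reaches the SQL text, and every failure (and an explicit logout) answers with a fresh 401 challenge so the browser drops the cached credentials. The DSN, realm, table and column names are assumptions.

```php
<?php
// Added example (not teixi's code): HTTP Basic auth against PostgreSQL,
// following the two gotchas quoted above. DSN/table/column names are assumed.
$dbcredentials = "dbname=testdb user=testuser password=xxxxxx";

function challenge(string $msg): void
{
    // A new 401 + WWW-Authenticate makes the browser forget what it cached,
    // so this single path serves failed logins and logouts alike.
    header('WWW-Authenticate: Basic realm="test_table"'); // realm is assumed
    http_response_code(401);
    echo "<strong><p>$msg</p></strong>";
    exit;
}

function valid_token(string $s): bool
{
    // Whitelist rather than strip: only a-z, A-Z, 0-9, between 1 and 23 chars.
    return preg_match('/^[A-Za-z0-9]{1,23}$/', $s) === 1;
}

if (isset($_GET['logout'])) {
    challenge('Logged out.');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pw   = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '' || $pw === '') {
    challenge('Login required.');
}
if (!valid_token($user) || !valid_token($pw)) {
    challenge('Invalid credentials.'); // reject outright, do not try to clean it up
}

$conn = pg_connect($dbcredentials) or die('DB Unavailable');
// Bound parameters travel separately from the statement text, so even if the
// whitelist were relaxed an apostrophe could not change the query.
$res = pg_query_params(
    $conn,
    'SELECT 1 FROM test_table WHERE test_login = $1 AND test_passw = $2',
    array(strtolower($user), $pw)
);
if ($res === false || pg_num_rows($res) === 0) {
    challenge('Invalid credentials.');
}
echo "<strong><p>You're Inside :-)</p></strong>";
?>
```

Comparing against a plaintext test_passw column mirrors the original post; in a real deployment the column should hold a hash and the check should go through password_verify().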