Robert Cox wrote:
Is it possible to use the "$_SERVER['PHP_AUTH_USER'];" construct in a URL
forwarded site? I am trying to find the authorised user id so that I can
access an SQL database with it. Anyone got some ideas?
PHP looks like this....
<?php
//Get User
$user = $_SERVER['PHP_AUTH_USER'];
// Get User type
$db = mysql_connect('localhost', ....., .....) or die("Can't connect to database: ".mysql_error());
mysql_select_db(................) or die("Can't select database: ".mysql_error());
You should always run mysql_real_escape_string() on any variables that
you use in an SQL statement.
$query = "SELECT * FROM user WHERE staffid LIKE $user";
You need to make sure that you surround your string with quotes. This
is only if $user is a string; if it is an int/number, then forget the
quotes.
$query = "SELECT * FROM user WHERE staffid LIKE '$user'";
The following should always reference your above DB resource $db
Plus, this isn't how you should be checking for a valid user.
The following would only hit the die() statement if there was an error
with the SQL statement. Not if it didn't return any results.
mysql_query($query, $db) or die('Not a valid user: '.mysql
$result = mysql_query($query) or die ('Not a valid User: ' .
mysql_error());
....
?>
Note: You need to make sure that magic_quotes_gpc is not enabled. That
will mess with doing things this way.
Note: I am assuming that you will only match one and only one. If that
is the case you need to switch the LIKE to an = instead.
staffid = '{$user}'
Don't worry about the curly braces, they are for PHP to identify the
variable. They won't show up in your actual SQL statement.
All that being said, try this instead.
<?php
// Get User type
$db = mysql_connect('localhost', ....., .....) or
die("Can't connect to database: ".mysql_error());
mysql_select_db(................) or
die("Can't select database: ".mysql_error());
//Get User
$user = mysql_real_escape_string(@$_SERVER['PHP_AUTH_USER'], $db);
$query = "SELECT * FROM user WHERE staffid = '{$user}'";
$result = mysql_query($query, $db) or
die('Error with query: '.mysql_error());
if ( mysql_num_rows($result) == 0 ) {
// No results found, assume user does not exist
} else {
// User exists, do something about it.
}
....
?>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
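The same lookup written with PDO prepared statements, as an added example that is not part of the thread above. The mysql_* extension used in the reply was removed in PHP 7; with a bound parameter the value is sent as data, so the escaping and quoting concerns raised in the reply (mysql_real_escape_string(), surrounding quotes, magic_quotes_gpc) do not apply. It keeps the reply's other two points: an exact `=` match instead of LIKE, and an explicit no-rows check rather than relying on `or die()`. The table `user`, column `staffid`, DSN and credentials are placeholders assumed for the example.

```php
<?php
// Added example, not code from the original thread.
// Assumptions: table `user` with column `staffid`; DSN/credentials below
// are placeholders to replace.

declare(strict_types=1);

/**
 * Look up the HTTP-authenticated user. Returns the matching row, or null
 * when the request carried no PHP_AUTH_USER or the user is not in the table.
 */
function findAuthenticatedUser(PDO $db, array $server): ?array
{
    // PHP_AUTH_USER is only present when the web server authenticated this
    // request itself; treat a missing or empty value as "not logged in".
    $user = $server['PHP_AUTH_USER'] ?? '';
    if ($user === '') {
        return null;
    }

    // Exact match (=) rather than LIKE: LIKE treats % and _ as wildcards,
    // so a username containing them would match more than one row.
    // The bound parameter is transmitted as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT * FROM user WHERE staffid = :staffid');
    $stmt->execute([':staffid' => $user]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // fetch() returns false when the query returned no rows. That is the
    // "user does not exist" case, which `mysql_query() or die()` never
    // caught because an empty result is not a query error.
    return $row === false ? null : $row;
}

// Placeholder connection details (assumption; replace with your own).
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // SQL errors throw
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]
);

$row = findAuthenticatedUser($db, $_SERVER);
if ($row === null) {
    // Unknown or unauthenticated user: re-challenge instead of continuing.
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Staff"');
    exit('Not a valid user');
}
// $row now holds the authenticated user's record.
```

Because `PDO::ERRMODE_EXCEPTION` is set, a connection or SQL error surfaces as a PDOException rather than a `die()` message; a missing user is the separate, expected path handled by the null return.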