
I am using the following code from a book that is explaining how to do database authentication via PHP; however, I cannot get it to work. I continuously get the login prompt and am never allowed into my application. The only thing I modified is the "realm" and field names in order to match up with my database.

Database configuration and connection scripts are external and not included below but I know they are correct as I have no problem inserting or selecting data from my database.

Also, I know mysql is deprecated but I am working on a quick project that will be upgraded once I have time to learn the newer code. Please for now, respond based on mysql in that respect.

Finally this is a very small personal project and I know there are a lot of security errors...that is why I am learning. For now, I am starting with the basics and just trying to get the code to work and then next I plan to learn sessions, encryption, etc.

Please go easy on me :) Thanks

<?php

require_once 'database_connection.php';

if (!isset($_SERVER['PHP_AUTH_USER']) ||
    !isset($_SERVER['PHP_AUTH_PW'])) {
  header('HTTP/1.1 401 Unauthorized');
  header('WWW-Authenticate: Basic realm="The Social Site"');
  exit("You need a valid username and password to be here. " .
       "Move along, nothing to see.");
}

// Look up the user-provided credentials
$query = sprintf("SELECT user_id, username FROM fbo_users" .
    "WHERE username = '%s' AND " .
    "       password = '%s';",
            mysql_real_escape_string(trim($_SERVER['PHP_AUTH_USER'])),
    mysql_real_escape_string(
        crypt(trim($_SERVER['PHP_AUTH_PW']), 
            $_SERVER['PHP_AUTH_USER'])));

$results = mysql_query($query);

if (mysql_num_rows($results) == 1) {
  $result = mysql_fetch_array($results);
  $current_user_id = $result['user_id'];
  $current_username = $result['username'];
} else {
  header('HTTP/1.1 401 Unauthorized');
  header('WWW-Authenticate: Basic realm="FBOtracker"');
  exit("You need a valid username and password to be here. " .
       "Move along, nothing to see.");
}

?>
    
echo $query and try to run it manually using phpMyAdmin, command line MySQL prompt or similar. Does it work? If it does: inspect your PHP code to find out the issue. If it doesn't: edit your question to include the error message you're getting. –  Amal Murali Mar 21 at 15:36
    
Is the problem with the PHP authentication rather than MySQL? I've never used this method of authentication (10+ years of PHP, and it's new to me), so why not try an HTML form and post variables and see if that fixes the issue? –  fred2 Mar 21 at 15:42
    
Alternatively, is your encrypted username/password encrypted the same way as the data in the database? If it isn't it'll never work. Try echoing your SQL to see if what is being generated is actually what you want. –  fred2 Mar 21 at 15:44
1  
And here I went and changed my name to Fred -ii- after seeing another some time back. How many Freds are there on SO? lol @fred2 –  Fred -ii- Mar 21 at 16:06
    
echo $query doesn't do anything. I am basically stuck inside the if statement. I enter known database credentials and it continues to show the login prompt and doesn't allow access to the page I am protecting. I am using "The Missing Manual" as my learning guide. –  user2740295 Mar 21 at 16:56
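
The comments above suggest checking the generated SQL and whether the stored password was hashed the same way as the submitted one. As an added example (not code from the question or the book), the same Basic-auth lookup can be written so neither problem can hide: a parameterized query with errors raised as exceptions, and `password_verify()` against a `password_hash()` value. It assumes PDO with an in-memory SQLite table standing in for the MySQL `fbo_users` table; the helper names `authenticate()` and `challenge()` and the sample account are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL database; data is constructed.
$db = new PDO('sqlite::memory:');
// Throw on SQL errors so a malformed query cannot pass for "no such user".
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fbo_users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL)');

// Constructed sample account; the stored value is a password_hash() digest.
$ins = $db->prepare('INSERT INTO fbo_users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns the user row on success, null otherwise.
function authenticate(PDO $db, string $user, string $pass): ?array
{
    // Placeholders keep the SQL text fixed: no concatenation, no escaping.
    $stmt = $db->prepare(
        'SELECT user_id, username, password FROM fbo_users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare in PHP with password_verify() rather than in the WHERE clause.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Hypothetical helper: send the Basic-auth challenge with one realm everywhere.
function challenge(): void
{
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="FBOtracker"');
    exit('You need a valid username and password to be here.');
}

// Under the CLI there are no Basic-auth headers, so use the constructed login.
$cli  = PHP_SAPI === 'cli';
$user = $_SERVER['PHP_AUTH_USER'] ?? ($cli ? 'alice' : null);
$pass = $_SERVER['PHP_AUTH_PW']   ?? ($cli ? 'correct horse' : null);
if ($user === null || $pass === null) {
    challenge();
}
$current = authenticate($db, $user, $pass);
if ($current === null) { challenge(); }
echo "Authenticated as {$current['username']} (id {$current['user_id']})\n";
```

With exceptions enabled, a query that fails to parse stops the script with the database error instead of falling through to the 401 branch and re-prompting.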
