Class 8Intro to Databases Authentication and Security Note: What we discuss in class today covers moderate to low security. Before you involve yourself in a project that requires high security – credit card info, social security numbers etc - take a class on database security. It’s becoming more common for sites to keep records of the transactions while offloading payment etc to sites like Paypal, which handle the secure side of the transaction. This approach minimizes risk and cost. That said, what we’re covering today will let you control user access.

Class 8Intro to Databases Authentication and Security HTTP authentication Using PHP scripts to manage user authentication and authorization Using PHP scripts to authenticate users against a database Building session based web database applications to authenticate users SSL – Secure Sockets Layer

Class 8Intro to Databases HTTP authentication HTTP authentication allows you to password protect a directory There are 3 steps 1- Create a access file, which describes which users can access a site. 2- Create a password file, which lists users names and passwords allowed. 3- upload files

Class 8Intro to Databases HTTP authentication 1- Create an access file, which describes which users can access a site. Open the text editor and save a new file called “.htaccess ” ---Basic Format AuthUserFile /full_path/.htpasswd AuthGroupFile /dev/null AuthName “Page Name" AuthType basic require user UserName ---Example AuthUserFile /home/denning/www/ezcontents1_4x/contentdocument/intro_to_db/cl_8/http_pass/.htpasswd AuthGroupFile /dev/null AuthName "Super Secret Page" AuthType basic require user valid-user full_path is the location of the.htpasswd file. This should be outside your normal directories. UserName is the name of users allowed to access the pages. Use valid-user if more than one person can access the directory. Use a specific username, in this case Test, if more only one person can access the directory. There is no group file, so we specify /dev/null (the standard Unix way to say "this file doesn't exist").

Class 8Intro to Databases HTTP authentication 2- Create a password file, which lists users names and passwords allowed. Open the text editor and save a new file called “.htpasswd ” Decide on user name and password name: Test password: Class Generate the password, using a tool that encrypts the password (see link form syllabus to ) ---Basic Format UserName:Password ---Example Test:180TuOLtbRWCU It's crucial that you press enter after each line (the last line should be an empty one, not a line with a password entry in it) and that you upload the file as 'text' or 'ascii'. Also, keep in mind that these lines are case- sensitive; you should enter a capital as a capital and a lower-case character as a lower-case character.

Class 8Intro to Databases HTTP authentication 3- upload files.htpasswd should go to a secure location on your website.htaccess should go in the directory you want to protect NOTE: the “full path” in.htaccess needs to match the location of.htpasswd

Class 8Intro to Databases HTTP authentication Multiple users 1- modify.htpasswd user1 :NgFQ1vnnW/tJk user2 :mWaquohh.OY3w user3 :EMt8amgnyuYD2 Using groups 1- create a file called “.htgroup” (similar to.htpasswd) my-users: user1 user2 user3 modify the.htaccess file in the directory to look like this: AuthUserFile /home/john/.htpasswd AuthGroupFile /home/john/.htgroup AuthName “Johns page” AuthType Basic require group my-users

Class 8Intro to Databases Using PHP scripts to manage user authentication and authorization PHP can access the name and password variables submitted through HTTP authentication "); print(“Hi this is the index "); print("You are: $PHP_AUTH_USER "); print("using password: $PHP_AUTH_PW "); print(" "); ?>

Class 8Intro to Databases Using PHP scripts to authenticate users against a database 1- Creating the table User name must be unique

Class 8Intro to Databases Using PHP scripts to authenticate users against a database 1- Make “password” a key 2- Result

Class 8Intro to Databases Protecting password in the database 1- Built in PHP functions crypt (PHP 3, PHP 4 ) crypt -- One-way string encryption (hashing) Description string crypt ( string str [, string salt]) crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system. Arguments are a string to be encrypted and an optional salt string to base the encryption on. See the Unix man page for your crypt function for more information. If the salt argument is not provided, one will be randomly generated by PHP.

Class 8Intro to Databases Protecting password in the database 1- Logical Flow Testing if the user is logged in "); print("main page of site - authenticated user only"); print(" "); } ?>

Class 8Intro to Databases Protecting password in the database 1- Logical Flow Testing if the user is logged in "); if($action=="register"){ register_new_user($u_username, $u_password); //say hello print ("Welcome to the site"); }elseif($action=="new_user"){ register_form(); }elseif($action=="login"){ $valid_user=login_user($u_username, $u_password); if(!$valid_user){ // show login with error $error="Sorry, that user name and password aren't found"; login_form($error); }else{ //say hello print ("Hi - we're glad you came back"); } }else{ $error=""; login_form($error); } print(" "); ?>

Class 8Intro to Databases Protecting password in the database 1- Creating a new user function register_form(){ print(" Please register Name: Password: "); }

Class 8Intro to Databases Protecting password in the database 1- Creating a new user 2 function register_new_user($u_username, $u_password){ GLOBAL $hostname, $dbUsername, $dbPassword, $dbName, $usersTable; // CRYPT OUR PASSWORD $salt=substr($u_username, 0, 2); $crypted_password=crypt($u_password, $salt); /// INSERT RECORD // open connection to host $link =MYSQL_CONNECT($hostname, $dbUsername, $dbPassword) OR die("error 1 - DB connection failed"); // connect to specific database mysql_select_db($dbName)OR die("error 2 - failure to connect to DB"); // formulate our question $query="INSERT INTO $usersTable (user_name, password) values ('$u_username', '$crypted_password')"; // ask the question $result =mysql_query($query)OR die("error 3 - query failed"); }

Class 8Intro to Databases Protecting password in the database 1- Authenticating an Existing User function login_form($error){ print(" Please Login $error Name: Password: New Users register here "); }

Class 8Intro to Databases Protecting password in the database 1- Authenticating an Existing User 2 function login_user($u_username, $u_password){ GLOBAL $hostname, $dbUsername, $dbPassword, $dbName, $usersTable; // make sure username and password are filled in if(!isset($u_username)||!isset($u_username)){ return false; } // recreate the encrypted password stored on the database $salt=substr($u_username, 0, 2); $crypted_password=crypt($u_password, $salt); // see if we can find the user in the database // open connection to host $link =MYSQL_CONNECT($hostname, $dbUsername, $dbPassword) OR die("error 1 - DB connection failed"); // connect to specific database mysql_select_db($dbName)OR die("error 2 - failure to connect to DB"); // formulate our question $query="SELECT password FROM $usersTable WHERE user_name='$u_username' AND password='$crypted_password'"; // ask the question $result =mysql_query($query)OR die("error 3 - query failed"); // if there's exactly one row we've found the user if(mysql_num_rows($result) !=1){ return false; }else{ return true; } }