
Class 8 Intro to Databases: Authentication and Security (presentation transcript)


1 Class 8 Intro to Databases: Authentication and Security

Note: What we discuss in class today covers moderate to low security. Before you involve yourself in a project that requires high security – credit card info, social security numbers etc. – take a class on database security. It’s becoming more common for sites to keep records of the transactions while offloading payment etc. to sites like PayPal, which handle the secure side of the transaction. This approach minimizes risk and cost. That said, what we’re covering today will let you control user access.

2 Class 8 Intro to Databases: Authentication and Security

- HTTP authentication
- Using PHP scripts to manage user authentication and authorization
- Using PHP scripts to authenticate users against a database
- Building session-based web database applications to authenticate users
- SSL – Secure Sockets Layer

3 HTTP authentication

HTTP authentication allows you to password protect a directory. There are 3 steps:
1- Create an access file, which describes which users can access a site.
2- Create a password file, which lists the user names and passwords allowed.
3- Upload the files.

4 HTTP authentication

1- Create an access file, which describes which users can access a site.
Open the text editor and save a new file called ".htaccess".

---Basic Format
AuthUserFile /full_path/.htpasswd
AuthGroupFile /dev/null
AuthName "Page Name"
AuthType basic
require user UserName

---Example
AuthUserFile /home/denning/www/ezcontents1_4x/contentdocument/intro_to_db/cl_8/http_pass/.htpasswd
AuthGroupFile /dev/null
AuthName "Super Secret Page"
AuthType basic
require valid-user

full_path is the location of the .htpasswd file. This should be outside your normal web directories. UserName is the name of the user allowed to access the pages. Use "require valid-user" if more than one person can access the directory (any user listed in .htpasswd is accepted; note that it is written without the word "user"). Use "require user" with a specific username, in this case Test, if only one person can access the directory. There is no group file, so we specify /dev/null (the standard Unix way to say "this file doesn't exist").

5 HTTP authentication

2- Create a password file, which lists the user names and passwords allowed.
Open the text editor and save a new file called ".htpasswd".
Decide on a user name and password. Name: Test, password: Class.
Generate the password entry using a tool that encrypts (hashes) the password (see the link from the syllabus to http://www.euronet.nl/~arnow/htpasswd/ ).

---Basic Format
UserName:Password

---Example
Test:180TuOLtbRWCU

It's crucial that you press enter after each line (the last line should be an empty one, not a line with a password entry in it) and that you upload the file as 'text' or 'ascii'. Also, keep in mind that these lines are case-sensitive; you should enter a capital as a capital and a lower-case character as a lower-case character.

6 HTTP authentication

3- Upload the files.
.htpasswd should go to a secure location on your website.
.htaccess should go in the directory you want to protect.
NOTE: the "full path" in .htaccess needs to match the location of .htpasswd.

7 HTTP authentication: multiple users

1- Modify .htpasswd:
user1:NgFQ1vnnW/tJk
user2:mWaquohh.OY3w
user3:EMt8amgnyuYD2

Using groups
1- Create a file called ".htgroup" (similar to .htpasswd):
my-users: user1 user2 user3
2- Modify the .htaccess file in the directory to look like this:
AuthUserFile /home/john/.htpasswd
AuthGroupFile /home/john/.htgroup
AuthName "Johns page"
AuthType Basic
require group my-users
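To see how the three files interact, here is an added example (not from the class slides) that re-implements the checks Apache performs with .htpasswd, .htgroup and the require line, so the "require user", "require valid-user" and "require group" variants can be tried offline. The file contents are constructed, with the hashes produced by crypt() at run time rather than copied from the slides; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not the course's own code: a minimal re-implementation of the
// authentication + authorisation Apache does for the .htpasswd/.htgroup/require trio.
$htpasswd = "user1:" . crypt("pw-one", "u1") . "\n"       // constructed sample file
          . "user2:" . crypt("pw-two", "u2") . "\n"
          . "user3:" . crypt("pw-three", "u3") . "\n";
$htgroup  = "my-users: user1 user2\n";                      // user3 deliberately absent

// Both files are "key:value" per line, case-sensitive; blank lines are ignored
function parse_colon_file(string $text): array {
    $out = [];
    foreach (explode("\n", $text) as $line) {
        if (strpos($line, ':') === false) continue;
        [$key, $value] = explode(':', $line, 2);
        $out[trim($key)] = trim($value);
    }
    return $out;
}

// Authentication (AuthType basic): does the name/password pair match .htpasswd?
function authenticate(array $users, string $name, string $password): bool {
    if (!isset($users[$name])) return false;
    // crypt() reads the salt back out of the stored hash; hash_equals() compares
    // in constant time so the match position is not leaked through timing
    return hash_equals($users[$name], crypt($password, $users[$name]));
}

// Authorisation: does the authenticated user satisfy the "require" directive?
function authorise(string $require, array $groups, string $name): bool {
    $parts = preg_split('/\s+/', trim($require));
    array_shift($parts);                       // drop the word "require"
    $kind = array_shift($parts);
    if ($kind === 'valid-user') return true;   // anyone listed in .htpasswd
    if ($kind === 'user')  return in_array($name, $parts, true);
    if ($kind === 'group') {
        foreach ($parts as $g) if (in_array($name, $groups[$g] ?? [], true)) return true;
    }
    return false;
}

$users  = parse_colon_file($htpasswd);
$groups = array_map(fn($members) => preg_split('/\s+/', $members), parse_colon_file($htgroup));
foreach ([["user1", "pw-one"], ["user3", "pw-three"], ["user1", "wrong"]] as [$n, $p]) {
    $ok = authenticate($users, $n, $p) && authorise("require group my-users", $groups, $n);
    printf("%s: %s\n", $n, $ok ? "allowed" : "denied");
}
```

Note that a line reading "require user valid-user" is parsed here, as by Apache, as a user literally named valid-user; the directive that admits everyone in .htpasswd is "require valid-user". The crypt() check covers only the DES-style entries shown on the slides; Apache's own htpasswd tool writes MD5 or bcrypt entries by default.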

8 Using PHP scripts to manage user authentication and authorization

PHP can access the name and password variables submitted through HTTP authentication:

<?php
// The HTML tags inside the original print() calls did not survive extraction and are
// restored minimally here. The slide used the register_globals names $PHP_AUTH_USER
// and $PHP_AUTH_PW; current PHP exposes the same values through $_SERVER.
print("<html><body>");
print("Hi this is the index<br>");
print("You are: " . $_SERVER['PHP_AUTH_USER'] . "<br>");
// echoing the password back to the browser is for classroom demonstration only
print("using password: " . $_SERVER['PHP_AUTH_PW'] . "<br>");
print("</body></html>");
?>

9 Using PHP scripts to authenticate users against a database

1- Creating the table. The user name must be unique.

10 Using PHP scripts to authenticate users against a database

1- Make "password" a key
2- Result

11 Protecting passwords in the database

1- Built-in PHP functions

crypt (PHP 3, PHP 4)
crypt -- One-way string encryption (hashing)

Description
string crypt ( string str [, string salt] )

crypt() will return an encrypted string using the standard Unix DES-based encryption algorithm or alternative algorithms that may be available on the system. Arguments are a string to be encrypted and an optional salt string to base the encryption on. See the Unix man page for your crypt function for more information. If the salt argument is not provided, one will be randomly generated by PHP.

12 Protecting passwords in the database

1- Logical flow: testing if the user is logged in

<?php
// Only the tail of this script survived extraction; it is assumed to follow a call
// such as $valid_user = login_user($u_username, $u_password) (see slide 17).
if ($valid_user) {
    print("<html><body>");
    print("main page of site - authenticated user only");
    print("</body></html>");
}
?>

13 Protecting passwords in the database

1- Logical flow: testing if the user is logged in

<?php
// $action, $u_username and $u_password were register_globals form variables on the
// slide; here they are read from the request (field names assumed, matching the
// register and login forms on slides 14 and 16)
$action     = $_REQUEST['action']     ?? '';
$u_username = $_REQUEST['u_username'] ?? '';
$u_password = $_REQUEST['u_password'] ?? '';
print("<html><body>");
if ($action == "register") {
    register_new_user($u_username, $u_password);
    // say hello
    print("Welcome to the site");
} elseif ($action == "new_user") {
    register_form();
} elseif ($action == "login") {
    $valid_user = login_user($u_username, $u_password);
    if (!$valid_user) {
        // show login with error
        $error = "Sorry, that user name and password aren't found";
        login_form($error);
    } else {
        // say hello
        print("Hi - we're glad you came back");
    }
} else {
    $error = "";
    login_form($error);
}
print("</body></html>");
?>

14 Protecting passwords in the database

1- Creating a new user

function register_form() {
    // the form tags were stripped in extraction; the markup below is assumed, with
    // the field names the dispatcher on slide 13 reads
    print("<h2>Please register</h2>");
    print("<form method=\"post\">");
    print("<input type=\"hidden\" name=\"action\" value=\"register\">");
    print("Name: <input type=\"text\" name=\"u_username\"><br>");
    print("Password: <input type=\"password\" name=\"u_password\"><br>");
    print("<input type=\"submit\" value=\"Register\">");
    print("</form>");
}

15 Protecting passwords in the database

1- Creating a new user (2)

// NOTE: the mysql_* extension used on these slides was removed in PHP 7;
// this code runs as written on PHP 5 only.
function register_new_user($u_username, $u_password) {
    GLOBAL $hostname, $dbUsername, $dbPassword, $dbName, $usersTable;
    // CRYPT OUR PASSWORD
    // the first two characters of the user name serve as the DES salt, so the salt
    // is predictable, and DES crypt() only looks at the first 8 password characters
    $salt = substr($u_username, 0, 2);
    $crypted_password = crypt($u_password, $salt);
    /// INSERT RECORD
    // open connection to host
    $link = mysql_connect($hostname, $dbUsername, $dbPassword) OR die("error 1 - DB connection failed");
    // connect to specific database
    mysql_select_db($dbName, $link) OR die("error 2 - failure to connect to DB");
    // escape both values so quote characters in the input cannot alter the query
    $u_username = mysql_real_escape_string($u_username, $link);
    $crypted_password = mysql_real_escape_string($crypted_password, $link);
    // formulate our question
    $query = "INSERT INTO $usersTable (user_name, password) VALUES ('$u_username', '$crypted_password')";
    // ask the question
    $result = mysql_query($query, $link) OR die("error 3 - query failed");
}

16 Protecting passwords in the database

1- Authenticating an existing user

function login_form($error) {
    // the form tags were stripped in extraction; the markup below is assumed, with
    // the field names and action values the dispatcher on slide 13 reads
    print("<h2>Please Login</h2>");
    print("<p>$error</p>");
    print("<form method=\"post\">");
    print("<input type=\"hidden\" name=\"action\" value=\"login\">");
    print("Name: <input type=\"text\" name=\"u_username\"><br>");
    print("Password: <input type=\"password\" name=\"u_password\"><br>");
    print("<input type=\"submit\" value=\"Login\">");
    print("</form>");
    print("<a href=\"?action=new_user\">New Users register here</a>");
}

17 Protecting passwords in the database

1- Authenticating an existing user (2)

function login_user($u_username, $u_password) {
    GLOBAL $hostname, $dbUsername, $dbPassword, $dbName, $usersTable;
    // make sure username and password are filled in
    // (the slide tested $u_username twice; the second test is meant for the password)
    if (empty($u_username) || empty($u_password)) {
        return false;
    }
    // recreate the encrypted password stored in the database
    $salt = substr($u_username, 0, 2);
    $crypted_password = crypt($u_password, $salt);
    // see if we can find the user in the database
    // open connection to host
    $link = mysql_connect($hostname, $dbUsername, $dbPassword) OR die("error 1 - DB connection failed");
    // connect to specific database
    mysql_select_db($dbName, $link) OR die("error 2 - failure to connect to DB");
    // escape both values so quote characters in the input cannot alter the query
    $u_username = mysql_real_escape_string($u_username, $link);
    $crypted_password = mysql_real_escape_string($crypted_password, $link);
    // formulate our question
    $query = "SELECT password FROM $usersTable WHERE user_name='$u_username' AND password='$crypted_password'";
    // ask the question
    $result = mysql_query($query, $link) OR die("error 3 - query failed");
    // if there's exactly one row we've found the user
    if (mysql_num_rows($result) != 1) {
        return false;
    } else {
        return true;
    }
}
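The register/login pair on slides 15 and 17 builds its SQL by string interpolation and hashes passwords with a two-character DES salt taken from the user name. Here is the same pair as an added example (not the course's own code), rewritten with prepared statements and PHP's password_hash()/password_verify(); it assumes the pdo_sqlite extension and uses an in-memory SQLite table named "users" in place of $usersTable so it runs without a MySQL server.

```php
<?php
// Added example, not from the class slides: register_new_user() and login_user()
// with bound parameters and salted bcrypt hashes. Assumes pdo_sqlite is available.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // user_name must be unique, as slide 9 requires of the users table
    $db->exec("CREATE TABLE users (user_name TEXT PRIMARY KEY, password TEXT NOT NULL)");
    return $db;
}

function register_new_user(PDO $db, string $u_username, string $u_password): bool {
    // bcrypt with a random per-user salt replaces crypt($pw, substr($user, 0, 2)),
    // whose salt is guessable and whose DES algorithm ignores the 9th character onward
    $hash = password_hash($u_password, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO users (user_name, password) VALUES (:u, :p)");
    try {
        return $stmt->execute([':u' => $u_username, ':p' => $hash]);
    } catch (PDOException $e) {
        return false;                          // name already taken (PRIMARY KEY)
    }
}

function login_user(PDO $db, string $u_username, string $u_password): bool {
    if ($u_username === '' || $u_password === '') return false;
    // Bound parameters keep quote characters in the input from altering the SQL,
    // and the password is checked in PHP rather than in the WHERE clause
    $stmt = $db->prepare("SELECT password FROM users WHERE user_name = :u");
    $stmt->execute([':u' => $u_username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // verify against a throwaway hash so unknown names take as long as bad passwords
        password_verify($u_password, password_hash('x', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($u_password, $row['password']);
}

$db = open_db();
var_dump(register_new_user($db, "Test", "Class"));   // first registration
var_dump(register_new_user($db, "Test", "Other"));   // duplicate user name is refused
var_dump(login_user($db, "Test", "Class"));          // correct password
var_dump(login_user($db, "Test", "class"));          // passwords are case-sensitive
```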

