Dynamic authentication

A far better method to authenticate users is to compare their credentials to a members database table. By storing all your data in a database, you can easily add, edit, and revoke access permissions using PHP pages and a little SQL.

Execute this query at your MySQL prompt to create the table necessary to store our authentication details:

CREATE TABLE userauth (ID INT NOT NULL AUTO_INCREMENT PRIMARY KEY, Username VARCHAR(30), Password VARCHAR(30));

Even if you skipped the chapter on databases, you should be able to make out that the above command will create a table named "userauth" which contains three data fields in each row - an ID integer, a variable length character field "Username", and a variable length character field "Password" - just enough information to authenticate users. The ID is there to identify rows uniquely; we can refer to an authenticated user as a number, rather than as a user and password.

To allow users to add themselves to the authentication list, create a new file, addauth.php, and enter the following code:

<html>
<body>
<?php
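    // Require both fields before touching the database
    if (isset($_POST['username'], $_POST['password'])) {
        $db = mysqli_connect("localhost", "phpuser", "alm65z", "phpdb");
        // Escape both values before placing them inside the SQL string
        $username = mysqli_real_escape_string($db, $_POST['username']);
        $password = mysqli_real_escape_string($db, $_POST['password']);
        mysqli_query($db, "INSERT INTO userauth (Username, Password) VALUES ('$username', '$password');");
        // Escape for HTML output so the submitted name cannot inject markup into the page
        print "Welcome to the system, " . htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8') . "!";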
    } else {
?>
<form method="post" action="addauth.php">
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value=" Add User ">
</form>

<?php }
?>
</body>
</html>

Note that I am using the database "phpdb". You may need to create this - use "create database phpdb;" from the MySQL command prompt.

With a call to mysqli_query() near the top of the script, the new username and password are inserted into our table and a short confirmation message is sent back to the client.

Try running the script just by itself - you can monitor changes to your userauth database table from the MySQL command line by using this command:

SELECT * FROM userauth;

Now that users can be dynamically added using addauth.php, let's modify our original auth.php script to check input against what we have in our database.

// amend the following line
if (($_SERVER['PHP_AUTH_USER'] == 'paul') && ($_SERVER['PHP_AUTH_PW'] == 'hudson')) {
// to this...
$db = mysqli_connect("localhost", "phpuser", "alm65z", "phpdb");
$username = mysqli_real_escape_string($db, $_SERVER['PHP_AUTH_USER']);
$password = mysqli_real_escape_string($db, $_SERVER['PHP_AUTH_PW']);
$result = mysqli_query($db, "SELECT ID FROM userauth WHERE Username = '$username' AND Password = '$password';");

// deny access if the query itself failed ($result is false)
if ($result && mysqli_num_rows($result)) {

Rather than comparing the username and password to prewritten values, we now check whether they are found in our userauth table. If mysqli_num_rows($result) returns a count of one or more, it means we have at least one member with the credentials provided, so we should allow them access.
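The userauth table above stores each password exactly as typed, so anyone who can read the table can read every password. The following added example (not code from the original page) shows the same add and check steps using password_hash(), password_verify() and prepared statements; it assumes an in-memory SQLite database through PDO in place of MySQL, and add_user() and check_user() are hypothetical helper names.

```php
<?php
// Added example, not from the original page. Assumption: an in-memory SQLite
// database through PDO stands in for the page's MySQL "phpdb".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Password is widened: password_hash() output does not fit in VARCHAR(30).
$db->exec('CREATE TABLE userauth (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    Username VARCHAR(30) UNIQUE,
    Password VARCHAR(255))');

// Hypothetical helper: store a salted hash instead of the password itself.
function add_user(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO userauth (Username, Password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: return the matching row's ID, or null on any failure.
function check_user(PDO $db, string $username, string $password): ?int
{
    // Look up by username only; the hash is salted, so it cannot be
    // matched with "AND Password = ..." in the WHERE clause.
    $stmt = $db->prepare('SELECT ID, Password FROM userauth WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown username
    }
    return password_verify($password, $row['Password']) ? (int) $row['ID'] : null;
}

// Constructed sample data, reusing the name and password from auth.php.
add_user($db, 'paul', 'hudson');
var_dump(check_user($db, 'paul', 'hudson'));   // correct password
var_dump(check_user($db, 'paul', 'wrong'));    // wrong password
var_dump(check_user($db, 'nobody', 'hudson')); // unknown user

// The stored value is a hash string, not the password.
var_dump($db->query('SELECT Password FROM userauth')->fetchColumn() !== 'hudson');
```

With MySQL the same pattern applies through mysqli_prepare(), provided the Password column is widened to hold the hash.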

 


Copyright ©2015 Paul Hudson. Follow me: @twostraws.