This is a discussion on "How to set the username/password when using http authentication?" within the alt.comp.lang.php forums, part of the PHP Programming Forums category.
Hi all,

I'm working on a Joomla installation with various components, and one
of them needs to have one page (with an entry form) password
protected. (Joomla caters for protection of the entire component, but
that's not what I want)

I found this code on php.net:

<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
?>

And it does indeed work if I use it on the page with the form, in the
sense that a login thingy pops up.
What I don't know though, is how I set the username and password to
check against, so that I can give some people permission to see that
form.

Probably something really simple, but I don't see it...

If possible, I'd like it to check against usernames that are already
in the database, and which have certain rights, but I'm happy already
if I can just set any username/password.

--
Els
http://locusmeus.com/
Els <els.aNOSPAM@tiscali.nl> wrote:
> Hi all,
>
> I'm working on a Joomla installation with various components, and one
> of them needs to have one page (with an entry form) password
> protected. (Joomla caters for protection of the entire component, but
> that's not what I want)
>
> I found this code on php.net:
>
> <?php
> if (!isset($_SERVER['PHP_AUTH_USER'])) {
>     header('WWW-Authenticate: Basic realm="My Realm"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo 'Text to send if user hits Cancel button';
>     exit;
> } else {
>     echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
>     echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
> }
> ?>
>
> And it does indeed work if I use it on the page with the form, in the
> sense that a login thingy pops up.
> What I don't know though, is how I set the username and password to
> check against, so that I can give some people permission to see that
> form.
>
> Probably something really simple, but I don't see it...
>
> If possible, I'd like it to check against usernames that are already
> in the database, and which have certain rights, but I'm happy already
> if I can just set any username/password.

Well, just check them against the database (mysql?):

<?php
$verified = false;
if(isset($_SERVER['PHP_AUTH_USER'])){
    $user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
    $result = mysql_query("SELECT `passwd` FROM `tablename` WHERE `user` = '$user'");
    if(mysql_num_rows($result) == 1){
        $row = mysql_fetch_assoc($result);
        if($row['passwd']==$_SERVER['PHP_AUTH_PW']) $verified = true;
    }
}
if(!$verified){
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}
?>

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Rik wrote:
> Els <els.aNOSPAM@tiscali.nl> wrote:
>
[using http authentication to protect one page of a cms component]
>> What I don't know though, is how I set the username and password to
>> check against, so that I can give some people permission to see that
>> form.
>>
>> Probably something really simple, but I don't see it...
>>
>> If possible, I'd like it to check against usernames that are already
>> in the database, and which have certain rights, but I'm happy already
>> if I can just set any username/password.
>
> Well, just check them against the database (mysql?):
>
> <?php
> $verified = false;
> if(isset($_SERVER['PHP_AUTH_USER'])){
>     $user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
>     $result = mysql_query("SELECT `passwd` FROM `tablename` WHERE `user` = '$user'");
>     if(mysql_num_rows($result) == 1){
>         $row = mysql_fetch_assoc($result);
>         if($row['passwd']==$_SERVER['PHP_AUTH_PW']) $verified = true;
>     }
> }
> if(!$verified){
>     header('WWW-Authenticate: Basic realm="My Realm"');
>     header('HTTP/1.0 401 Unauthorized');
>     echo 'Text to send if user hits Cancel button';
>     exit;
> }
> ?>

I can't seem to get that one to work.
The passwords in the database are encoded though, would that cause the trouble?

--
Els
http://locusmeus.com/
Now playing: Mr. Big - 30 Days In The Hole
Els <els.aNOSPAM@tiscali.nl> wrote:
> Rik wrote:
>> Els <els.aNOSPAM@tiscali.nl> wrote:
>>
> [using http authentication to protect one page of a cms component]
>>> If possible, I'd like it to check against usernames that are already
>>> in the database, and which have certain rights, but I'm happy already
>>> if I can just set any username/password.
>>
>> Well, just check them against the database (mysql?):
>>
>> <?php
>> $verified = false;
>> if(isset($_SERVER['PHP_AUTH_USER'])){
>>     $user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
>>     $result = mysql_query("SELECT `passwd` FROM `tablename` WHERE `user` = '$user'");
>>     if(mysql_num_rows($result) == 1){
>>         $row = mysql_fetch_assoc($result);
>>         if($row['passwd']==$_SERVER['PHP_AUTH_PW']) $verified = true;
>>     }
>> }
>> if(!$verified){
>>     header('WWW-Authenticate: Basic realm="My Realm"');
>>     header('HTTP/1.0 401 Unauthorized');
>>     echo 'Text to send if user hits Cancel button';
>>     exit;
>> }
>> ?>
>
> I can't seem to get that one to work.
> The passwords in the database are encoded though, would that cause the
> trouble?

Indeed, you'd have to use similar encoding on $_SERVER['PHP_AUTH_PW']. There are various functions and encodings available to you; you'll have to know which is used. (Often just md5 or sha1.)

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Rik wrote:
> Els <els.aNOSPAM@tiscali.nl> wrote:
>> Rik wrote:
>>> Els <els.aNOSPAM@tiscali.nl> wrote:
>>>
>> [using http authentication to protect one page of a cms component]
>>>> If possible, I'd like it to check against usernames that are already
>>>> in the database, and which have certain rights, but I'm happy already
>>>> if I can just set any username/password.
>>>
>>> Well, just check them against the database (mysql?):
>>>
>>> <?php
>>> $verified = false;
>>> if(isset($_SERVER['PHP_AUTH_USER'])){
>>>     $user = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
>>>     $result = mysql_query("SELECT `passwd` FROM `tablename` WHERE `user` = '$user'");
>>>     if(mysql_num_rows($result) == 1){
>>>         $row = mysql_fetch_assoc($result);
>>>         if($row['passwd']==$_SERVER['PHP_AUTH_PW']) $verified = true;
>>>     }
>>> }
>>> if(!$verified){
>>>     header('WWW-Authenticate: Basic realm="My Realm"');
>>>     header('HTTP/1.0 401 Unauthorized');
>>>     echo 'Text to send if user hits Cancel button';
>>>     exit;
>>> }
>>> ?>
>>
>> I can't seem to get that one to work.
>> The passwords in the database are encoded though, would that cause the
>> trouble?
>
> Indeed, you'd have to use similar encoding on $_SERVER['PHP_AUTH_PW']. There
> are various functions and encodings available to you; you'll have to know
> which is used. (Often just md5 or sha1.)

It's md5 indeed, but I have no idea how to incorporate that in the above piece of script..

--
Els
http://locusmeus.com/
Now playing: Mr. Big - 30 Days In The Hole
Els <els.aNOSPAM@tiscali.nl> wrote:
> Rik wrote:
>> Els <els.aNOSPAM@tiscali.nl> wrote:
>>> I can't seem to get that one to work.
>>> The passwords in the database are encoded though, would that cause the
>>> trouble?
>>
>> Indeed, you'd have to use similar encoding on $_SERVER['PHP_AUTH_PW']. There
>> are various functions and encodings available to you; you'll have to know
>> which is used. (Often just md5 or sha1.)
>
> It's md5 indeed, but I have no idea how to incorporate that in the
> above piece of script..

Change:
>>>> if($row['passwd']==$_SERVER['PHP_AUTH_PW']) $verified = true;
To:
if($row['passwd']==md5($_SERVER['PHP_AUTH_PW'])) $verified = true;

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Rik wrote:
> Change:
>>>>> if($row['passwd']==$_SERVER['PHP_AUTH_PW']) $verified = true;
> To:
> if($row['passwd']==md5($_SERVER['PHP_AUTH_PW'])) $verified = true;

Still won't work.
It's most likely something I'm doing wrong, like where in the script I place the lot, but I can't figure out what it is.
Thanks for your help anyway, I'll keep the code so I may use it if I need to do the same thing some time outside Joomla.

--
Els
http://locusmeus.com/
Els <els.aNOSPAM@tiscali.nl> wrote:
> Rik wrote:
>
>> Change:
>>>>>> if($row['passwd']==$_SERVER['PHP_AUTH_PW']) $verified = true;
>> To:
>> if($row['passwd']==md5($_SERVER['PHP_AUTH_PW'])) $verified = true;
>
> Still won't work.
> It's most likely something I'm doing wrong, like where in the script I
> place the lot, but I can't figure out what it is.
> Thanks for your help anyway, I'll keep the code so I may use it if I
> need to do the same thing some time outside Joomla.

If it doesn't work:

1. Enable error_reporting if it isn't on already
(ini_set('display_errors',true);error_reporting(E_ALL);

2. var_dump() the variables you are using in strategic places, to check whether they contain what you think they should. For instance, right before the above line you could use
var_dump($row['passwd'],$_SERVER['PHP_AUTH_PW'],md5($_SERVER['PHP_AUTH_PW']));

Keep in mind that for headers to work, they have to be sent before any other output. Seems to go OK if you get a prompt for a username & password though.

On a side note: you do know I made the table- and fieldnames up, as I have no idea how they're called in Joomla?

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
Rik wrote:
> Els <els.aNOSPAM@tiscali.nl> wrote:
>
>> Rik wrote:
>>
>>> Change:
>>>>>>> if($row['passwd']==$_SERVER['PHP_AUTH_PW']) $verified = true;
>>> To:
>>> if($row['passwd']==md5($_SERVER['PHP_AUTH_PW'])) $verified = true;
>>
>> Still won't work.
>> It's most likely something I'm doing wrong, like where in the script I
>> place the lot, but I can't figure out what it is.
>> Thanks for your help anyway, I'll keep the code so I may use it if I
>> need to do the same thing some time outside Joomla.
>
> If it doesn't work:
>
> 1. Enable error_reporting if it isn't on already
> (ini_set('display_errors',true);error_reporting(E_ALL);
>
> 2. var_dump() the variables you are using in strategic places, to check
> whether they contain what you think they should. For instance, right before
> the above line you could use
> var_dump($row['passwd'],$_SERVER['PHP_AUTH_PW'],md5($_SERVER['PHP_AUTH_PW']));

I have no idea where I can put those two lines, as any place I tried so far gives me an unexpected ';' for the display_errors line.

I then used the var_dump line by itself, but of course, if I put it in the 'not verified' part, it will display only if I press Cancel. The output then gives NULL NULL string(32) "[my md5 password strong]", but I think that doesn't mean much, because of the Cancel button.

> Keep in mind that for headers to work, they have to be sent before any
> other output.

That was my first thought too, but since it is not a clean cut one page php script, there is no place I can pinpoint as 'before any other output'.

> Seems to go OK if you get a prompt for a username & password
> though.

Yes, but that's all I get...

For now, I'll have to dismiss this mission as too complicated for me.
Thanks again for your help, but I'll have to find different ways to go about what I need to accomplish.

> On a side note: you do know I made the table- and fieldnames up, as I have
> no idea how they're called in Joomla?

Yes :-)

--
Els
http://locusmeus.com/
Now playing: Live - [Untitled]
Els <els.aNOSPAM@tiscali.nl> wrote:
>> If it doesn't work:
>>
>> 1. Enable error_reporting if it isn't on already
>> (ini_set('display_errors',true);error_reporting(E_ALL);
> I have no idea where I can put those two lines, as any place I tried
> so far gives me an unexpected ';' for the display_errors line.

Don't add the first '(' :-)
So, literally:
ini_set('display_errors',true);
error_reporting(E_ALL);

>> 2. var_dump() the variables you are using in strategic places, to check
>> whether they contain what you think they should. For instance, right before
>> the above line you could use
>> var_dump($row['passwd'],$_SERVER['PHP_AUTH_PW'],md5($_SERVER['PHP_AUTH_PW']));
>
> I then used the var_dump line by itself, but of course, if I put it in
> the 'not verified' part, it will display only if I press Cancel. The
> output then gives NULL NULL string(32) "[my md5 password strong]", but
> I think that doesn't mean much, because of the Cancel button.

Well, you add it exactly before checking whether $row['passwd'] == md5($_SERVER['PHP_AUTH_PW'])

> For now, I'll have to dismiss this mission as too complicated for me.
> Thanks again for your help, but I'll have to find different ways to go
> about what I need to accomplish.

Well, working within other unknown code as a beginner can be very, very tricky. If you still feel like it, you might want to try it in a separate file first. Just have 1 preset username & password, check if you can get that to work, and only then try to expand & add it in Joomla.

>> On a side note: you do know I made the table- and fieldnames up, as I have
>> no idea how they're called in Joomla?
>
> Yes :-)

Good, just checking ;)

--
Rik Wasmus
Posted on Usenet, not any forum you might see this in.
Ask Smart Questions: http://tinyurl.com/anel
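
The stand-alone test file suggested at the end of the thread (one preset username and password, tried outside Joomla first), as an added example; it is not code from any post in the thread or from Joomla. Assumptions: the `users` table, its `user`/`passwd` columns and the `demo` account are constructed, an in-memory SQLite database stands in for the site's MySQL database, and the stored value is a `password_hash()` hash checked with `password_verify()` rather than the md5 value mentioned in the thread.

```php
<?php
// Added example: single-file HTTP Basic check, meant to be tried on its own.
// Constructed data: an in-memory SQLite table stands in for the real user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, passwd TEXT NOT NULL)');
$db->prepare('INSERT INTO users (user, passwd) VALUES (?, ?)')
   ->execute(['demo', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);

/** Returns true only when the Basic credentials in $server match a stored hash. */
function basic_auth_ok(PDO $db, array $server): bool
{
    // PHP fills these two keys from the Authorization header; both are absent
    // on the first request and when the user presses Cancel.
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false;
    }
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT passwd FROM users WHERE user = ?');
    $stmt->execute([$server['PHP_AUTH_USER']]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false for an unknown user.
    return is_string($hash) && password_verify($server['PHP_AUTH_PW'], $hash);
}

// Headers must go out before any other output, so the check runs first.
if (!basic_auth_ok($db, $_SERVER)) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
}

// Escape the user name before echoing it back into HTML.
echo '<p>Hello ' . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8') . '.</p>';
```

Basic credentials are sent base64-encoded with every request, so serve the protected page over HTTPS.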