About the Author

Harry Fuecks

Harry has been working in corporate IT since 1994, with everything from start-ups to Fortune 100 companies. Outside of office hours he runs phpPatterns: a site dedicated to software design with PHP that aims to raise standards of PHP development. He also maintains Dynamically Typed: SitePoint's PHP blog.

The PHP Anthology Volume 2, Chapter 1 - Access Control

By Harry Fuecks

February 2nd, 2004

One of the side effects of building your site with PHP, as opposed to plain HTML, is that you'll be building dynamic Web applications rather than static Web pages. Your site will let you "do" things that weren't possible with plain HTML. But how can you ensure that only you, or those to whom you give permission, are able to "do things," and prevent the Internet's raging hordes from running riot on your site?

In this chapter, we'll be looking at the mechanisms you can employ with PHP to build authentication systems and control access to the parts of your site you regard as private.

One word of warning before I go any further: any system you build that involves the transfer of data from a Web page over the Internet will send that information in clear text by default. (Web servers that require Secure Sockets Layer (SSL) connections will safely encrypt the data during transit; this is the best way to protect sensitive data in today's Web applications.) What this means is that if someone is "listening in" on the network between the client's Web browser and the Web server, which is possible using a tool known as a packet sniffer, they will be able to read the user name and password sent via your form. The chances of this happening are fairly small, as typically only trusted organizations like ISPs have the access required to intercept packets. However, there is still a risk, and it's one you should take seriously.

In addition to strategies for building access control systems for your site, in this chapter you'll find plenty of references to useful information (there are more in Appendix C, Security Checklist). I can't stress enough the importance of a little healthy paranoia in building Web-based applications. The SitePoint Forums frequently receive visits from would-be Website developers who got their fingers burned when it came to site security.

This chapter requires the following MySQL tables, in addition to the user table from Chapter 9, Web Page Elements. Note that you'll find the SQL code to create all of these, along with sample data, in the code archive in the sql/ directory.

First, you'll need a table for storing temporary sign up information:

CREATE TABLE signup (
 signup_id    INT(11)     NOT NULL AUTO_INCREMENT,
 login        VARCHAR(50) NOT NULL DEFAULT '',
 password     VARCHAR(50) NOT NULL DEFAULT '',
 email        VARCHAR(50) DEFAULT NULL,
 firstName    VARCHAR(50) DEFAULT NULL,
 lastName     VARCHAR(50) DEFAULT NULL,
 signature    TEXT        NOT NULL,
 confirm_code VARCHAR(40) NOT NULL DEFAULT '',
 created      INT(11)     NOT NULL DEFAULT '0',
 PRIMARY KEY (signup_id),
 UNIQUE KEY confirm_code (confirm_code),
 UNIQUE KEY user_login (login),
 UNIQUE KEY email (email)
);

You'll need a table for storing groups (Note that I've called this table collection. The name "group" would cause problems, as GROUP is a keyword in SELECT query syntax):

CREATE TABLE collection (
 collection_id INT(11)     NOT NULL AUTO_INCREMENT,
 name          VARCHAR(50) NOT NULL DEFAULT '',
 description   TEXT        NOT NULL,
 PRIMARY KEY (collection_id)
);

Next, there's a lookup table between users and groups:

CREATE TABLE user2collection (
 user_id       INT(11)     NOT NULL DEFAULT '0',
 collection_id INT(11)     NOT NULL DEFAULT '0',
 PRIMARY KEY (user_id, collection_id)
);

Don't forget this table for storing permissions:

CREATE TABLE permission (
 permission_id INT(11)     NOT NULL AUTO_INCREMENT,
 name          VARCHAR(50) NOT NULL DEFAULT '',
 description   TEXT        NOT NULL,
 PRIMARY KEY (permission_id)
);

And finally, you'll need this lookup table between groups and permissions:

CREATE TABLE collection2permission (
 collection_id INT(11)     NOT NULL DEFAULT '0',
 permission_id INT(11)     NOT NULL DEFAULT '0',
 PRIMARY KEY (collection_id, permission_id)
);

How do I use HTTP authentication with PHP?

Hypertext Transfer Protocol (HTTP) defines its own authentication mechanisms, namely "Basic" and "Digest" authentication, which are defined in the PHP Manual.

Heads Up

The first thing to understand is what actually happens when your browser sends a request to a Web server to give it a Web page. HTTP is the protocol for communication between a browser and a Web server. When your Web browser sends a request to a Web server, it uses an HTTP request to tell the server which page it wants. The server then replies with an HTTP response that describes the type and characteristics of the document being sent, then delivers the document itself.

For example, a client might send the following request to a server:

GET /subcat/98 HTTP/1.1
Host: www.sitepoint.com

Here's what it might get back from the server:

HTTP/1.1 200 OK
Date: Tue, 25 Feb 2003 15:18:24 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.1
X-Powered-By: PHP/4.3.1
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>SitePoint : Empowering Web Developers Since 1997</title>

Don't believe me? Try it for yourself:

Example 1.1. 1.php

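<?php
// Connect to sitepoint.com on the standard HTTP port (10 second timeout)
$fp = fsockopen('www.sitepoint.com', 80, $errno, $errstr, 10);
if (!$fp) {
 die('Connection failed: ' . htmlspecialchars("$errstr ($errno)"));
}

// Send the request; "Connection: close" tells the server to end the
// connection after the response, so the read loop below terminates
fputs($fp,
 "GET /subcat/98 HTTP/1.1\r\nHost: www.sitepoint.com\r\n" .
 "Connection: close\r\n\r\n");

// Fetch the response
$response = '';
while (!feof($fp)) {
 $response .= fgets($fp, 128);
}
fclose($fp);

// Convert HTML to entities
$response = htmlspecialchars($response);

// Display the response
echo nl2br($response);
?>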

Authentication headers are additional headers used by a server to instruct the browser that it must send a valid user name and password in order to view the page.
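
To make the header exchange concrete, here is an added example (not code from the original chapter) of a PHP page that issues a Basic authentication challenge and checks the credentials the browser sends back. The realm name, the user "alice" and the password are constructed sample values, and credentialsValid() is a hypothetical helper.

```php
<?php
// Added example: HTTP Basic authentication challenge and check.
// The realm, user name and password are constructed sample values.
//
// Exchange on the wire:
//   server -> HTTP/1.1 401 Unauthorized
//             WWW-Authenticate: Basic realm="Private Area"
//   client -> Authorization: Basic <base64 of "user:password">
// Base64 is an encoding, not encryption, so serve this only over SSL/TLS.

// Constructed credential store: user name => password hash.
// A real application would load stored hashes rather than hash per request.
$users = [
    'alice' => password_hash('sample-password-only', PASSWORD_DEFAULT),
];

// Return true only when the user exists and the password matches its hash.
function credentialsValid(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

// PHP fills these from the Authorization header when the Web server
// passes it through; they are unset on the first, unauthenticated request.
$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!credentialsValid($users, $user, $pass)) {
    // The challenge: the browser shows its login dialog and retries
    header('WWW-Authenticate: Basic realm="Private Area"');
    http_response_code(401);
    exit('Authentication required.');
}

echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Because the browser resends the Authorization header with every request to the realm, the credentials cross the network each time, which is why the clear-text warning earlier in this chapter applies to every page protected this way.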
