260 likes | 267 Views
IT420: Database Management and Organization. Authentication 22 March 2006 Adina Crainiceanu www.cs.usna.edu/~adina. Goals Today. Passwords Session control. DBMS. API. HTTP. Client browser. Web server with PHP enabled. Web Database Architecture. Check the User Input.
E N D
IT420: Database Management and Organization Authentication 22 March 2006 Adina Crainiceanu www.cs.usna.edu/~adina
Goals Today • Passwords • Session control
DBMS API HTTP Client browser Web server with PHP enabled Web Database Architecture
Check the User Input • bool isset (variableName) • True if variableName is an existing variable with not null value • bool empty (variableName) • True if variableName is undefined, empty array, empty string, FALSE, or 0 • Example: • if (!isset($_POST[‘searchterm’]) || empty($_POST[‘searchterm’])) echo ‘No search keyword entered. Try again!’;
String Manipulation Functions • string strip_tags(string stringVar [,string allowableTags]) • Strips HTML and PHP tags from stringVar • Example: • $inputStr = ‘<script> alert(“hi”); </script>’; • Should not store this in the db! • echo strip_tags($inputStr); //result: alert(“hi”);
Escaping Special Characters • Special characters for db: • Single quote ‘ • Double quotes “ Example: • insert into mytable(rowID, comment) values(1,’some comment’); • Want: rowID = 1, comment = I’m here • insert into mytable(rowID, comment) values(1,’I’m here’);? • string addslashes (string someString) • Add slash before special characters • string stripslashes (string someString) • Remove slashes • Example: • echo addslashes(“Let’s see”); //result: Let\’s see
Authentication • Want: Allow access to a web page only to some users • Solution: Ask for user authentication • log in
Class Exercise • Write a PHP script: • If no login info given, ask for login information • If username = ‘user’ and password = ‘pass’, • display protected content • Else, display error message
Problems with the code • One user-name and password hard-coded • Password stored as plain text • Protection for only one page • Password transmitted as plain text
Storing Users and Passwords • In a file on the server • In a database • Users(Username, Password) • How do we test that user information matches the information in the database? • SELECT count(*) FROM Users WHERE Username = $name AND Password = $password
Encrypting Passwords • DO NOT store passwords as plain text! • Use one-way hash functions • string sha1(string str) • Example: sha1(‘pass’) == ‘9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684 ’ • Deterministic output! • Given same string, sha1 returns the same result every time
Example Using Encrypted Password • Instead of if ($name == ‘user’ && $pass == ‘password’){ //OK, passwords match } • Use if ($name == ‘user’ && sha1($pass) == ‘9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684’ ){ //OK, passwords match }
Problems with the code • One user-name and password hard-coded • Password stored as plain text • Protection for only one page • Password transmitted as plain text
Session Control • HTTP – no built-in way to maintain state between two transactions • Want: Track a user during a single session on a website • Show content personalized to user • Solution 1: protect each single page by asking for user authentication • Problems?
Solution 2: Use PHP Session Control • Session ID – cryptographically random number • Generated for each session • Stored on client side • Cookie • URL • Session variables • Created by PHP script • Stored on the server side • If session id visible (cookie or URL), session variables can be accessed by all scripts
Implementing Sessions • Start a session • Register session variables • Use session variables • Deregister variables • Destroy session
Start a session • session_start() • Creates a session, if none exists • Call it at the start of all scripts that use sessions
Register Session Variables • $_SESSION – superglobal array to store all session variables • Example: • <?php session_start(); $_SESSION[‘valid_user’] = ‘adina’; ?> • Session variable $_SESSION[‘valid_user’] tracked until the session ends, or it is manually unset
Use Session Variables • session_start() • Creates a session, if none exists • Brings session variables into scope, otherwise • Example: • <?php session_start(); if isset($_SESSION[‘valid_user’]) echo “User $_SESSION[‘valid_user’] logged in “; ?>
Unset Session Variables • unset($_SESSION[‘valid_user’]) • “Deletes” the session variable
Destroy Session • session_destroy() • Clean up the session ID
Lab Exercise • Write PHP to implement db authentication