1 / 26

IT420: Database Management and Organization

IT420: Database Management and Organization. Authentication 22 March 2006 Adina Crainiceanu www.cs.usna.edu/~adina. Goals Today. Passwords Session control. DBMS. API. HTTP. Client browser. Web server with PHP enabled. Web Database Architecture. Check the User Input.

ghyde
Download Presentation

IT420: Database Management and Organization

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT420: Database Management and Organization Authentication 22 March 2006 Adina Crainiceanu www.cs.usna.edu/~adina

  2. Goals Today • Passwords • Session control

  3. DBMS API HTTP Client browser Web server with PHP enabled Web Database Architecture

  4. Check the User Input • bool isset (variableName) • True if variableName is an existing variable with not null value • bool empty (variableName) • True if variableName is undefined, empty array, empty string, FALSE, or 0 • Example: • if (!isset($_POST[‘searchterm’]) || empty($_POST[‘searchterm’])) echo ‘No search keyword entered. Try again!’;

  5. String Manipulation Functions • string strip_tags(string stringVar [,string allowableTags]) • Strips HTML and PHP tags from stringVar • Example: • $inputStr = ‘<script> alert(“hi”); </script>’; • Should not store this in the db! • echo strip_tags($inputStr); //result: alert(“hi”);

  6. Escaping Special Characters • Special characters for db: • Single quote ‘ • Double quotes “ Example: • insert into mytable(rowID, comment) values(1,’some comment’); • Want: rowID = 1, comment = I’m here • insert into mytable(rowID, comment) values(1,’I’m here’);? • string addslashes (string someString) • Add slash before special characters • string stripslashes (string someString) • Remove slashes • Example: • echo addslashes(“Let’s see”); //result: Let\’s see

  7. Authentication • Want: Allow access to a web page only to some users • Solution: Ask for user authentication • log in

  8. Step 1: Ask Login Information

  9. Step 2-a: If Incorrect Information, Display Error Message

  10. Step 2-b If Correct Information, Display Secret Page

  11. Class Exercise • Write a PHP script: • If no login info given, ask for login information • If username = ‘user’ and password = ‘pass’, • display protected content • Else, display error message

  12. pass_protect.php

  13. Problems with the code • One user-name and password hard-coded • Password stored as plain text • Protection for only one page • Password transmitted as plain text

  14. Storing Users and Passwords • In a file on the server • In a database • Users(Username, Password) • How do we test that user information matches the information in the database? • SELECT count(*) FROM Users WHERE Username = $name AND Password = $password

  15. Encrypting Passwords • DO NOT store passwords as plain text! • Use one-way hash functions • string sha1(string str) • Example: sha1(‘pass’) == ‘9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684 ’ • Deterministic output! • Given same string, sha1 returns the same result every time

  16. Example Using Encrypted Password • Instead of if ($name == ‘user’ && $pass == ‘password’){ //OK, passwords match } • Use if ($name == ‘user’ && sha1($pass) == ‘9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684’ ){ //OK, passwords match }

  17. Problems with the code • One user-name and password hard-coded • Password stored as plain text • Protection for only one page • Password transmitted as plain text

  18. Session Control • HTTP – no built-in way to maintain state between two transactions • Want: Track a user during a single session on a website • Show content personalized to user • Solution 1: protect each single page by asking for user authentication • Problems?

  19. Solution 2: Use PHP Session Control • Session ID – cryptographically random number • Generated for each session • Stored on client side • Cookie • URL • Session variables • Created by PHP script • Stored on the server side • If session id visible (cookie or URL), session variables can be accessed by all scripts

  20. Implementing Sessions • Start a session • Register session variables • Use session variables • Deregister variables • Destroy session

  21. Start a session • session_start() • Creates a session, if none exists • Call it at the start of all scripts that use sessions

  22. Register Session Variables • $_SESSION – superglobal array to store all session variables • Example: • <?php session_start(); $_SESSION[‘valid_user’] = ‘adina’; ?> • Session variable $_SESSION[‘valid_user’] tracked until the session ends, or it is manually unset

  23. Use Session Variables • session_start() • Creates a session, if none exists • Brings session variables into scope, otherwise • Example: • <?php session_start(); if isset($_SESSION[‘valid_user’]) echo “User $_SESSION[‘valid_user’] logged in “; ?>

  24. Unset Session Variables • unset($_SESSION[‘valid_user’]) • “Deletes” the session variable

  25. Destroy Session • session_destroy() • Clean up the session ID

  26. Lab Exercise • Write PHP to implement db authentication

More Related