Learn about database management, user authentication, and secure coding practices in PHP. Explore session control techniques, string manipulation functions, and database architecture. Understand how to securely store user information and implement session handling.
IT420: Database Management and Organization
Authentication
22 March 2006
Adina Crainiceanu
www.cs.usna.edu/~adina

Goals Today
• Passwords
• Session control
Web Database Architecture
(diagram) Client browser <-- HTTP --> Web server with PHP enabled <-- API --> DBMS
Check the User Input
• bool isset (variableName)
  • True if variableName is an existing variable with a non-null value
• bool empty (variableName)
  • True if variableName is undefined, an empty array, an empty string, FALSE, or 0
• Example:
  if (!isset($_POST['searchterm']) || empty($_POST['searchterm']))
      echo 'No search keyword entered. Try again!';

String Manipulation Functions
• string strip_tags(string stringVar [, string allowableTags])
  • Strips HTML and PHP tags from stringVar
• Example:
  $inputStr = '<script> alert("hi"); </script>';
  • Should not store this in the db!
  echo strip_tags($inputStr); // result: alert("hi");

Escaping Special Characters
• Special characters for the db:
  • Single quote '
  • Double quote "
• Example:
  insert into mytable(rowID, comment) values(1, 'some comment');
  • Want: rowID = 1, comment = I'm here
  insert into mytable(rowID, comment) values(1, 'I'm here'); ?
  • The quote inside I'm ends the string literal early, so this statement does not do what we want
• string addslashes (string someString)
  • Adds a backslash before special characters
• string stripslashes (string someString)
  • Removes the backslashes
• Example:
  echo addslashes("Let's see"); // result: Let\'s see
Authentication
• Want: Allow access to a web page only to some users
• Solution: Ask for user authentication
  • Log in

Class Exercise
• Write a PHP script:
  • If no login info is given, ask for login information
  • If username = 'user' and password = 'pass', display the protected content
  • Else, display an error message

Problems with the code
• One user name and password hard-coded
• Password stored as plain text
• Protection for only one page
• Password transmitted as plain text

Storing Users and Passwords
• In a file on the server
• In a database
  • Users(Username, Password)
• How do we test that the user's information matches the information in the database?
  SELECT count(*) FROM Users WHERE Username = $name AND Password = $password
Encrypting Passwords
• DO NOT store passwords as plain text!
• Use one-way hash functions
  • string sha1(string str)
  • Example: sha1('pass') == '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684'
• Deterministic output!
  • Given the same string, sha1 returns the same result every time

Example Using Encrypted Password
• Instead of
  if ($name == 'user' && $pass == 'password') {
      // OK, passwords match
  }
• Use
  if ($name == 'user' && sha1($pass) == '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684') {
      // OK, passwords match
  }

Problems with the code
• One user name and password hard-coded
• Password stored as plain text
• Protection for only one page
• Password transmitted as plain text
Session Control
• HTTP has no built-in way to maintain state between two transactions
• Want: Track a user during a single session on a website
  • Show content personalized to the user
• Solution 1: Protect each single page by asking for user authentication
  • Problems?

Solution 2: Use PHP Session Control
• Session ID: a cryptographically random number
  • Generated for each session
  • Stored on the client side
    • Cookie
    • URL
• Session variables
  • Created by the PHP script
  • Stored on the server side
  • If the session ID is visible (in the cookie or URL), the session variables can be accessed by all scripts

Implementing Sessions
• Start a session
• Register session variables
• Use session variables
• Deregister variables
• Destroy the session

Start a Session
• session_start()
  • Creates a session if none exists
  • Call it at the start of all scripts that use sessions
Register Session Variables
• $_SESSION: superglobal array that stores all session variables
• Example:
  <?php
  session_start();
  $_SESSION['valid_user'] = 'adina';
  ?>
• The session variable $_SESSION['valid_user'] is tracked until the session ends or it is manually unset

Use Session Variables
• session_start()
  • Creates a session if none exists
  • Otherwise brings the session variables into scope
• Example:
  <?php
  session_start();
  if (isset($_SESSION['valid_user']))
      echo "User {$_SESSION['valid_user']} logged in";
  ?>

Unset Session Variables
• unset($_SESSION['valid_user'])
  • "Deletes" the session variable

Destroy Session
• session_destroy()
  • Cleans up the session ID

Lab Exercise
• Write PHP to implement db authentication
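One way to do the lab exercise, combining the Users(Username, Password) lookup from the "Storing Users and Passwords" slide with the session handling from the last slides. This is an added example, not code from the slides; it assumes PHP 7.1+, an open mysqli connection in $db, and that stored passwords were hashed with password_hash() (a salted hash, used here in place of the slides' sha1()), so the check is done by password_verify() and the lookup uses a prepared statement instead of pasting $name into the query.

```php
<?php
// Added example, not from the slides. Assumes PHP 7.1+ and an open
// mysqli connection in $db to a database holding the slides'
// Users(Username, Password) table, where Password is a password_hash()
// result rather than the unsalted sha1() shown in the lecture.
session_start(); // create or resume the session before any output

// Fetch the stored hash for one user. The "?" placeholder keeps $name
// as data, so the query is not built by pasting $name into the SQL.
function fetch_password_hash(mysqli $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT Password FROM Users WHERE Username = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null;
}

// True only if the user exists and the submitted password matches its hash.
function authenticate(mysqli $db, string $name, string $pass): bool
{
    $hash = fetch_password_hash($db, $name);
    // Verify against a throwaway hash when the user is unknown, so the
    // response time is the same for unknown users and wrong passwords.
    $ok = password_verify($pass, $hash ?? password_hash('unused', PASSWORD_DEFAULT));
    return $hash !== null && $ok;
}

// Same input check as the "Check the User Input" slide.
if (!isset($_POST['username']) || empty($_POST['username']) ||
    !isset($_POST['password']) || empty($_POST['password'])) {
    echo 'No login information entered. Try again!';
} elseif (authenticate($db, $_POST['username'], $_POST['password'])) {
    session_regenerate_id(true);   // fresh session ID once logged in
    $_SESSION['valid_user'] = $_POST['username'];
    echo 'User ' . htmlspecialchars($_SESSION['valid_user']) . ' logged in';
} else {
    echo 'Invalid username or password'; // one message for both failure cases
}

// Every other protected page calls session_start() and then checks
// isset($_SESSION['valid_user']) before showing its content.
// Logout: unset($_SESSION['valid_user']); session_destroy();
?>
```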