Home > Article > Backend Development > Example learning PHP program implements two methods for user identity authentication_PHP tutorial
用户在设计和维护站点的时候,经常需要限制对某些重要文件或信息的访问。通常,我们可以采用内置于WEB服务器的基于HTTP协议的用户身份验证机制。当访问者浏览受保护页面时,客户端浏览器会弹出对话窗口要求用户输入用户名和密码,对用户的身份进行验证,以决定用户是否有权访问页面。下面用两种方法来说明其实现原理。 一、用HTTP标头来实现 标头是服务器以HTTP协议传送HTML信息到浏览器前所送出的字串。HTTP采用一种挑战/响应模式对试图进入受密码保护区域的用户进行身份验证。具体来说,当用户首次向WEB服务器发出访问受保护区域的请求时,挑战进程被启动,服务器返回特殊的401标头,表明该用户身份未经验证。客户端浏览器在检测到上述响应之后自动弹出对话框,要求用户输入用户名和密码。用户完成输入之后点击确定,其身份识别信息就被传送到服务端进行验证。如果用户输入的用户名和密码有效,WEB服务器将允许用户进入受保护区域,并且在整个访问过程中保持其身份的有效性。相反,若用户输入的用户名称或密码无法通过验证,客户端浏览器会不断弹出输入窗口要求用户再次尝试输入正确的信息。整个过程将一直持续到用户输入正确的信息位置,也可以设定允许用户进行尝试的最大次数,超出时将自动拒绝用户的访问请求。 在PHP脚本中,使用函数header()直接给客户端的浏览器发送HTTP标头,这样在客户端将会自动弹出用户名和密码输入窗口,来实现我们的身份认证功能。在PHP中,客户端用户输入的信息传送到服务器之后自动保存在 $PHP_AUTH_USER,$PHP_AUTH_PW,以及 $PHP_AUTH_TYPE这三个全局变量中。利用这三个变量,我们可以根据保存在数据文件或者数据库中用户帐号信息来验证用户身份! 不过,需要提醒使用者注意的是:只有在以模块方式安装的PHP中才能使用$PHP_AUTH_USER,$PHP_AUTH_PW,以及 $PHP_AUTH_TYPE这三个变量。如果用户使用的是CGI模式的PHP则无法实现验证功能。在本节后附有PHP的模块方式安装方法。 下面我们用Mysql数据库来存储用户的身份。我们需要从数据库中提取每个帐号的用户名和密码以便与$PHP_AUTH_USER和$PHP_AUTH_PW变量进行比较,判断用户的真实性。 首先,在MySql中建立一个存放用户信息的数据库 数据库名为XinXiKu ,表名为user;表定义如下: create table user( 说明: 1、ID为一个序列号,不为零而且自动递增,为主键; 2、name为用户名,不能为空; 3、password为用户密码,不能为空; 以下是用户验证文件login.php //判断用户名是否设置 程序说明: 在程序中,首先检查变量$PHP_AUTH_USER是否已经设置。如果没有设置,说明需要验证,脚本发出HTTP 401错误号头标,告诉客户端的浏览器需要进行身份验证,由客户端的浏览器弹出一个身份验证窗口,提示用户输入用户名和密码,输入完成后,连接数据库,查询该用用户名及密码是否正确,如果正确,允许登录进行相关操作,如果不正确,继续要求用户输入用户名和密码。 函数说明: 1、isset():用于确定某个变量是否已被赋值。根据变量值是否存在,返回true或false 2、header():用于发送特定的HTTP标头。注意,使用header()函数时,一定要在任何产生实际输出的HTML或PHP代码前面调用该函数。 3、mysql_connect():打开 MySQL 服务器连接。 4、mysql_db_query():送查询字符串 (query) 到 MySQL 数据库。 5. mysql_fetch_row(): Returns each field of a single column. 2. Use session to implement server verification For pages that require authentication, it is best to use apache server authentication. However, the interface of apache server verification is not friendly enough. Moreover, PHP in CGI mode and PHP under IIS cannot be verified using the Apache server. In this way, we can use the session to save the user's identity between different pages to achieve identity verification. On the backend, we also use the above Mysql database to store user information. We first write a user login interface, the file name is login.php, the code is: ______________________________________________________________
ID INT(4) NOT NULL AUTO_INCREMENT,
name VARCHAR(8) NOT NULL,
password CHAR(8) NOT NULL,
PRIMARY KEY(ID)
)
if(!isset($PHP_AUTH_USER)) {
header("WWW-Authenticate:Basic realm="身份验证功能"");
header("HTTP/1.0 401 Unauthorized");
echo "身份验证失败,您无权共享网络资源!";
exit();
}
/*连接数据库*/
$db=mysql_connect("localhost","root","");
//选择数据库
mysql_select_db("XinXiKu",$db);
//查询用户是否存在
$result=mysql_query("SELECT * FROM user where name=$PHP_AUTH_USER and password=$PHP_AUTH_PW",$db);
if ($myrow = mysql_fetch_row($result)) {
//以下为身份验证成功后的相关操作
...
} else {
//身份验证不成功,提示用户重新输入
header("WWW-Authenticate:Basic realm="身份验证功能"");
header("HTTP/1.0 401 Unauthorized");
echo "身份验证失败,您无权共享网络资源!";
exit();
}
?>
Username:
Password:
______________________________________________________________
login1.php handles the submitted form, the code is as follows:
$db=mysql_connect("localhost","root","");
mysql_select_db("XinXiKu",$db);
$result=mysql_query("SELECT * FROM user where name=$ name and password=$pass",$db);
if ($myrow = mysql_fetch_row($result)) {
//Registered user
session_start();
session_register("user") ;
$user=$myrow["user"];
// Identity verification is successful, perform related operations
...
} else {
echo"Authentication failed, you have nothing to do Right to share network resources!";
}
?>
What needs to be noted here is that users can use **http://domainname/next.php?user=user in subsequent operations name to bypass authentication. Therefore, subsequent operations should first check whether the variable is registered: if it is registered, perform the corresponding operation, otherwise it will be regarded as illegal login. The relevant code is as follows:
session_start();
if (!session_is_registered("user")){
echo "Authentication failed, illegal login!";
} else {
/ /Successfully logged in to perform related operations
...
}
?>
Appendix: How to install PHP as a module
1. First download the file: mod_php4-4.0.1-pl2. [If yours is not PHP4, then upgrade as soon as possible!]
After unzipping, there are three files: mod_php4.dll, mod_php4.conf, readme.txt
2. Copy relevant files
Copy mod_php4.dll to the modules directory of the apache installation directory
Copy mod_php4.conf to the conf directory of the apache installation directory
Copy the msvcrt.dll file to the apache installation directory
3. Open the conf/srm.conf file and add a sentence
in itInclude conf/mod_php4.conf
Before doing this, please remove all setting statements about CGI mode in your httpd.conf, that is, parts similar to the ones below!
ScripAlias /php4/ "C:/php4/"
AddType application/x-httpd-php4 .php
AddType application/x-httpd-php4 .php3
AddType application/x-httpd- php4 .php4
Action application/x-httpd-php4 /php4/php.exe
If you want to make PHP support more suffixes, no problem. The given configuration file mod_php4.conf already supports three suffixes: php, php3, and php4. If you want to support more suffixes, you can change this file. It is very simple.
4. Test
Test with phpinfo(); ?>. You will see that the value of Server API is apache, not cgi, and there is also information about HTTP Headers Information.