IT 420: Database Management and Organization
Authentication
22 March 2006
Adina Crainiceanu
www.cs.usna.edu/~adina
Goals Today § Passwords § Session control
Web Database Architecture (diagram): Client browser <-- HTTP --> Web server with PHP enabled <-- API --> DBMS
Check the User Input
§ bool isset($variableName)
§ True if $variableName is an existing variable with a non-null value
§ bool empty($variableName)
§ True if $variableName is undefined, an empty array, an empty string, FALSE, or 0
§ Example:
if (!isset($_POST['searchterm']) || empty($_POST['searchterm']))
    echo 'No search keyword entered. Try again!';
String Manipulation Functions
§ string strip_tags(string $str [, string $allowableTags])
§ Strips HTML and PHP tags from $str
§ Example:
$inputStr = '<script> alert("hi"); </script>';
§ Should not store this in the db!
echo strip_tags($inputStr); // result: alert("hi");
Escaping Special Characters
§ Special characters for the db:
§ Single quote '
§ Double quote "
§ Example:
insert into mytable(rowID, comment) values(1, 'some comment');
§ Want: rowID = 1, comment = I'm here
insert into mytable(rowID, comment) values(1, 'I'm here'); ?
§ string addslashes(string $someString)
§ Adds a backslash before special characters
§ string stripslashes(string $someString)
§ Removes the slashes
§ Example:
echo addslashes("Let's see"); // result: Let\'s see
Authentication § Want: Allow access to a web page only to some users § Solution: Ask for user authentication § log in
Step 1: Ask Login Information
Step 2 -a: If Incorrect Information, Display Error Message
Step 2 -b If Correct Information, Display Secret Page
Class Exercise § Write a PHP script: § If no login info given, ask for login information § If username = ‘user’ and password = ‘pass’, § display protected content § Else, display error message
pass_protect.php
Problems with the code
§ One username and password hard-coded
§ Password stored as plain text
§ Protection for only one page
§ Password transmitted as plain text
Storing Users and Passwords
§ In a file on the server
§ In a database
§ Users(Username, Password)
§ How do we test that the user's information matches the information in the database?
§ SELECT count(*) FROM Users WHERE Username = '$name' AND Password = '$password'
Encrypting Passwords
§ DO NOT store passwords as plain text!
§ Use one-way hash functions
§ string sha1(string $str)
§ Example: sha1('pass') == '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684'
§ Deterministic output!
§ Given the same string, sha1 returns the same result every time
Example Using Encrypted Password
§ Instead of
if ($name == 'user' && $pass == 'password') {
    // OK, passwords match
}
§ Use
if ($name == 'user' && sha1($pass) == '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684') {
    // OK, passwords match
}
Problems with the code
§ One username and password hard-coded
§ Password stored as plain text
§ Protection for only one page
§ Password transmitted as plain text
Session Control § HTTP – no built-in way to maintain state between two transactions § Want: Track a user during a single session on a website § Show content personalized to user § Solution 1: protect each single page by asking for user authentication § Problems?
Solution 2: Use PHP Session Control
§ Session ID – cryptographically random number
§ Generated for each session
§ Stored on the client side
§ Cookie
§ URL
§ Session variables
§ Created by the PHP script
§ Stored on the server side
§ Once the session ID is presented (cookie or URL), the session variables can be accessed by all scripts on the site that start the session
Implementing Sessions
§ Start a session
§ Register session variables
§ Use session variables
§ Deregister variables
§ Destroy the session
Start a session § session_start() § Creates a session, if none exists § Call it at the start of all scripts that use sessions
Register Session Variables
§ $_SESSION – superglobal array that stores all session variables
§ Example:
<?php
session_start();
$_SESSION['valid_user'] = 'adina';
?>
§ The session variable $_SESSION['valid_user'] is tracked until the session ends or it is manually unset
Use Session Variables
§ session_start()
§ Creates a session, if none exists
§ Otherwise, brings the existing session variables into scope
§ Example:
<?php
session_start();
if (isset($_SESSION['valid_user']))
    echo "User {$_SESSION['valid_user']} logged in";
?>
Unset Session Variables
§ unset($_SESSION['valid_user'])
§ "Deletes" the session variable
Destroy Session
§ session_destroy()
§ Destroys all data registered to the current session on the server
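An added example (not from the slides) that puts the steps together for the lab: a login script that checks the POST input, tests the username and sha1-hashed password against Users(Username, Password), and tracks the user with $_SESSION until logout. It assumes a PDO connection (the DSN and credentials are placeholders) and uses a prepared statement in place of the slides' string-built query, so quote characters in the input cannot alter the SQL; sha1 is kept to match the slides, although current PHP recommends password_hash()/password_verify().

```php
<?php
// login.php (added example): db-backed authentication with PHP session control.
// Assumes Users(Username, Password) where Password holds sha1() of the password.
session_start();   // must run before any output, on every page that uses sessions

function authenticate(PDO $db, string $name, string $pass): bool
{
    // Bound parameters: the values are never spliced into the SQL text,
    // so a quote in $name or $pass cannot change the query (cf. the addslashes slide).
    $stmt = $db->prepare('SELECT COUNT(*) FROM Users WHERE Username = ? AND Password = ?');
    $stmt->execute([$name, sha1($pass)]);
    return (int) $stmt->fetchColumn() === 1;
}

if (isset($_POST['logout'])) {
    unset($_SESSION['valid_user']);   // deregister the session variable
    session_destroy();                // destroy the server-side session data
    echo 'Logged out.';
    exit;
}

if (!empty($_POST['username']) && !empty($_POST['password'])) {
    // Placeholder DSN and credentials; replace with the lab database settings.
    $db = new PDO('mysql:host=localhost;dbname=it420', 'dbuser', 'dbpass');
    if (authenticate($db, $_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);                 // fresh session ID after login
        $_SESSION['valid_user'] = $_POST['username']; // register the session variable
    } else {
        echo 'Incorrect username or password.';
    }
}

if (isset($_SESSION['valid_user'])) {
    // Protected content; escape the stored name before echoing it into HTML.
    echo 'User ' . htmlspecialchars($_SESSION['valid_user']) . ' logged in.';
    echo '<form method="post"><input type="submit" name="logout" value="Log out"></form>';
} else {
    echo '<form method="post">Username: <input type="text" name="username"> '
       . 'Password: <input type="password" name="password"> '
       . '<input type="submit" value="Log in"></form>';
}
```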
Lab Exercise § Write PHP to implement db authentication