Thread: HTTP_AUTH and SQL WHERE Clause

HTTP_AUTH and SQL WHERE Clause

From
"Seader, Cameron"
Date:
Hey Folks,
I am having trouble with some variables, the $HTTP_AUTH_USER and $HTTP_AUTH_PW - now I'm using PHP 4.3.3 and so I know
that you have to use $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'] instead of the old way now. Well, I am
having trouble with this script I have created to authenticate user name and password and verify against a postgresql
database below.

$auth = false; // Assume user is not authenticated

if (isset( $_SERVER['PHP_AUTH_USER'] ) && isset($_SERVER['PHP_AUTH_PW'])) {

// Connect to MySQL

pg_pconnect("host=172.18.204.64 port=5432 dbname=acquisuite_db user=pgadmin password=pgadmin")
or die ( 'Unable to connect to server.' );

// Select database on MySQL server

// mysql_select_db( 'your_db' )
// or die ( 'Unable to select database.' );

// Formulate the query

$sql = ("SELECT * FROM tbl_authenticate WHERE username = '$PHP_AUTH_USER' AND password = '$PHP_AUTH_PW'");

// Execute the query and put results in $result

$result = pg_exec( $sql )
or die ( 'Unable to execute query.' );

// Get number of rows in $result.

$num = pg_num_rows( $result );

if ( $num != 0 ) {

// A matching row was found - the user is authenticated.

$auth = true;

}

}

The problem is on the $sql line when I put in the string to do the query with the WHERE clause having the
$HTTP_AUTH_USER and $HTTP_AUTH_PW. When I change it to '$_SERVER['HTTP_AUTH_USER']' and '$_SERVER['HTTP_AUTH_PW']' it
does not work and I get a parse error.
How can I get around this?
Does anyone have any ideas for me?
Thanks

Cameron Seader
CSeader@Idahopower.com






Re: HTTP_AUTH and SQL WHERE Clause

From
brew@theMode.com
Date:
Cameron......

> I am having trouble with some variables, the $HTTP_AUTH_USER and
> $HTTP_AUTH_PW - now I'm using PHP 4.3.3 and so I know that you have to
> use $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'] instead of
> the old way now. Well, I am having trouble with this script I have
> created to authenticate user name and password and verify against a
> postgresql database below.

Maybe someone else knows why, but I've had similar problems.  What I do
now as a matter of course is to copy the PHP environment variables I want
to use over into regular variables at the beginning of the script.

Also for debugging you could print them out early on, before using them
and see what values they hold.

later....

brew



Re: HTTP_AUTH and SQL WHERE Clause

From
"Rod K"
Date:

> $sql = ("SELECT * FROM tbl_authenticate WHERE username =
> '$PHP_AUTH_USER' AND password = '$PHP_AUTH_PW'");
>

There's no need for the parens around the quoted value.

> The problem is on the $sql line when I put in the string to do
> the query with the WHERE clause having the $HTTP_AUTH_USER and
> $HTTP_AUTH_PW. When I change it to '$_SERVER['HTTP_AUTH_USER']'
> and '$_SERVER['HTTP_AUTH_PW']' it does not work and I get a parse error.

So the new assignment looks like this:

$sql= "SELECT * FROM tbl_authenticate WHERE username =
'$_SERVER['HTTP_AUTH_USER']' AND password = '$_SERVER['HTTP_AUTH_PW']'";

The problem is that PHP doesn't know what you are trying to do here.
"'$_SERVER['HTTP_AUTH_PW']'" could mean "'(the value of
$_SERVER)['HTTP_AUTH_PW']'" or what you intend.  To get around that you need
to enclose array elements (as well as other complex type structures like
$myObject->property) with braces (or place them outside the quoted value).

The former:

 $sql= "SELECT * FROM tbl_authenticate WHERE username =
'{$_SERVER['HTTP_AUTH_USER']}' AND password = '{$_SERVER['HTTP_AUTH_PW']}'";

and the latter:

 $sql= "SELECT * FROM tbl_authenticate WHERE username =
'".$_SERVER['HTTP_AUTH_USER']."' AND password =
'".$_SERVER['HTTP_AUTH_PW']."'";

I prefer the latter since it's a bit easier to read IMO.

HTH
Rod



Re: HTTP_AUTH and SQL WHERE Clause

From
Rod Taylor
Date:
> The former:
>
>  $sql= "SELECT * FROM tbl_authenticate WHERE username =
> '{$_SERVER['HTTP_AUTH_USER']}' AND password = '{$_SERVER['HTTP_AUTH_PW']}'";
>
> and the latter:
>
>  $sql= "SELECT * FROM tbl_authenticate WHERE username =
> '".$_SERVER['HTTP_AUTH_USER']."' AND password =
> '".$_SERVER['HTTP_AUTH_PW']."'";
>
> I prefer the latter since it's a bit easier to read IMO.

Another alternative:

$sql = <<<END
SELECT *
  FROM tbl_authenticate
 WHERE username = '%s'
   AND password = '%s';
END;

$psql = sprintf($sql, pg_escape_string($_SERVER['HTTP_AUTH_USER']),
        pg_escape_string($_SERVER['HTTP_AUTH_PW']));
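
Added example, not part of the original thread: the same lookup written with bound parameters, so neither the parse error nor quote characters in the credentials can affect the SQL text. Assumptions: an in-memory SQLite database (via PDO) stands in for the PostgreSQL server so the script runs offline, the pw_hash column and the sample account are constructed, and the credential keys are PHP_AUTH_USER / PHP_AUTH_PW as in the isset() test of the first message.

```php
<?php
// Added example: SQLite in memory stands in for the thread's PostgreSQL
// server. With the pgsql extension the same shape is
// pg_query_params($conn, 'SELECT ... WHERE username = $1', array($user)).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_authenticate (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Constructed sample account; pw_hash is a hypothetical column replacing
// the thread's plaintext "password" column.
$ins = $db->prepare('INSERT INTO tbl_authenticate (username, pw_hash) VALUES (?, ?)');
$ins->execute(['cameron', password_hash('correct horse', PASSWORD_DEFAULT)]);

function authenticate(PDO $db, array $server): bool
{
    // PHP exposes HTTP Basic credentials as PHP_AUTH_USER / PHP_AUTH_PW.
    if (!isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return false;
    }
    // The value is bound, never spliced into the SQL text, so quotes in it
    // cannot change the statement and no string interpolation is needed.
    $stmt = $db->prepare('SELECT pw_hash FROM tbl_authenticate WHERE username = ?');
    $stmt->execute([$server['PHP_AUTH_USER']]);
    $hash = $stmt->fetchColumn();   // false when no such user
    // Compare against the stored hash instead of matching the password in SQL.
    return is_string($hash) && password_verify($server['PHP_AUTH_PW'], $hash);
}

// Constructed requests (stand-ins for $_SERVER).
$cases = [
    'valid login'        => ['PHP_AUTH_USER' => 'cameron', 'PHP_AUTH_PW' => 'correct horse'],
    'wrong password'     => ['PHP_AUTH_USER' => 'cameron', 'PHP_AUTH_PW' => 'guess'],
    'quotes in password' => ['PHP_AUTH_USER' => 'cameron', 'PHP_AUTH_PW' => "it's 'quoted'"],
    'quote in username'  => ['PHP_AUTH_USER' => "o'brien", 'PHP_AUTH_PW' => 'x'],
    'no credentials'     => [],
];
foreach ($cases as $label => $server) {
    printf("%-20s %s\n", $label, authenticate($db, $server) ? 'authenticated' : 'rejected');
}
```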

