Thread: HTTP_AUTH and SQL WHERE Clause
Hey Folks,

I am having trouble with some variables, the $HTTP_AUTH_USER and $HTTP_AUTH_PW - now I'm using PHP 4.3.3 and so I know that you have to use $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'] instead of the old way now. Well, I am having trouble with this script I have created to authenticate user name and password and verify against a PostgreSQL database, below.

$auth = false; // Assume user is not authenticated
if (isset( $_SERVER['PHP_AUTH_USER'] ) && isset($_SERVER['PHP_AUTH_PW'])) {
    // Connect to MySQL
    pg_pconnect("host=172.18.204.64 port=5432 dbname=acquisuite_db user=pgadmin password=pgadmin")
        or die ( 'Unable to connect to server.' );
    // Select database on MySQL server
    // mysql_select_db( 'your_db' )
    //     or die ( 'Unable to select database.' );
    // Formulate the query
    $sql = ("SELECT * FROM tbl_authenticate WHERE username = '$PHP_AUTH_USER' AND password = '$PHP_AUTH_PW'");
    // Execute the query and put results in $result
    $result = pg_exec( $sql )
        or die ( 'Unable to execute query.' );
    // Get number of rows in $result.
    $num = pg_num_rows( $result );
    if ( $num != 0 ) {
        // A matching row was found - the user is authenticated.
        $auth = true;
    }
}

The problem is on the $sql line when I put in the string to do the query with the WHERE clause having the $HTTP_AUTH_USER and $HTTP_AUTH_PW. When I change it to '$_SERVER['HTTP_AUTH_USER']' and '$_SERVER['HTTP_AUTH_PW']' it does not work and I get a parse error. How can I get around this? Does anyone have any ideas for me?

Thanks
Cameron Seader
CSeader@Idahopower.com

Cameron......

> I am having trouble with some variables the $HTTP_AUTH_USER and
> $HTTP_AUTH_PW - now I'm using PHP 4.3.3 and so I know that you have to
> use $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'] instead of
> the old way now. Well I am having trouble with this script I have
> created to authenticate user name and password and verify against a
> postgresql database below.

Maybe someone else knows why, but I've had similar problems. What I do now as a matter of course is to copy the PHP environment variables I want to use over into regular variables in the beginning of the script. Also, for debugging you could print them out early on, before using them, and see what values they hold.

later....
brew

> $sql = ("SELECT * FROM tbl_authenticate WHERE username =
> '$PHP_AUTH_USER' AND password = '$PHP_AUTH_PW'");
>

There's no need for the parens around the quoted value.

> The Problem is on the $sql line when I put in the string to do
> the Query with the WHERE clause having the $HTTP_AUTH_USER and
> $HTTP_AUTH_PW. When I change it to '$_SERVER['HTTP_AUTH_USER']'
> and '$_SERVER['HTTP_AUTH_PW']' it does not work and I get a parse error.

So the new assignment looks like this:

$sql= "SELECT * FROM tbl_authenticate WHERE username = '$_SERVER['HTTP_AUTH_USER']' AND password = '$_SERVER['HTTP_AUTH_PW']'";

The problem is that PHP doesn't know what you are trying to do here. "'$_SERVER['HTTP_AUTH_PW']'" could mean "'(the value of $_SERVER)['HTTP_AUTH_PW']'" or what you intend. To get around that you need to enclose array elements (as well as other complex type structures like $myObject->property) with braces (or place them outside the quoted value).

The former:

$sql= "SELECT * FROM tbl_authenticate WHERE username = '{$_SERVER['HTTP_AUTH_USER']}' AND password = '{$_SERVER['HTTP_AUTH_PW']}'";

and the latter:

$sql= "SELECT * FROM tbl_authenticate WHERE username = '".$_SERVER['HTTP_AUTH_USER']."' AND password = '".$_SERVER['HTTP_AUTH_PW']."'";

I prefer the latter since it's a bit easier to read IMO.

HTH
Rod

> The former:
>
> $sql= "SELECT * FROM tbl_authenticate WHERE username =
> '{$_SERVER['HTTP_AUTH_USER']}' AND password = '{$_SERVER['HTTP_AUTH_PW']}'";
>
> and the latter:
>
> $sql= "SELECT * FROM tbl_authenticate WHERE username =
> '".$_SERVER['HTTP_AUTH_USER']."' AND password =
> '".$_SERVER['HTTP_AUTH_PW']."'";
>
> I prefer the latter since it's a bit easier to read IMO.

Another alternative:

$sql = <<<END
SELECT * FROM tbl_authenticate
WHERE username = '%s' AND password = '%s';
END;

$psql = sprintf($sql, pg_escape_string($_SERVER['HTTP_AUTH_USER']), pg_escape_string($_SERVER['HTTP_AUTH_PW']));
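
A parameterized form of the lookup discussed in this thread, as an added example that is not part of any post: the credentials are bound with pg_query_params(), so they never enter a PHP string or the SQL text, and the keys are PHP_AUTH_USER / PHP_AUTH_PW as in the isset() check of the original script. Assumptions: PHP 5.5+ with the pgsql extension, a placeholder connection string, a hypothetical helper authenticate(), and a `password` column that stores password_hash() output.

```php
<?php
// Added example, not from the thread. Assumptions: PHP 5.5+ with the pgsql
// extension, and tbl_authenticate.password holding password_hash() output.

// Hypothetical helper: true only when the user exists and the password verifies.
function authenticate($conn, $user, $pw)
{
    // $1 is sent to the server separately from the SQL text, so the value
    // never passes through PHP string interpolation or SQL quoting.
    $result = pg_query_params(
        $conn,
        'SELECT password FROM tbl_authenticate WHERE username = $1',
        array($user)
    );
    if ($result === false) {
        return false; // query failed: deny
    }
    $row = pg_fetch_assoc($result);
    if ($row === false) {
        return false; // no such user
    }
    return password_verify($pw, $row['password']);
}

// Placeholder connection string; read real settings from configuration.
$conn = pg_connect('host=DB_HOST dbname=DB_NAME user=DB_USER password=DB_PASSWORD');
if ($conn === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Unable to connect to server.');
}

// PHP exposes HTTP Basic credentials as PHP_AUTH_USER / PHP_AUTH_PW.
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$pw   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

if ($user === null || $pw === null || !authenticate($conn, $user, $pw)) {
    // Missing or wrong credentials: challenge the client again.
    header('WWW-Authenticate: Basic realm="Restricted"');
    header('HTTP/1.1 401 Unauthorized');
    exit('Authorization required.');
}
echo 'Authenticated.';
```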