Re: [PHP] Trouble with PHP server script
On Sun, February 10, 2008 9:09 pm, Robert Cox wrote:
> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL forwarded site? I am trying to find the authorised user id so that I can access an SQL database with it. Anyone got some ideas?

If you do a Location: with a FULL URL then the browser will forward POST and I think AUTH data.

If you use a partial URL, it seems to work, but IE will decide not to forward that data.

It is in the spec that you need the full URL, starting with http:// for a Location header.

This may (or may not) be what is messing you up.

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Trouble with PHP server script
Richard Lynch wrote:
> On Sun, February 10, 2008 9:09 pm, Robert Cox wrote:
>> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL forwarded site? I am trying to find the authorised user id so that I can access an SQL database with it. Anyone got some ideas?
>
> If you do a Location: with a FULL URL then the browser will forward POST and I think AUTH data.

Auth info is not passed on as such. HTTP authentication details are applied to all URLs where the browser already knows them (i.e. on the same domain where they have already authenticated). The redirect does not have anything to do with this.

And I don't know where you're getting the idea that POST data is persisted when redirecting with the location header. This is certainly not the case in all browsers I've ever worked with. If it was then a fair number of scripts I've written over the years would not work correctly.

One security note for the OP: it's generally a bad idea for the user credentials for your website to be the same as those used to access the database. I can think of few ideas where it would make the slightest bit of logical sense and most of those involve web-based DB admin such as phpMyAdmin. You might want to rethink your design from a security point of view.

-Stut

--
http://stut.net/
Re: [PHP] Trouble with PHP server script
On Feb 10, 2008 10:09 PM, Robert Cox [EMAIL PROTECTED] wrote:
> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL forwarded site? I am trying to find the authorised user id so that I can access an SQL database with it. Anyone got some ideas?

Once again I'll defer to Dan Shirah, who was working with PHP and the AUTH_USER stuff. He may be able to help you out through his experience with it.

--
/Dan

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>
[PHP] Trouble with PHP server script
Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL forwarded site? I am trying to find the authorised user id so that I can access an SQL database with it. Anyone got some ideas?

PHP looks like this

<?php
//Get User
$user = $_SERVER['PHP_AUTH_USER'];

// Get User type
$db = mysql_connect("localhost", ".", ".") or die("Can't connect to database: ".mysql_error());
mysql_select_db() or die("Can't select database: ".mysql_error());
$query = "SELECT * FROM user WHERE staffid LIKE $user";
$result = mysql_query($query) or die ('Not a valid User: ' . mysql_error());
?>
Re: [PHP] Trouble with PHP server script
--- Robert Cox [EMAIL PROTECTED] wrote:
> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL forwarded site? I am trying to find the authorised user id so that I can access an SQL database with it. Anyone got some ideas?
>
> PHP looks like this
>
> <?php
> //Get User
> $user = $_SERVER['PHP_AUTH_USER'];
>
> // Get User type
> $db = mysql_connect("localhost", ".", ".") or die("Can't connect to database: ".mysql_error());
> mysql_select_db() or die("Can't select database: ".mysql_error());
> $query = "SELECT * FROM user WHERE staffid LIKE $user";
> $result = mysql_query($query) or die ('Not a valid User: ' . mysql_error());
> ?>

Robert,
I think this link will help you to solve the problem.
http://bugs.php.net/bug.php?id=29132

---
Nirmalya Lahiri
[+91-9433113536]
Re: [PHP] Trouble with PHP server script
Robert Cox wrote:
> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL forwarded site? I am trying to find the authorised user id so that I can access an SQL database with it. Anyone got some ideas?
>
> PHP looks like this
>
> <?php
> //Get User
> $user = $_SERVER['PHP_AUTH_USER'];
>
> // Get User type
> $db = mysql_connect("localhost", ".", ".") or die("Can't connect to database: ".mysql_error());
> mysql_select_db() or die("Can't select database: ".mysql_error());

You should always run mysql_real_escape_string() on any variables that you use in an SQL statement.

> $query = "SELECT * FROM user WHERE staffid LIKE $user";

You need to make sure that you surround your string with quotes. This is only if the $user is a string; if it is an int/number, then forget the quotes.

$query = "SELECT * FROM user WHERE staffid LIKE '$user'";

The following should always reference your above DB resource $db.

Plus, this isn't how you should be checking for a valid user. The following would only hit the die() statement if there was an error with the SQL statement. Not if it didn't return any results.

mysql_query($query, $db) or die('Not a valid user: '.mysql

> $result = mysql_query($query) or die ('Not a valid User: ' . mysql_error());
> ?>

Note: You need to make sure that magic_quotes_gpc is not enabled. That will mess with doing things this way.

Note: I am assuming that you will only match one and only one. If that is the case you need to switch the like to an = instead.

staffid = '{$user}'

Don't worry about the curly braces, they are for PHP to identify the variable. They won't show up in your actual SQL statement.

All that being said, try this instead.

<?php

// Get User type
$db = mysql_connect("localhost", ".", ".")
    or die("Can't connect to database: ".mysql_error());
mysql_select_db() or die("Can't select database: ".mysql_error());

//Get User
$user = mysql_real_escape_string(@$_SERVER['PHP_AUTH_USER'], $db);

$query = "SELECT * FROM user WHERE staffid = '{$user}'";

$result = mysql_query($query, $db) or die('Error with query: '.mysql_error());

if ( mysql_num_rows($result) == 0 ) {
    // No results found, assume user does not exist
} else {
    // User exists, do something about it.
}
?>
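
Added example, not part of the thread or any poster's code: the same staffid lookup written with a PDO prepared statement, run against a constructed in-memory SQLite table so it works offline. The findRole() and countLikeMatches() helpers, the role column and the sample rows are assumptions made for illustration.

```php
<?php
// Constructed schema and rows; in-memory SQLite so the example runs offline.
// The application connects with its own DB account; the HTTP auth name is only data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user (staffid TEXT PRIMARY KEY, role TEXT)");
$pdo->exec("INSERT INTO user VALUES ('rcox', 'staff'), ('admin', 'admin')");

/**
 * Look up the role for an HTTP-authenticated user (hypothetical helper).
 * Returns the role string, or null when there is no exact match.
 */
function findRole(PDO $pdo, ?string $authUser): ?string
{
    // PHP_AUTH_USER is absent when the server did not pass the auth data to PHP.
    if ($authUser === null || $authUser === '') {
        return null;
    }
    // Bound parameter: the value never becomes part of the SQL text.
    // "=" rather than LIKE: string-escaping functions leave % and _ untouched,
    // so with LIKE a user name of "%" would match every row.
    $stmt = $pdo->prepare('SELECT role FROM user WHERE staffid = :id');
    $stmt->execute([':id' => $authUser]);
    $role = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched; a query error throws.
    return $role === false ? null : $role;
}

// The same lookup written with LIKE, kept only to show the wildcard problem.
function countLikeMatches(PDO $pdo, string $authUser): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM user WHERE staffid LIKE :id');
    $stmt->execute([':id' => $authUser]);
    return (int) $stmt->fetchColumn();
}

// In a real request the value would be $_SERVER['PHP_AUTH_USER'] ?? null.
foreach (['rcox', "o'brien", '%', null] as $name) {
    printf("%-12s role=%s\n", var_export($name, true),
        var_export(findRole($pdo, $name), true));
}
printf("LIKE with '%%' matches %d rows\n", countLikeMatches($pdo, '%'));
```

A missing row and a failed query are separate outcomes here: the first returns null, the second raises a PDOException, which is the distinction the last reply draws between die() and mysql_num_rows().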