Re: [PHP] Trouble with PHP server script

2008-02-14 Thread Richard Lynch


On Sun, February 10, 2008 9:09 pm, Robert Cox wrote:
> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL
> forwarded site?  I am trying to find the authorised user id so that I can
> access an SQL database with it.  Anyone got some ideas?

If you do a Location: with a FULL URL then the browser will forward
POST and I think AUTH data.

If you use a partial URL, it seems to work, but IE will decide not to
forward that data.

It is in the spec that you need the full URL, starting with http://
for a Location header.

This may (or may not) be what is messing you up.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Trouble with PHP server script

2008-02-14 Thread Stut

Richard Lynch wrote:
> On Sun, February 10, 2008 9:09 pm, Robert Cox wrote:
>> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL
>> forwarded site?  I am trying to find the authorised user id so that I can
>> access an SQL database with it.  Anyone got some ideas?
>
> If you do a Location: with a FULL URL then the browser will forward
> POST and I think AUTH data.


Auth info is not passed on as such. HTTP authentication details are 
applied to all URLs where the browser already knows them (i.e. on the 
same domain where they have already authenticated). The redirect does 
not have anything to do with this.


And I don't know where you're getting the idea that POST data is 
persisted when redirecting with the location header. This is certainly 
not the case in all browsers I've ever worked with. If it was then a 
fair number of scripts I've written over the years would not work correctly.


One security note for the OP: it's generally a bad idea for the user 
credentials for your website to be the same as those used to access the 
database. I can think of few ideas where it would make the slightest bit 
of logical sense and most of those involve web-based DB admin such as 
phpMyAdmin. You might want to rethink your design from a security point 
of view.


-Stut

--
http://stut.net/




Re: [PHP] Trouble with PHP server script

2008-02-11 Thread Daniel Brown
On Feb 10, 2008 10:09 PM, Robert Cox [EMAIL PROTECTED] wrote:
> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL
> forwarded site?  I am trying to find the authorised user id so that I can
> access an SQL database with it.  Anyone got some ideas?

Once again I'll defer to Dan Shirah, who was working with PHP and
the AUTH_USER stuff.  He may be able to help you out through his
experience with it.

-- 
/Dan

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>




[PHP] Trouble with PHP server script

2008-02-10 Thread Robert Cox
Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL
forwarded site?  I am trying to find the authorised user id so that I can
access an SQL database with it.  Anyone got some ideas?
 
PHP looks like this
 
<?php
//Get User
  $user = $_SERVER['PHP_AUTH_USER'];

// Get User type
  $db = mysql_connect("localhost", ".", ".") or die("Can't connect to database: ".mysql_error());
  mysql_select_db() or die("Can't select database: ".mysql_error());

  $query = "SELECT * FROM user WHERE staffid LIKE $user";
  $result = mysql_query($query) or die ('Not a valid User: ' . mysql_error());

?>
 
 


Re: [PHP] Trouble with PHP server script

2008-02-10 Thread Nirmalya Lahiri
--- Robert Cox [EMAIL PROTECTED] wrote:

> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL
> forwarded site?  I am trying to find the authorised user id so that I can
> access an SQL database with it.  Anyone got some ideas?
>
> PHP looks like this
>
> <?php
> //Get User
>   $user = $_SERVER['PHP_AUTH_USER'];
>
> // Get User type
>   $db = mysql_connect("localhost", ".", ".") or die("Can't connect to database: ".mysql_error());
>   mysql_select_db() or die("Can't select database: ".mysql_error());
>
>   $query = "SELECT * FROM user WHERE staffid LIKE $user";
>   $result = mysql_query($query) or die ('Not a valid User: ' . mysql_error());
>
> ?>
  

Robert,
 I think this link will help you to solve the problem.
http://bugs.php.net/bug.php?id=29132

---
Nirmalya Lahiri
[+91-9433113536]


  




Re: [PHP] Trouble with PHP server script

2008-02-10 Thread Jim Lucas

Robert Cox wrote:
> Is it possible to use the $_SERVER['PHP_AUTH_USER']; construct in a URL
> forwarded site?  I am trying to find the authorised user id so that I can
> access an SQL database with it.  Anyone got some ideas?
>
> PHP looks like this
>
> <?php
> //Get User
>   $user = $_SERVER['PHP_AUTH_USER'];
>
> // Get User type
>   $db = mysql_connect("localhost", ".", ".") or die("Can't connect to database: ".mysql_error());
>   mysql_select_db() or die("Can't select database: ".mysql_error());
  


You should always run mysql_real_escape_string() on any variables that 
you use in an SQL statement.



>   $query = "SELECT * FROM user WHERE staffid LIKE $user";

You need to make sure that you surround your string with quotes.  This
is only if the $user is a string, if it is an int/number, then forget the
quotes.

$query = "SELECT * FROM user WHERE staffid LIKE '$user'";

The following should always reference your above DB resource $db

Plus, this isn't how you should be checking for a valid user.
The following would only hit the die() statement if there was an error 
with the SQL statement.  Not if it didn't return any results.


mysql_query($query, $db) or die('Not a valid user: '.mysql


>   $result = mysql_query($query) or die ('Not a valid User: ' . mysql_error());
>
> ?>



Note: You need to make sure that magic_quotes_gpc is not enabled.  That 
will mess with doing things this way.


Note: I am assuming that you will only match one and only one.  If that 
is the case you need to switch the like to an = instead.


staffid = '{$user}'

Don't worry about the curly braces, they are for PHP to identify the
variable.  They won't show up in your actual SQL statement.



All that being said, try this instead.

<?php

// Get User type
$db = mysql_connect("localhost", ".", ".") or
    die("Can't connect to database: ".mysql_error());
mysql_select_db() or
    die("Can't select database: ".mysql_error());

//Get User
$user = mysql_real_escape_string(@$_SERVER['PHP_AUTH_USER'], $db);

$query = "SELECT * FROM user WHERE staffid = '{$user}'";

$result = mysql_query($query, $db) or
    die('Error with query: '.mysql_error());

if ( mysql_num_rows($result) == 0 ) {
    // No results found, assume user does not exist
} else {
    // User exists, do something about it.
}

?>
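
A present-day version of the lookup discussed in this thread, as an added example that is not code from any of the posters: the mysql_* functions were removed in PHP 7, so this uses PDO with a bound parameter, an exact match instead of LIKE, and separates "query failed" from "no such user". The findStaff() helper, the in-memory SQLite database (assumes the pdo_sqlite extension) and the sample rows and inputs are constructed for illustration.

```php
<?php
// Added example: helper name, schema and rows are constructed, not from the thread.
function findStaff(PDO $pdo, ?string $authUser): ?array
{
    if ($authUser === null || $authUser === '') {
        return null;                      // no HTTP auth user was supplied
    }
    // The placeholder keeps the value out of the SQL text, so quotes in it
    // cannot change the statement. "=" is an exact match, so "%" and "_"
    // in the value are compared literally instead of acting as wildcards.
    $stmt = $pdo->prepare('SELECT staffid, role FROM user WHERE staffid = :id');
    $stmt->execute([':id' => $authUser]); // SQL errors raise PDOException
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;  // false here means "no such user"
}

// The application connects with its own fixed account (here an in-memory
// SQLite database). The visitor's HTTP credentials identify the visitor;
// they are not used as database credentials.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (staffid TEXT PRIMARY KEY, role TEXT)');
$pdo->exec("INSERT INTO user VALUES ('rcox', 'staff'), ('admin1', 'admin')");

// Constructed inputs standing in for $_SERVER['PHP_AUTH_USER'] ?? null:
// a known id, an unknown id, a LIKE wildcard, a value with a quote, no auth.
$samples = ['rcox', 'nobody', '%', "o'brien", null];
foreach ($samples as $name) {
    $row = findStaff($pdo, $name);
    printf("%-12s => %s\n", var_export($name, true),
        $row ? "found, role={$row['role']}" : 'not a valid user');
}
```

Only 'rcox' is reported as found; with the LIKE form from the original post, a value of % would have matched every row in the table.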
