Hello all,
I have another question. I really could use some feedback on this script;
I want to make sure it's secure enough. Can anyone see any risks? Basically,
what the script does is get the username/password and user access level
(passwords are encrypted MD5 hashes) from the database. I then include() this
code into a page that I want to secure.
Thanks for any suggestions.
<?php
$checkservername = "";
$dbcheckusername = "";
$dbcheckpassword = "";
$dbcheckbase = "";
$encryptedpw = true;
$realm = "Restricted Area!";
$auth = false; // assume user is not auth
if ( isset( $PHP_AUTH_USER ) && isset ( $PHP_AUTH_PW )) {
    mysql_connect( $checkservername, $dbcheckusername, $dbcheckpassword )
        or die ( 'Unable to connect to server.' );
    mysql_select_db( $dbcheckbase )
        or die ( 'Unable to select database.' );
    if ( $encryptedpw )
        $chkpw = md5 ( $PHP_AUTH_PW );
    else
        $chkpw = $PHP_AUTH_PW;
    $sql = "SELECT * FROM user WHERE username = '$PHP_AUTH_USER' AND
password = '$chkpw' AND (usergroupid = '6')";
    $result = mysql_query( $sql )
        or die ( 'Unable to execute query.' );
    $num = mysql_numrows( $result );
    if ( $num != 0 )
    {
        $auth = true; // access granted
    }
}
// access not granted
if ( !$auth ) {
    header( "WWW-Authenticate: Basic realm=\"$realm\"" );
    header( "HTTP/1.0 401 Unauthorized" );
    echo '<b>Authorization Required - Access Denied!</b>';
    exit;
}
?>
cheers,
- Sebastian
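
An added example, not part of Sebastian's post: the same credential check written with bound query parameters and `password_hash()`/`password_verify()` in place of a string-built query and MD5. The table and column names follow the post; the function name `basic_auth_ok`, the `DUMMY_HASH` constant, the in-memory SQLite database and the sample user are assumptions made so the block runs stand-alone (PHP 7.1+ with pdo_sqlite).

```php
<?php
// Added example: hardened form of the check in the post above.
// Assumes the password column stores password_hash() output, not MD5.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function basic_auth_ok(PDO $pdo, ?string $user, ?string $pass, int $groupId): bool
{
    if ($user === null || $pass === null) {
        return false; // browser sent no credentials
    }
    // Bound parameters: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT password FROM user WHERE username = :u AND usergroupid = :g'
    );
    $stmt->execute([':u' => $user, ':g' => $groupId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: still run one verification so both paths cost about the same.
        password_verify($pass, DUMMY_HASH);
        return false;
    }
    return password_verify($pass, $hash);
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT, password TEXT, usergroupid INTEGER)');
$ins = $pdo->prepare('INSERT INTO user VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT), 6]);

// On a real page the two values come from $_SERVER['PHP_AUTH_USER'] and
// $_SERVER['PHP_AUTH_PW'], not from register_globals variables.
$cases = [
    ['admin', 'correct horse'], // matching user and password
    ['admin', 'wrong'],         // wrong password
    ["o'brien", 'x'],           // quote in the username is treated as plain data
    [null, null],               // no Authorization header
];
foreach ($cases as [$u, $p]) {
    var_dump(basic_auth_ok($pdo, $u, $p, 6));
}
```

When the function returns false, the page sends the same 401 and `WWW-Authenticate` headers as in the post. Basic authentication transmits the password on every request, so the protected page should be served over HTTPS only.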