More about authentication: http://www.php.net/manual/en/features.http-auth.php
PHP - User Authentication
I have tried installing PHP on my PC and when I try running a simple PHP script from FrontPage nothing happens. Here is the script I am entering.
<html>
<body>
<?php
print "Hello, world.";
?>
</body>
</html>
I installed PHP 4.2.2 for windows and have set it up to run through PWS and modified some dll's etc. Is this correct? Do I need to install Apache? Do I need to save the page as .php or can that script be entered directly into a Frontpage page as above?
Yes, of course! When you want to run a PHP script, you must save it as .php
Well, if you are a beginner and getting confused in configuring PHP and Apache, I would suggest you check out Easy PHP.
This is indeed really good, it has PHP, Apache and MySQL.
HTH
If you're using FP, just make sure you click the HTML tag and enter the PHP code, then save the file as a .php file, otherwise, MS will default to .html
Then next time you need to open the file you'll have to do Open With --> MS FP or it'll default to open in notepad.
hmz the idea of a http-auth is okay but the .htaccess thing is really crap. Some badly configured webservers have leaks in this type of security and it will be quite easy for everyone with shell access on the server to read the .htpasswd file. Encryption is a quite easy second step then..
Why not use a combination of sessions/mysql/md5 hashes? Just start a session on successful login and store all the md5 hashes or the passwords in a mysql db. Write a little script that can be included in all the "secured" scripts and it will pass the security check if the user is logged in and it will die if there is trouble logging in..
mypage.php:
<?php include('security.php');
echo "blah";
?>
for the creative ppl this way will keep all the options open to use userlevels ed..
Jordy Querner
I've got to agree with jordy on this one. Unless a customer specifically requests to use the .htaccess / .htpasswd files, I almost always let php/mysql/md5 hashes do the work for me. It's quite easy to write a script to include in your secure pages to validate the user.
Here's the way I usually do it. . . Note that there are several ways to do it, this is just mine.
<?php
// This is the script that performs the initial authentication
// Read the credentials from the login form (fields "user" and "pass")
$user = isset($_POST['user']) ? $_POST['user'] : '';
$password = isset($_POST['pass']) ? $_POST['pass'] : '';
// One connection, shared by auth() and the lookup below
$link = mysqli_connect("localhost","dbusername","secret") or die("Fatal Error: Unable to connect to mySQL!");
mysqli_select_db($link, "eba") or die("Fatal Error: Unable to open eba database!");
$userstats = auth($link, $user, $password);
// If userstats=1 then the username - password combination was found... Look up any additional credentials and create a session
if ($userstats == 1)
{
    // Escape the value before it goes into the query text
    $safeuser = mysqli_real_escape_string($link, $user);
    $query = "SELECT UserFirst,UserLast,UserAccessBits from users WHERE UserHandle='$safeuser'";
    // Do not echo the query text back to the browser on failure
    $result = mysqli_query($link, $query) or die("Fatal Error: mySQL Query Failed");
    $data = mysqli_fetch_array($result);
    $firstname = $data['UserFirst'];
    $lastname = $data['UserLast'];
    $accesslevel = $data['UserAccessBits'];
    // Make sure this is not a banned user
    if ($accesslevel != -1)
    {
        session_start();
        // $_SESSION replaces session_register(), which depended on register_globals
        $_SESSION['SESSION_UNAME'] = $user;
        $_SESSION['SESSION_FULLNAME'] = "$firstname $lastname";
        $_SESSION['SESSION_USERACCESS'] = "$accesslevel";
    }
    header("Location: http://www.*******.com");
    exit;
}
else
{
    // If code gets here, username/password combo not found in db
    header("Location: http://www.*******.com");
    exit;
}
// Authentication Function
function auth($link, $auser, $apass)
{
    include ("global.php");
    // Escape both values before they go into the query text
    $auser = mysqli_real_escape_string($link, $auser);
    $apass = mysqli_real_escape_string($link, $apass);
    $query = "SELECT UserHandle,UserPassword from users WHERE UserHandle='$auser' AND UserPassword='$apass'";
    $result = mysqli_query($link, $query) or die("Fatal Error: mySQL Query Failed");
    if (mysqli_num_rows($result) == 1)
    {
        // found user/pass
        return 1;
    }
    else
    {
        // did not find user/pass
        return 0;
    }
}
?>
The above code is called via the following. . . And yes, it's straight HTML...
<HTML>
<HEAD>
<TITLE>Please Login</TITLE>
</HEAD>
<BODY>
<CENTER>
<TABLE BORDER="0" CELLSPACING="5" CELLPADDING="5">
<FORM ACTION="login.php" METHOD="POST">
<TR>
<TD>Username</TD>
<TD><INPUT TYPE="TEXT" SIZE="16" NAME="user"></TD>
</TR>
<TR>
<TD>Password</TD>
<TD><INPUT TYPE="PASSWORD" SIZE="16" NAME="pass"></TD>
</TR>
<TR>
<TD COLSPAN="2" ALIGN="CENTER"><INPUT TYPE="SUBMIT" NAME="SUBMIT" VALUE="Log In"></TD>
</TR>
</FORM>
</TABLE>
</CENTER>
</BODY>
</HTML>
As you can see, very basic. This particular one doesn't even use md5 (hrmm... I guess I better update it... lol)
At any rate, something similar to this would probably do what you want with minimal changes. Once the user logs in, you just include a script in any "secured page" that checks the session to see if a valid user is present.
Hope this helps some..
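Added example, not part of the original post: the same login check with bound parameters instead of values placed in the SQL string, and with `password_hash()`/`password_verify()` swapped in for the plaintext comparison (and for the md5 hashes the thread mentions). The column names come from the post; the function names, the in-memory SQLite database opened through PDO and the two sample users are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the poster's code. Column names follow the post; the
// in-memory SQLite database and both sample users are constructed test data.

function authenticate(PDO $db, string $user, string $pass): ?array
{
    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT UserHandle, UserPassword, UserFirst, UserLast, UserAccessBits
           FROM users WHERE UserHandle = ?'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a salted hash created with password_hash().
    if ($row === false || !password_verify($pass, $row['UserPassword'])) {
        return null;
    }
    if ((int) $row['UserAccessBits'] === -1) {   // -1 = banned, as in the post
        return null;
    }
    unset($row['UserPassword']);                 // do not carry the hash around
    return $row;
}

function start_user_session(array $account): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    session_regenerate_id(true);   // new session id after login (fixation)
    $_SESSION['uname']  = $account['UserHandle'];
    $_SESSION['access'] = (int) $account['UserAccessBits'];
}

// What a security.php-style include would run at the top of each page.
function require_login(array $session): void
{
    if (empty($session['uname'])) { http_response_code(403); exit('Not logged in'); }
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (UserHandle TEXT PRIMARY KEY, UserPassword TEXT,
           UserFirst TEXT, UserLast TEXT, UserAccessBits INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?)');
$ins->execute(['demo', password_hash('correct horse', PASSWORD_DEFAULT), 'Demo', 'User', 1]);
$ins->execute(['banned', password_hash('letmein', PASSWORD_DEFAULT), 'Ban', 'Ned', -1]);

var_dump(authenticate($db, 'demo', 'correct horse') !== null); // valid login
var_dump(authenticate($db, 'demo', 'wrong'));                  // wrong password
var_dump(authenticate($db, "o'neil", 'x'));                    // quote stays data
var_dump(authenticate($db, 'banned', 'letmein'));              // banned account
```

In login.php, pass the array returned by `authenticate()` to `start_user_session()`; each protected page then calls `session_start()` followed by `require_login($_SESSION)`.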
for the complete code i use just mail me.. it's quite too long to post in this forum.. but btw.. i c ppl talking about FP here.. hmz one last advice...... DONT USE IT! there are far better website GUIs on the market!
Originally posted by jordy
for the complete code i use just mail me.. it's quite too long to post in this forum.. but btw.. i c ppl talking about FP here.. hmz one last advice...... DONT USE IT! there are far better website GUIs on the market!
Jordy, perhaps in your opinion there are better WYSIWYG editors out there, but to make the blanket statement you did without any form of corroborative evidence doesn't wash with me.
I have the choice of using Frontpage OR Dreamweaver for WYSIWYG work and yet I choose FP over DW any day. Once you get over the anti M$ issues and the snobbery that exists within web design against FP you will find that there isn't much that FP can't do that others can. Certainly there is a small issue with PHP in that you should not try to edit PHP within the FP editor (unless you have ASP Style tags) but then again why would you want to create php in a wysiwyg editor anyway. I use HomeSite for that.
To be honest I hear so much bull spouted about what FP does to people's code that I begin to wonder if you lot are just playing a game of Chinese whispers. I hear comments about FP creating bloated code. Simply not true. I hear comments of FP changing people's html. Well it's never done it to me. I hear comments of FP writing incompatible code. Again, it's the choices the operator makes that determine what FP will write.
So orebic, use whichever editor you feel most comfortable with. Don't try to use FP to edit any PHP (set up Notepad as the default, or use a different text editor, OR change to ASP style tags <% %>, although this could limit you in server deployment).
Hey...I just have to ask why did you choose Orebic as your handle here? Did you have in mind Orebic, Croatia or something else?
Thanks for your reply everyone. Security not a major concern. Phantazm if I use the code above then all I need to do is setup a mySQL database with my membership no's and there is no need for md5. Can I remove any association with username in your code if I am only using a membership no to authenticate (no username)? Can mySQL be created from an Access database?
Jordy I will e-mail you shortly.
Yes ahajdar you are correct in your assumption about Orebic. Absolutely beautiful. How is it you know??
Originally posted by orebic
Thanks for your reply everyone. Security not a major concern. Phantazm if I use the code above then all I need to do is setup a mySQL database with my membership no's and there is no need for md5. Can I remove any association with username in your code if I am only using a membership no to authenticate (no username)? Can mySQL be created from an Access database?
Jordy I will e-mail you shortly.
Yes ahajdar you are correct in your assumption about Orebic. Absolutely beautiful. How is it you know??
Well, I actually bought a piece of land there and plan on building a house this fall/winter. (To explain...I have American/Bosnian citizenship.) And I agree, Orebic is fantastic...and let me know if you're ever again in the area (perhaps we can do some business or just flirt with all the pretty girls on the beach (oops, I hope you're old enough!)). Take care...