I pass the username and password required by the default (HTTP Basic) authentication directly to the database login system.
Is this safe/smart?
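/**
 * Open the MySQL connection for this request, logging in to MySQL with the
 * HTTP Basic credentials sent by the browser.
 *
 * The tenant ("database") is taken, in order, from the URL path
 * /klanten/<database>/..., from the $database argument, or from the value
 * remembered in the session. The MySQL account is "<database>_<user>" and the
 * schema selected is "crm_<database>".
 *
 * Security notes for reviewers:
 *  - Every web user is a MySQL account, so a guessed web password is also a
 *    database login. Nothing in this function limits failed attempts.
 *  - Basic credentials are resent with every request; this function cannot
 *    tell whether the transport is TLS. Confirm the site is HTTPS-only.
 *  - ext/mysql (mysql_connect etc.) was removed in PHP 7. It is kept here
 *    because the rest of the application presumably relies on the implicit
 *    global link; migrating to mysqli/PDO has to be done file-wide.
 *
 * @param string $database Optional tenant name supplied by the caller.
 * @return string|null The account code (second "_"-separated part of the
 *                     composed user name), or null when there is none.
 */
function database_connect($database = "")
{
    // Guarded so a second call in the same request does not raise a notice.
    if (session_id() === '') {
        session_start();
    }

    // Allowlist for tenant names taken from the URL. "_" is deliberately
    // excluded: it is the separator used below, so a tenant containing it
    // would change which part of the string is treated as the account code.
    // Adjust the pattern to the real tenant naming scheme.
    $valid_name = '/^[A-Za-z0-9-]+$/';

    // Missing Basic credentials become empty strings, so mysql_connect()
    // always receives explicit values and the 401 challenge below is reached
    // without undefined-index notices.
    $username = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    // REQUEST_URI includes the query string; drop it so "?x=1" never ends up
    // inside the tenant name.
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    $uri_parts = explode('?', $uri, 2);
    $request = explode("/", $uri_parts[0]);

    if (isset($request[1]) && $request[1] === "klanten") {
        $segment = isset($request[2]) ? $request[2] : "";
        if ($segment !== "" && !preg_match($valid_name, $segment)) {
            // Untrusted path segment: refuse it before it reaches the session
            // or the MySQL account/schema name. crm_die() is defined
            // elsewhere; presumably it ends the request (confirm).
            crm_die(9, "Kan geen connectie maken met de database: ongeldige databasenaam.");
        } else {
            $database = $segment;
            $_SESSION['database'] = $database;
        }
    }

    if (!empty($database)) {
        $username = $database."_".$username;
    } elseif (!empty($_SESSION['database'])) {
        $username = $_SESSION['database']."_".$username;
    }

    // Split "<database>_<code>" back apart. Without a tenant from the URL,
    // the argument or the session, the user is expected to type that form.
    $db_user = explode("_", $username);
    $database = $db_user[0];
    $code = isset($db_user[1]) ? $db_user[1] : null;

    if ($code === "root") {
        // NOTE(review): this lets the MySQL root account be used through the
        // web front end with the unprefixed HTTP password. Consider removing
        // this branch and using a dedicated, least-privilege admin account.
        $username = $code;
    } else {
        // Fixed prefix kept in source: the MySQL password differs from what
        // the user types. It is a shared secret in the code base, so treat
        // the source as sensitive and rotate it if the file is ever exposed.
        $password = "H57A24I5N_$password";
    }

    if (!@mysql_connect("localhost", $username, $password) or !@mysql_select_db("crm_$database")) {
        if (substr(mysql_error(), 0, 22) === "Access denied for user") {
            header("WWW-Authenticate: Basic realm=\"Online-crm en bouwberichten\"");
            header("HTTP/1.0 401 Unauthorized");
            crm_die(8, "Verkeerde gebruikersnaam -wachtwoord combinatie.", mysql_error());
        } else {
            // NOTE(review): if crm_die() shows its message to the client, the
            // raw mysql_error() text discloses server details. Prefer logging
            // it server-side and showing a generic message.
            crm_die(9, "Kan geen connectie maken met de database: ".mysql_error());
        }
    }

    return $code;
}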