Hello all. A quick search of these boards shows that this topic has been covered exhaustively - and yet I just can't get my head around it. Let me explain what exactly I'm trying to do, and hopefully someone here can kick me in the head so as to rattle my brain to understanding.
I've got a site that includes protected content - in this case, subscription-based Flash movies and .pdfs. I want to be able to use Apache's .htaccess file to protect the entire directory so that a malicious user can't simply bypass the login screen and go directly to the file. The names and passwords are kept in a MySQL database.
I have (outside the protected directory) an HTML login form that asks for username and password. I have the action of the form set to passThru.php, which includes the following code:
<?php
include_once("path/to/conn.php");
mysql_select_db($database_connection);
$auth = false;
// Escape the user name before embedding it in the query (the password is hashed first).
$user = mysql_real_escape_string($_REQUEST['user'], $connLogin);
$qry = "SELECT clientID FROM tblclients WHERE name='" . $user . "' AND pass='" . md5($_REQUEST['pass']) . "';";
$rs = mysql_query($qry, $connLogin) or die(mysql_error());
$num = mysql_num_rows($rs);
if ($num == 1) {
    $auth = true;
    // These assignments only change this script's own copy of $_SERVER.
    $_SERVER['PHP_AUTH_USER'] = 'user';
    $_SERVER['PHP_AUTH_PASS'] = 'password';
    header("Location: testing/index.htm");
} else {
    header("WWW-Authenticate: Basic realm=\"My Login\"");
    header("HTTP/1.0 401 Unauthorized");
    echo("I don't think so...");
    exit;
}
?>
Now, the 'user' and 'password' values that I pass to the $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PASS'] variables are the single user name and password in the .htaccess file - I don't want to have to go into the file to add a valid user/pass every time someone signs up to view the Flash files.
However, when the header is sent, I am taken to the correct page and the HTTP authentication pop-up appears. This is what I'm trying to get around.
I'm obviously missing something - probably something very simple - but it's just not working and not making sense. Someone, please give me a swift kick in the head. Please?
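
Added example, not part of the original post: Basic credentials travel in the browser's Authorization request header, so values assigned to $_SERVER['PHP_AUTH_USER'] inside passThru.php never reach Apache on the redirected request, and the popup still appears. One way to gate the files on the database login instead is a session-checked download script. The names serve.php, /login.html, the session key client_id, the f parameter and the directory /var/www/protected are assumptions, and that directory is assumed to be closed to direct web requests.

```php
<?php
// serve.php - added example: stream a protected file only to a logged-in session.
// Assumes the login script called session_start() and set $_SESSION['client_id']
// after the database check succeeded (hypothetical key name).
session_start();

// Hypothetical location of the protected files. Direct web access is assumed
// to be blocked (directory outside the web root, or denied in its .htaccess).
$baseDir = '/var/www/protected';

// Only the file types the site offers, mapped to their content types.
$types = array(
    'pdf' => 'application/pdf',
    'swf' => 'application/x-shockwave-flash',
);

if (empty($_SESSION['client_id'])) {
    // Not logged in: back to the HTML form (hypothetical URL), no Basic-auth popup.
    header('Location: /login.html');
    exit;
}

// basename() drops any directory part, so "../" cannot escape $baseDir.
$name = basename(isset($_GET['f']) ? (string) $_GET['f'] : '');
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$path = realpath($baseDir . '/' . $name);

// realpath() resolves symlinks; require the result to still sit inside $baseDir.
$inside = $path !== false
    && strpos($path, realpath($baseDir) . DIRECTORY_SEPARATOR) === 0;

if ($name === '' || !isset($types[$ext]) || !$inside || !is_file($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('Not found');
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Pages inside the site would then link to serve.php?f=movie.swf rather than to the file itself, so every request passes the session check.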