Need Advice on PHP and user auth w/ a DB

Anon

Hopefully you (or someone else in the universe) can help me..

I want to create a PHP application that can authenticate users from a webpage using a database. Here is what I have in mind and what I think needs to be done..

Lets make believe (like mr. rogers) that I have a table named 'users' and this table has these fields:

name, age, sex (cool), username, password, and accesslevel (which will be a 0 or 1).

I am thinking that i want to have a default user in the database field 'username' named 'admin' and 'admin' will have an access level of 0 (zero). All other users will have an access level of 1 (so they are defined as a user and not an admin).

They will log in and username is checked against the db to make sure that user exists and then verifies the password and then if password is correct.. a session will be created for the user to start using the website.

Is THIS the way most sites are done, or do i have the wrong idea? What is a better way? What are my options?

I need an admin to make other users 'admin' if i want them to update a dynamic news piece of the site.. (in other words the admin has the power (of greyskull - forget it..its a He-Man thing) to give other users 'admin' rights via the accesslevel in the database..

Give me some good ideas dudes and dudettes!

Thanks..
-Buzzlightyear
To Infinity and Beyond..

Anon

I HAAAAVVVVEEE THE POOOOOWWWWEEEEERRRRR!!!

Except I don't have the power to write the whole script for you. You've got the right idea, now come up with some code and come back with specific questions and we'll try to answer them.

If you're using Apache, there is a mod_auth_mysql module that will authenticate against a mysql database using .htaccess. It might be worth looking into it. Go to www.apachetoday.com and search for authentication. There are some articles on Apache Authentication. Part III is what you want to explain mod_auth_mysql.

---John Holmes...

Anon

I really dont want to use .htaccess because the site will have users coming back to the main page with specific data/options for them created for them on the main page based on session data. Correct me if im wrong but .htacces is used on a server as mean to authenticate a specific user / group of users to gain additional access to other resources on the server.

I want a database to do the authentication for me. However, the problem i seem to have in the design is the accesslevels that i hypothetically created in the database (see the earlier thread of this forum message).

But i guess the big question of the universe of software development is, should i handle things this way, or should i use a DB user/name and password and have the authentivation code check username/password from the page against specific users with grant access that are in the DB..?

I think im leaning toward just creating user admin and giving that admin an accesslevel and working the application as this. (see the earlier post). Otherwise hopefully someone can rescue me and give me the RightWay(tm) of doing it.

-Buzzlightyear
To Infinity and Beyond...

Anon

I've used something that may get you started...

http://pccs-linux.com/phplinux/simpleauthfunction.html

Anon

Give this a go (off the top of my head so dunno if it actual works as written) ...

:: copyright jonbo (2001) from mitiaro
:: need a holiday? visit the Cook Islands
:: www.deij.co.nz

--- backender file ---

<?
class jahman (

var $server	= blah;
var $password	= blah;
var $database	= blah;

var $secret	= "Kia Orana, Kia Manuia";

function login_check ($username, $password){
	// blah ... can't be bothered writing the db stuff (read the manual) ;0)
	if (!=){
		return "bugger off!";
	}else{

		$key	= md5($username.$this->secret);
		$hash	= md5($key.$this->secret);
		return ($hash, $key);
	}

}

function logged ($hash, $key){

	$check_key	= md5($key.$this->secret);
	if ($check_key == $hash){
		return 1;
	}else{
		return 2;
	}

}

}
?>

----- login page ----

----- login.php ----

<?
$check_it = $jahman->login_check($username, $password);

if (!is_array($check_it)){
	echo "failed to enter";
}else{
	$hash	= $check_it[0];
	$key	= $check_it[1];

	session_id($hash);

	session_start();

	global $hash, $key;

	session_register("hash");
	session_register("key");

	header("Location: /kiaorana/");
}

---- protected page ---

<?
session_start();

	global $hash, $key;

	session_register("hash");
	session_register("key");

$is_logged = $jahman->logged($hash, $key);

if (is_logged != 2){
	header("Location: /kare/");
}