header, $PHP_AUTH_USER can't work !

Anon

hi,

i found that HTTP header,$PHP_AUTH_USER and $PHP_AUTH_PW can't work on Window Apache. do i need to modify anything in conf file??
any one there can give me some advices?

Thank you

Anon

cK,

I'm afraid I'm out of my element on the Apache side of things, running IIS under NT4 SP5, but one thing I DO know on the IIS side is that the authentication features ($PHP_AUTH_USER, etc.) do NOT work under IIS unless you are using the ISAPI module, as opposed to the CGI (.exe) version.

I would suggest if you aren't doing so already to make sure you are using the Apache PHP module and NOT the CGI version, as it is likely the same holds true for Apache. It would make sense, as there is no easy mechanism by which the CGI version could get that information from the webserver, whereas the Apache/ISAPI modules could (being part of the webserver in essence, allowing 2-way communication).

In fact, I just checked the PHP online manual ( http://www.php.net/manual ) and found that in "Chapter 17. HTTP authentication with PHP"

http://www.php.net/manual/features.http-auth.php

the first line states "The HTTP Authentication hooks in PHP are only available when it is running as an Apache module and is hence not available in the CGI version."

So I'd start by looking at that. More than that and I'm afraid I'll have to turn you over to the Apaches out there. :-)

skissiks

Frank,

Thanks for your helpful post...

Let me get this straight, since I am using php4 as a cgi on my IIS 5.0 on Win2k, I cannot authenticate to a mysql database and serve up customizeable pages to a user? and this is because php requries using the isapi install instead of the cgi?

i'm a newbie and have successfully created simple guestbooks, writetofile scripts, etc.., connecting to databases with the default 'localhost' or 'ip' and no username/no password without any hitches.

i am at the point where i want to create users with unique profiles, but it sounds like this is not possible with my current install...

any ideas are welcome...

thanks!

mej!A

fseesink

mej!A,

No no, you should be fine. The original issue involved the use of $PHP_AUTH_USER and $PHP_AUTH_PW. These are two special variables which contain the results of an HTTP authentication session. That's when you get that popup window in your browser asking you for a username and password. For details, read the official details at

http://www.php.net/manual/en/features.http-auth.php

and there's a relatively good article by Julie Melonie at

http://www.thickbook.com/extra/wm01redir.phtml

As long as you do not use HTTP authentication as the means by which you obtain the username/password for your users (most sites don't), you have nothing to worry about. For example, this site (PHPbuilder.com), slashdot.org, etc., they all have user logins with customizable pages, and none of them use HTTP authentication.

From the sound of it, you want to do something similar to these sites. As long as you obtain your usernames/passwords via something like basic HTML forms, you're fine. Does that make sense?

As a sidenote, when creating such sites, you normally do not have a separate MySQL database for each user. Rather, you setup one MySQL database to store all the relevant information about your users. For example, you might have

TABLE_TOPICS
| TopicName |

TABLE_USERPREFS
| Username | TopicName |

This is a single MySQL database with 3 simple tables in it. You then have the username/password you use to connect to the database. This you code into your PHP, as the users will/should never see it. Then you create appropriate webpage forms where users fill in their username/password, and when they submit the form, it goes to a PHP file that takes that form data, opens a connection to the MySQL database, validates the user against the TABLE_USER table, and so on.

For tutorials on all this, there are many excellent examples here on PHPbuilder.com, as well as others on sites like

http://www.php.net/manual/ (the official PHP manual)
http://www.zend.com (see tutorial section, tips section, and others)
http://www.thickbook.com (see tutorial section)
http://www.hotscripts.com/PHP

and a ton of other sites I'm sure I'm overlooking. But to put it plainly, no, you should not have a problem doing user authentication and customized pages running Windows 2000/IIS5 with the PHP CGI version.

ONLY if you use HTTP authentication (which I probably wouldn't recommend anyway) do you have a problem. As I explained, this is authentication done at the webserver level. To give a quick synopsis, when dealing with CGI versions of server-side scripting languages, the scenario is basically:

Webserver gets request for xxx.php
Webserver checks its mappings of file extensions and sees that whenever it is asked for .php files, instead of simply returning such a file, the webserver should fire up a separate executable (the PHP engine), feed the .php file to that executable, and then take any output and return that to the browser.

Now note that when HTTP authentication occurs, this authentication process is done directly between the webserver and the web browser. A popup window appears on the browser asking you to type in your username/password. When you do, this information is given to the webserver. Since the PHP CGI engine is a separate executable, it does not "tie in" as it were to the webserver, so it has no way of knowing what was typed in.

The IIS ISAPI module and the Apache module are different. They are not standalone executables. Instead, they are like plugins or puzzle pieces if you will (think extensions if you're a Mac user). These modules "hook into" the webserver, becoming part of its operation as soon as it fires up. As such, it's a little like a Borg mindset. Since the module is hooked into the webserver, it has more access to what the webserver is doing and vice versa.

As for the details of this, you'd better ask the real programmers. But this analogy at the level of server-side scripting, if this makes sense it's all you really need to know. The main difference between CGI versions and modules then is basically this:

CGI versions are like command-line utilities. They are separate programs which often can stand on their own. In fact, the PHP CGI version can be used at a DOS command prompt, and it's quite interesting to see what it outputs. As separate programs, they need to be fired up EACH time a PHP file is requested. That is, each time such a page is requested, it's as if you had to run a program, process some data, print out the answer, then shutdown the application. This means loading the PHP engine into memory, running the program, and then unloading it from memory.

Modules hook into the webserver, becoming part of the webserver in essence. This means the webserver itself is a little bit larger in footprint (uses more RAM, etc.), but since the module is already loaded in memory, any time a PHP file is requested, the file is fed to the module--which is ready to go already--and what you have is far more efficient processing.

That is why, when possible, people run the modules vs. the CGI versions. Unfortunately, the folks at PHP still list the ISAPI module as not being production-level, and they encourage serious users running IIS to stick to the CGI for production level stuff. As such, I too run just the CGI version right now, though my reasons are more due to the session problems in the ISAPI modules (and, for that matter, every version of PHP after 4.0.3pl1). If you plan to use PHP4's session features, I would stick to 4.0.3pl1 for now (though your mileage may vary).

Hope that helps.

skissiks

Frank,

Thanks a lot for your reply! That's just what I needed to begin my weekend!

I have not had a chance to read the whole thing yet, but I will when I get started on my developing from home tonight.

I've been good about studying my RDMS theory, but I'm always open to knowing about publications and websites with good MySQL info. I'm also open to bantering with seasoned pros on the matter as well... Same goes for PHP too. 🙂

Thanks again, Frank. I certainly appreciate your response!

mej!A

skissiks

Frank (or anyone else!),

i've been messing around with authenticating a user to my database, situated similarly to how you suggested to build it in your post above, but i cannot seem to get the users authenticated.

i certainly don't expect anyone to write a script for me here, but can someone give me an idea as to how the sytax will read?

the following is the generic connect script i use on my intranet server (insecure):
<?php
mysql_connect('localhost', '', '') or die ("sorry, no mysql connect possible");
mysql_select_db ('auth') or die ("sorry, no db connect possible");
?>

when connecting to write suggestion box information, guestbook info, etc, i have no problems with this simple setup. but after creating a user, creating a 'login' page for that user to return that user's customized page, no go.

thanks for any help you can offer!

mej!A
:wq