HTTP_AUTH and SQL WHERE Clause

on 27.09.2003 22:57:27 by CSeader

Hey Folks,
I am having trouble with some variables, the $HTTP_AUTH_USER and $HTTP_AUTH_PW. Now I'm using PHP 4.3.3, and so I know that you have to use $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'] instead of the old way now. Well, I am having trouble with this script I have created to authenticate user name and password and verify against a PostgreSQL database, below.

$auth = false; // Assume user is not authenticated

if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {

    // Connect to PostgreSQL

    pg_pconnect("host=172.18.204.64 port=5432 dbname=acquisuite_db user=pgadmin password=pgadmin")
        or die ( 'Unable to connect to server.' );

    // Select database on MySQL server

    // mysql_select_db( 'your_db' )
    // or die ( 'Unable to select database.' );

    // Formulate the query

    $sql = ("SELECT * FROM tbl_authenticate WHERE username = '$PHP_AUTH_USER' AND password = '$PHP_AUTH_PW'");

    // Execute the query and put results in $result

    $result = pg_exec( $sql )
        or die ( 'Unable to execute query.' );

    // Get number of rows in $result.

    $num = pg_num_rows( $result );

    if ( $num != 0 ) {

        // A matching row was found - the user is authenticated.

        $auth = true;

    }

}

The problem is on the $sql line when I put in the string to do the query with the WHERE clause having the $HTTP_AUTH_USER and $HTTP_AUTH_PW. When I change it to '$_SERVER['HTTP_AUTH_USER']' and '$_SERVER['HTTP_AUTH_PW']' it does not work and I get a parse error.
How can I get around this?
Does anyone have any ideas for me?
Thanks

Cameron Seader
CSeader@Idahopower.com




Re: HTTP_AUTH and SQL WHERE Clause

on 28.09.2003 13:26:34 by brew

Cameron......

> I am having trouble with some variables, the $HTTP_AUTH_USER and
> $HTTP_AUTH_PW. Now I'm using PHP 4.3.3, and so I know that you have to
> use $_SERVER['HTTP_AUTH_USER'] and $_SERVER['HTTP_AUTH_PW'] instead of
> the old way now. Well, I am having trouble with this script I have
> created to authenticate user name and password and verify against a
> PostgreSQL database, below.

Maybe someone else knows why, but I've had similar problems. What I do
now as a matter of course is to copy the PHP environment variables I want
to use over into regular variables in the beginning of the script.

Also, for debugging you could print them out early on, before using them,
and see what values they hold.

later....

brew




Re: HTTP_AUTH and SQL WHERE Clause

on 28.09.2003 15:53:35 by Rod Kreisler

> $sql = ("SELECT * FROM tbl_authenticate WHERE username =
> '$PHP_AUTH_USER' AND password = '$PHP_AUTH_PW'");
>

There's no need for the parens around the quoted value.

> The problem is on the $sql line when I put in the string to do
> the query with the WHERE clause having the $HTTP_AUTH_USER and
> $HTTP_AUTH_PW. When I change it to '$_SERVER['HTTP_AUTH_USER']'
> and '$_SERVER['HTTP_AUTH_PW']' it does not work and I get a parse error.

So the new assignment looks like this:

$sql= "SELECT * FROM tbl_authenticate WHERE username =
'$_SERVER['HTTP_AUTH_USER']' AND password = '$_SERVER['HTTP_AUTH_PW']'";

The problem is that PHP doesn't know what you are trying to do here.
"'$_SERVER['HTTP_AUTH_PW']'" could mean "'(the value of
$_SERVER)['HTTP_AUTH_PW']'" or what you intend. To get around that you need
to enclose array elements (as well as other complex type structures like
$myObject->property) with braces (or place them outside the quoted value).

The former:

$sql= "SELECT * FROM tbl_authenticate WHERE username =
'{$_SERVER['HTTP_AUTH_USER']}' AND password = '{$_SERVER['HTTP_AUTH_PW']}'";

and the latter:

$sql= "SELECT * FROM tbl_authenticate WHERE username =
'".$_SERVER['HTTP_AUTH_USER']."' AND password =
'".$_SERVER['HTTP_AUTH_PW']."'";

I prefer the latter since it's a bit easier to read IMO.

HTH
Rod




Re: HTTP_AUTH and SQL WHERE Clause

on 28.09.2003 16:26:26 by Rod Taylor


> The former:
>
> $sql= "SELECT * FROM tbl_authenticate WHERE username =
> '{$_SERVER['HTTP_AUTH_USER']}' AND password = '{$_SERVER['HTTP_AUTH_PW']}'";
>
> and the latter:
>
> $sql= "SELECT * FROM tbl_authenticate WHERE username =
> '".$_SERVER['HTTP_AUTH_USER']."' AND password =
> '".$_SERVER['HTTP_AUTH_PW']."'";
>
> I prefer the latter since it's a bit easier to read IMO.

Another alternative:

$sql = <<<END
SELECT *
FROM tbl_authenticate
WHERE username = '%s'
AND password = '%s';
END;

$psql = sprintf($sql, pg_escape_string($_SERVER['HTTP_AUTH_USER']),
pg_escape_string($_SERVER['HTTP_AUTH_PW']));


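
The same login check with the user name sent as a query parameter instead of being quoted or escaped into the SQL string, as an added example that is not part of the thread. It reads PHP_AUTH_USER and PHP_AUTH_PW, the $_SERVER keys PHP sets for HTTP Basic authentication. Assumptions: PHP 7.1 or later, a connection string in a hypothetical AUTH_DB_DSN environment variable, and a hypothetical password_hash column in tbl_authenticate holding password_hash() output.

```php
<?php
// Added example, not code from the thread.
// Assumptions: AUTH_DB_DSN holds the libpq connection string, and
// tbl_authenticate has a password_hash column written by password_hash().

function authenticate($conn, string $user, string $pass): bool
{
    // Single-quoted PHP string: $1 is a PostgreSQL placeholder, not a PHP
    // variable. The user name is sent separately from the SQL text, so
    // quotes inside it cannot change the statement.
    $res = pg_query_params(
        $conn,
        'SELECT password_hash FROM tbl_authenticate WHERE username = $1',
        [$user]
    );
    if ($res === false) {
        error_log('auth query failed: ' . pg_last_error($conn));
        return false; // fail closed on database errors
    }
    $row = pg_fetch_assoc($res);
    // The password never reaches the SQL layer; it is checked against the hash.
    return $row !== false
        && password_verify($pass, (string) $row['password_hash']);
}

function deny(): void
{
    header('WWW-Authenticate: Basic realm="Restricted"');
    http_response_code(401);
    exit('Authentication required.');
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;
if ($user === null || $pass === null) {
    deny(); // no credentials sent yet: ask the browser for them
}

$dsn  = getenv('AUTH_DB_DSN');
$conn = $dsn !== false ? pg_connect($dsn) : false;
if ($conn === false || !authenticate($conn, $user, $pass)) {
    deny();
}

echo 'Authenticated as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```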