Database Access Control IST210

Date post: 19-Jan-2016
Upload: clemence-ward
Page 1

IST210 1

Database Access Control

Page 2

Why Implementing User Authentication?

• Remove a lot of redundancy from duplicate inputs of database information
  – Your shipping address on Amazon.com

• A security-related implementation
  – Your credit card information on Amazon.com

Page 3

Is User Information Safe Here?

• Access to the PHP code
  – Account management in the web server

• Access to the database
  – Account management in the database server

[Diagram: Client (PC) → Web Server → DBMS]

Each client uses his/her own website account/password to access the website.

The website administrator manages all website accounts, and uses his/her own database account/password to access the database server.

The database server administrator manages all database accounts.

Page 4

User Access Control in Your Service

• Allow only registered users to access information.
  – User ID and password
  – Get access to the PHP code, which can then visit the database server.

• Need a user table to manage all users
• Need an authentication procedure to verify the identity.

Page 5

User Authentication Example

http://my.up.ist.psu.edu/zuz22/login/login.php

Files: login.php, signup.php, main.php, profile.php

Page 6

Run the Sample Code: Step 1

• Download login.zip from the course website
• Unzip it, then copy the login folder to your webspace

Page 7

Run the Sample Code: Step 2

• To use the PHP code, you must have the following two tables in your database
  – auth_users: userid and password
  – Userprofile: user information

• Execute createTables.sql in Microsoft SQL Management Studio to create these two tables

Page 8

Run the Sample Code: Step 3

• Add your database information in the authentication.inc file (input your own information)

• Visit http://my.up.ist.psu.edu/yourPSUID/login/login.php and create an account for yourself

Page 9

Run the Sample Code: Step 4

• Log into your SQL Server and check if your personal information has been stored in the database

The password is stored as an MD5 hash rather than in plaintext: http://en.wikipedia.org/wiki/MD5

Page 10

Run the Sample Code: Step 5

• Look into the PHP files:
  – Which parts of the code do you think you are familiar with?
  – Which parts are new to you?
  – Based on these scripts and the comments in them, can you explain the results you see in your web browser?

Page 11

What’s New Here?

• Things we have already learned:
  – HTML forms
  – Connecting the web server and the database
  – SQL queries

• New components we need to know:
  1. A separate authentication.inc file to store sensitive database access information
  2. User-defined function: authenticateUser($connection, $loginUserId, $loginPassword)
  3. PHP sessions

Page 12

Information Required to Access a Database

• Username
• Password
• Database server (database host)
• Database to access

Page 13

Question

• Almost every PHP page needs to interact with the database
• Does that mean sqlUsername and sqlPassword need to be hard-coded in every PHP page?
• More importantly, is it safe to put the password in many PHP files?

Page 14

Solution: A Separate Authentication File

• authentication.inc
  – Store the database access information in this authentication file

Page 15

Using Authentication File

• signup.php

Page 16

PHP functions

Examples:

$connection = sqlsrv_connect( $hostName, $connectionInfo )

authenticateUser($connection, $loginUserId, $loginPassword)
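As an added example (not the course's login.zip code), here is what a separate authentication.inc and the user-defined authenticateUser() named above can look like, written for the sqlsrv extension and the auth_users table (userid, password) from Step 2. The host, credentials and database name are placeholders, and the example uses password_hash()/password_verify() in place of the MD5 shown on Page 9, because MD5 is a fast unsalted hash and is not a suitable way to store passwords.

```php
<?php
// authentication.inc (assumed contents; placeholders, not the course's real values).
// Every page includes this one file instead of repeating the database secrets.
$hostName = "YOUR_DB_HOST";
$connectionInfo = array(
    "UID"      => "YOUR_SQL_USERNAME",
    "PWD"      => "YOUR_SQL_PASSWORD",
    "Database" => "YOUR_DATABASE",
);

$connection = sqlsrv_connect($hostName, $connectionInfo);
if ($connection === false) {
    // sqlsrv_errors() holds the details; log them, do not echo them to the visitor.
    die("Database connection failed.");
}

// User-defined function: true only when userid and password match a row in auth_users.
// The ? placeholder is a bound parameter, so the user's input never becomes SQL text.
function authenticateUser($connection, $loginUserId, $loginPassword)
{
    $sql  = "SELECT password FROM auth_users WHERE userid = ?";
    $stmt = sqlsrv_query($connection, $sql, array($loginUserId));
    if ($stmt === false) {
        return false;
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    if ($row === null || $row === false) {
        return false;   // unknown user: same answer as a wrong password
    }
    // The stored value is a password_hash() string (written by createUser below).
    return password_verify($loginPassword, $row['password']);
}

// What signup.php would call: store the salted hash, never the plaintext password.
function createUser($connection, $userId, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = sqlsrv_query($connection,
        "INSERT INTO auth_users (userid, password) VALUES (?, ?)",
        array($userId, $hash));
    return $stmt !== false;
}
?>
```

password_hash() output is 60 characters or longer, so the password column created by createTables.sql must be wide enough for it (an MD5 digest only needs 32). Many web servers serve a .inc file as plain text, so keep authentication.inc outside the web root or configure the server to run it as PHP.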

Page 17

Why Do We Need Functions?

• A large program may need to carry out the same task repeatedly
  – PHP example: sending a query to the SQL server

• You don't want to duplicate the code every time the task is executed
  – Prone to error
  – Code complexity

• A modularized design is easy to maintain

Page 18

Types of Functions

• System functions
  – Built-in functions provided by the system: phpinfo(), sqlsrv_connect(), sqlsrv_query(), …

• User-defined functions
  – When you cannot find a function that suits your need, do it yourself

Page 19

User-Defined Function: Example

To learn more about PHP functions, read the slides on the course website and do the exercises.

Page 20

PHP Sessions

• Try http://my.up.ist.psu.edu/yourPSUID/login/profile.php
  – Log in and visit
  – Close the tab and visit
  – Log out and visit
  – Close the browser and visit

• Read the code in profile.php. Can you explain the results you see?

Page 21

PHP Sessions

• Once a user logs in, should you ask him to log in every time he refreshes the page?
  – Does Facebook require you to log in every time you refresh the page?
  – NO!

Page 22

Start a PHP Session

• session_start();
  – This function registers this session with the web server and gets a UID for the session
  – This function initializes the $_SESSION array to store data.

Page 23

In-Class Exercise 1: Step 1

Create file1.php in your webspace with this content:

<?php
session_start();
$_SESSION['userID'] = 'your PSU ID';
echo "Create a session variable<br>";
echo $_SESSION['userID'];
?>

Page 24

In-Class Exercise 1: Step 2

Create file2.php with this content:

<?php
session_start();
echo "Access the session variable <br>";
echo $_SESSION['userID'];
?>

Page 25

In-Class Exercise 1: Step 3

• Close the browser
• Open the browser.
• Access the second PHP file that obtains session variables and see what you can get.
• Access the first PHP file and then the second PHP file.
• Hint: Try the following:
  – http://my.up.ist.psu.edu/zuz22/file1.php
  – http://my.up.ist.psu.edu/zuz22/file2.php

Page 26

Key Issues in Session Control

• Use session_start() in every PHP file that needs access to session variables
  – This function registers the session with the web server and gets a unique ID

• Session variables are stored in an array named $_SESSION
  – You can specify the array index and value as $_SESSION['variable_name'] = value

• Session variables are superglobal
  – Three variable types in PHP: local, global, session variables
  – Session variables can last forever, unless you delete them or the system sets a life span for them

• Close the session after all business is finished
  – session_destroy();
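An added example (not the course's own profile.php or login.php) of the session pattern these slides describe, shown as three separate files in one block: login.php stores the user ID in $_SESSION once authentication succeeds, profile.php refuses to render unless that value is present, and logout.php deletes the variables and destroys the session. It assumes authentication.inc defines $connection and an authenticateUser() function as on Page 16, and that the form fields are named userid and password.

```php
<?php
// ---- login.php (handling the submitted form) ----
session_start();
require 'authentication.inc';   // assumed: defines $connection and authenticateUser()
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $userId   = $_POST['userid']   ?? '';
    $password = $_POST['password'] ?? '';
    if (authenticateUser($connection, $userId, $password)) {
        session_regenerate_id(true);    // fresh session ID at login, so a pre-login ID is never reused
        $_SESSION['userID'] = $userId;  // the value profile.php checks on every visit
        header('Location: main.php');
        exit;
    }
    echo "Login failed.";               // one message for unknown user and wrong password alike
}

// ---- profile.php ----
session_start();
if (empty($_SESSION['userID'])) {       // no session, or it was destroyed / expired
    header('Location: login.php');
    exit;
}
echo "Profile of " . htmlspecialchars($_SESSION['userID'], ENT_QUOTES, 'UTF-8');

// ---- logout.php ----
session_start();
$_SESSION = array();                    // delete the session variables
if (ini_get('session.use_cookies')) {   // also expire the session cookie in the browser
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();                      // remove the session data on the server
header('Location: login.php');
exit;
?>
```

Closing the tab keeps the session cookie, so profile.php still finds $_SESSION['userID']; closing the whole browser drops the cookie (it has no expiry by default), which is why the visit then redirects to login.php.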
