292 Chapter 13 E-commerce Security Issues Occasional brief power failures are a fact of life in most places. In locations with harsh weather and above ground wires, long failures occur regularly. If the continuous operation of your systems is important to you, you should invest in an uninterruptible power supply (UPS). A UPS that will power a single machine for 10 minutes will cost less than $300 (U.S.).Allowing for longer failures, or more equipment, can get expensive. Long power failures really require a generator to run air conditioning as well as computers. Like power failures, network outages of minutes or hours are out of your control and bound to occur occasionally. If your network is vital, it makes sense to have connections to more than one Internet service provider. It will cost more to have two connections, but should mean that, in case of failure, you have reduced capacity rather than becoming invisible. These sorts of issues are some of the reasons you might like to consider co-locating your machines at a dedicated facility. Although one medium-sized business might not be able to justify a UPS that will run for more than a few minutes, multiple redundant net- work connections, and fire suppression systems, a quality facility housing the machines of a hundred similar businesses can. Next In Chapter 14, we will look specifically at authentication—allowing your users to prove their identity.We will look at a few different methods, including using PHP and MySQL to authenticate your visitors. 17 525x ch13 1/24/03 3:37 PM Page 292 14 Implementing Authentication with PHP and MySQL THIS CHAPTER WILL DISCUSS HOW TO IMPLEMENT various PHP and MySQL techniques for authenticating a user. Topics include n Identifying visitors n Implementing access control n Basic authentication n Using basic authentication in PHP n Using Apache’s .htaccess basic authentication n Using basic authentication with IIS n Using mod_auth_mysql authentication n Creating your own custom authentication Identifying Visitors The Web is a fairly anonymous medium, but it is often useful to know who is visiting your site. Fortunately for visitors’ privacy, you can find out very little about them with- out their assistance. With a little work, servers can find out quite a lot about computers and networks that connect to them. A Web browser will usually identify itself, telling the server what browser, browser version, and operating system you are running.You can determine what resolution and color depth visitors’ screens are set to and how large their Web browser windows are. 18 525x ch14 1/24/03 3:36 PM Page 293 294 Chapter 14 Implementing Authentication with PHP and MySQL Each computer connected to the Internet has a unique IP address. From a visitor’s IP address, you might be able to deduce a little about her.You can find out who owns an IP and sometimes have a reasonable guess as to a visitor’s geographic location. Some addresses will be more useful than others. Generally people with permanent Internet connections will have a permanent address. Customers dialing into an ISP will usually only get the temporary use of one of the ISP’s addresses.The next time you see that address, it might be being used by a different computer, and the next time you see that visitor, she will likely be using a different IP address. Fortunately for Web users, none of the information that their browsers give out identifies them. If you want to know a visitor’s name or other details, you will have to ask her. Many Web sites provide compelling reasons to get users to provide their details.The New York Times newspaper (http://www.nytimes.com) provides its content for free, but only to people willing to provide details such as name, sex, and total household income. Nerd news and discussion site Slashdot (http://www.slashdot.org) allows registered users to participate in discussions under a nickname and customize the interface they see. Most e-commerce sites record their customers’ details when they make their first order.This means that a customer is not required to type her details every time. Having asked for and received information from your visitor, you need a way to asso- ciate the information with the same user the next time she visits. If you are willing to make the assumption that only one person visits your site from a particular account on a particular machine and that each visitor only uses one machine, you could store a cookie on the user’s machine to identify the user.This is certainly not true for all users— frequently, many people share a computer and many people use more than one comput- er. At least some of the time, you will need to ask a visitor who she is again. In addition to asking who a user is, you will also need to ask a user to provide some level of proof that she is who she claims to be. As discussed in Chapter 13,“E-commerce Security Issues,” asking a user to prove her identity is called authentication.The usual method of authentication used on Web sites is asking visitors to provide a unique login name and a password. Authentication is usually used to allow or disallow access to particular pages or resources, but can be optional, or used for other purposes such as personalization. Implementing Access Control Simple access control is not difficult to implement.The code shown in Listing 14.1 delivers one of three possible outputs. If the file is loaded without parameters, it will dis- play an HTML form requesting a username and password.This type of form is shown in Figure 14.1. 18 525x ch14 1/24/03 3:36 PM Page 294 295 Implementing Access Control Figure 14.1 Our HTML form requests that visitors enter a username and password for access. If the parameters are present but not correct, it will display an error message. Our error message is shown in Figure 14.2. Figure 14.2 When users enter incorrect details, we need to give them an error message. On a real site, you might want to give a somewhat friendlier message. If these parameters are present and correct, it will display the secret content. Our test content is shown in Figure 14.3. The code to create the functionality shown in Figures 14.1, 14.2, and 14.3 is shown in Listing 14.1. 18 525x ch14 1/24/03 3:36 PM Page 295 296 Chapter 14 Implementing Authentication with PHP and MySQL Figure 14.3 When provided with correct details, our script will display content. Listing 14.1 secret.php—PHP and HTML to Provide a Simple Authentication Mechanism <?php //create short names for variables @ $name = $HTTP_POST_VARS['name']; @ $password = $HTTP_POST_VARS['password']; if(empty($name)||empty($password)) { //Visitor needs to enter a name and password ?> <h1>Please Log In</h1> This page is secret. <form method="post" action="secret.php"> <table border="1"> <tr> <th> Username </th> <td> <input type="text" name="name"> </td> </tr> <tr> <th> Password </th> <td> <input type="password" name="password"> </td> </tr> <tr> <td colspan="2" align="center"> <input type="submit" value="Log In"> </td> </tr> </table> </form> 18 525x ch14 1/24/03 3:36 PM Page 296 . using PHP and MySQL to authenticate your visitors. 17 525x ch13 1/24/03 3:37 PM Page 292 14 Implementing Authentication with PHP and MySQL THIS CHAPTER WILL DISCUSS HOW TO IMPLEMENT various PHP and. with PHP and MySQL Figure 14.3 When provided with correct details, our script will display content. Listing 14.1 secret .php PHP and HTML to Provide a Simple Authentication Mechanism < ?php //create. with PHP and MySQL Each computer connected to the Internet has a unique IP address. From a visitor’s IP address, you might be able to deduce a little about her.You can find out who owns an IP and