312 Chapter 14 Implementing Authentication with PHP and MySQL

Listing 14.9 .htaccess—This .htaccess File Authenticates Users Against a MySQL Database

    ErrorDocument 401 /chapter14/rejection.html
    AuthName "Realm Name"
    AuthType Basic
    Auth_MySQL_DB auth
    Auth_MySQL_Encryption_Types MySQL
    Auth_MySQL_Password_Table auth
    Auth_MySQL_Username_Field name
    Auth_MySQL_Password_Field pass
    require valid-user

You can see that much of Listing 14.9 is the same as Listing 14.7. We are still specifying an error document to display in the case of error 401 (when authentication fails). We again specify basic authentication and give a realm name. As in Listing 14.7, we will allow any valid, authenticated user access.

Because we are using mod_auth_mysql and did not want to use all the default settings, we have some directives to specify how this should work. Auth_MySQL_DB, Auth_MySQL_Password_Table, Auth_MySQL_Username_Field, and Auth_MySQL_Password_Field specify the name of the database, the table, the username field, and the password field, respectively.

We are including the directive Auth_MySQL_Encryption_Types to specify that we want to use MySQL password encryption. Acceptable values are Plaintext, Crypt_DES, or MySQL. Crypt_DES is the default and uses standard UNIX DES-encrypted passwords.

From the user's perspective, this mod_auth_mysql example works in exactly the same way as the mod_auth example. She will be presented with a dialog box by her Web browser. If she successfully authenticates, she will be shown the content. If she fails, she will be given our error page.

For many Web sites, mod_auth_mysql is ideal. It is fast, relatively easy to implement, and allows you to use any convenient mechanism to add database entries for new users. For more flexibility, and the ability to apply fine-grained control to parts of pages, you might want to implement your own authentication using PHP and MySQL.
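As an added example (not code from the book), the following PHP script performs the same HTTP Basic exchange as Listing 14.9, but in your own code, which is the direction the paragraph above points to. It assumes a table named auth with name and pass columns as in the listing; an in-memory SQLite database stands in for MySQL so the script runs stand-alone, and passwords are stored with password_hash() rather than MySQL's PASSWORD().

```php
<?php
// Added example, not code from the book: HTTP Basic authentication done in PHP
// rather than by mod_auth_mysql, against a table with the same name/pass
// columns as Listing 14.9. An in-memory SQLite database stands in for MySQL so
// the script runs stand-alone; with MySQL only the DSN and credentials change.

// Constructed sample data: one user. The password is stored as a salted,
// slow hash (password_hash) rather than MySQL PASSWORD() or DES crypt, so a
// leaked auth table does not hand out reusable passwords.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE auth (name TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$db->prepare('INSERT INTO auth (name, pass) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * True if $name/$password match a row in auth. The prepared statement keeps
 * the browser-supplied username out of the SQL text; password_verify()
 * compares hashes in constant time.
 */
function checkCredentials(PDO $db, string $name, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT pass FROM auth WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: verify against a dummy hash so the response time does
        // not reveal which usernames exist.
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $hash);
}

// Same exchange the .htaccess version produces: missing or bad credentials get
// a 401 with a WWW-Authenticate challenge (realm as in Listing 14.9), and the
// browser shows its login dialog. PHP_AUTH_USER/PHP_AUTH_PW are populated when
// PHP runs as an Apache module.
$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '' || !checkCredentials($db, $user, $pass)) {
    header('WWW-Authenticate: Basic realm="Realm Name"');
    http_response_code(401);
    echo 'You are not authorized to view this page.';  // stands in for rejection.html
    exit;
}
echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Basic credentials travel base64-encoded, not encrypted, so this page belongs behind the SSL setup the next chapter describes.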
Creating Your Own Custom Authentication

We have looked at creating our own authentication methods, including some flaws and compromises, and at using built-in authentication methods, which are less flexible than writing your own code. Later in the book, when we have covered session control, you will be able to write your own custom authentication with fewer compromises than in this chapter.

Next

In Chapter 20, "Using Session Control in PHP," we will develop a simple user authentication system that avoids some of the problems we have faced here by using sessions to track variables between pages. In Chapter 24, "Building User Authentication and Personalization," we apply this approach to a real-world project and see how it can be used to implement a fine-grained authentication system.

Further Reading

The details of HTTP authentication are specified by RFC 2617, which is available at http://www.rfc-editor.org/rfc/rfc2617.txt

The documentation for mod_auth, which controls basic authentication in Apache, can be found at http://www.apache.org/docs/mod/mod_auth.html

The documentation for mod_auth_mysql is inside the download archive. It is a tiny download, so even if you just want to find out more about it, downloading the archive to look at the readme is not silly.

Next

The next chapter explains how to safeguard data at all stages of processing, from input, through transmission, to storage. It includes the use of SSL, digital certificates, and encryption.
15 Implementing Secure Transactions with PHP and MySQL

In this chapter, we will explain how to deal with user data securely from input, through transmission, and in storage. This will allow us to implement a transaction between us and a user securely from end to end. Topics include

• Providing secure transactions
• Using Secure Sockets Layer (SSL)
• Providing secure storage
• Why are you storing credit card numbers?
• Using encryption in PHP

Providing Secure Transactions

Providing secure transactions using the Internet is a matter of examining the flow of information in your system and ensuring that at each point, your information is secure. In the context of network security, there are no absolutes. No system is ever going to be impenetrable. By secure we mean that the level of effort required to compromise a system or transmission is high compared to the value of the information involved.

If we are to direct our security efforts effectively, we need to examine the flow of information through all parts of our system. The flow of user information in a typical application, written using PHP and MySQL, is shown in Figure 15.1.

Figure 15.1 User information is stored or processed by the following elements of a typical Web application environment.

The details of each transaction occurring in your system will vary, depending both on your system design and on the user data and actions that triggered the transaction. You can examine all of these in a similar way. Each transaction between a Web application and a user begins with the user's browser sending a request through the Internet to the Web server. If the page is a PHP script, the Web server will delegate processing the page to the PHP engine. The PHP script might read or write data to disk.
It might also include() or require() other PHP or HTML files. It will also send SQL queries to the MySQL daemon and receive responses. The MySQL engine is responsible for reading and writing its own data on disk.

This system has three main parts:

• The user's machine
• The Internet
• Your system

We will look at security considerations for each separately, but obviously the user's machine and the Internet are largely out of your control.

The User's Machine

From our point of view, the user's machine is running a Web browser. We have no control over other factors such as how securely the machine is set up. We need to bear in mind that the machine might be very insecure or even a shared terminal at a library, school, or café.

Many different browsers are available, each having slightly different capabilities. If we only consider recent versions of the most popular two browsers, most of the differences between them only affect how HTML will be rendered and displayed, but there are security or functionality issues that we need to consider.

[Figure 15.1 labels: User's Browser, Internet, Web Server, Stored Pages & Scripts, PHP Engine, Data Files, MySQL Engine, MySQL Data]