Professional Web Applications Themes

Passwording a MySQL Database - PHP Development

I have a PHP query for a MySQL database that I'd like to restrict access to. It's linked from a .htm webpage with other links on a company intranet site. Does anyone know of any PHP code examples on the net to perform such a task? I have to think it's a pretty common application for passwording in PHP. thanks, Chris...

  1. #1

    Default Passwording a MySQL Database

    I have a PHP query for a MySQL database that I'd like to restrict
    access to. It's linked from a .htm webpage with other links on a
    company intranet site.

    Does anyone know of any PHP code examples on the net to perform such a
    task? I have to think it's a pretty common application for
    passwording in PHP.

    thanks,
    Chris
    Chris Guest

  2. #2

    Default Re: Passwording a MySQL Database

    >I have a PHP query for a MySQL database that I'd like to restrict 

    Restrict based on *WHAT*? IP address the client is connecting
    from, username/password, SSL certificates, retinal eye scanner,
    something else?

    Gordon L. Burditt
    Gordon Guest

  3. #3

    Default Re: Passwording a MySQL Database

    Gordon Burditt wrote: 
    >
    >
    > Restrict based on *WHAT*? IP address the client is connecting
    > from, username/password, SSL certificates, retinal eye scanner,
    > something else?
    >
    > Gordon L. Burditt[/ref]
    LOL nice gordon,
    I think if its a "feature" you only want a "site admin" to access the
    best option would be to drop the query in a file... "admin.php" and put
    it in a directory "admin" where by you use .htacess to password up the
    directory.

    An example of what your trying to do chris might help a little bit more :)

    Cheers
    Rob
    Rob Guest

  4. #4

    Default Re: Passwording a MySQL Database

    Gordon Burditt wrote: 
    >
    >
    > Restrict based on *WHAT*? IP address the client is connecting
    > from, username/password, SSL certificates, retinal eye scanner,[/ref]

    (off topic, just ignore :)

    Retinal eye scanner is one of the few areas that doesn't have built-in
    functions in PHP. Almost everything else is covered... should you send a
    bug report? ;p


    -veikko

    --
    veikko
    mail .com
    makinen
    Veikko Guest

  5. #5

    Default Re: Passwording a MySQL Database

    On Thu, 28 Jul 2005 11:51:06 +0000 (UTC), Rob
    <rob..no.spam.please.tbswebdesign.com> wrote:
     
    >>
    >>
    >> Restrict based on *WHAT*? IP address the client is connecting
    >> from, username/password, SSL certificates, retinal eye scanner,
    >> something else?
    >>
    >> Gordon L. Burditt[/ref]
    >LOL nice gordon,
    >I think if its a "feature" you only want a "site admin" to access the
    >best option would be to drop the query in a file... "admin.php" and put
    >it in a directory "admin" where by you use .htacess to password up the
    >directory.
    >
    >An example of what your trying to do chris might help a little bit more :)
    >
    >Cheers
    >Rob[/ref]

    I think you pretty much hit it on the head, Rob. I have a series of
    databases on a dedicated server that are designed to compliment a
    worthless CMMS bringing more data to a group of guys. for now, the
    admin idea would work fine since I'll be the only one accessing 2 of
    those databases but eventually, may free up the access to a small
    group within a department as usable information. At that point,
    either a shared password OR allow known IPs would be effective and
    actually, known IPs may be better in that the extra step of entering
    something would be bypassed. thanks for the replies, gents.
    Chris Guest

  6. #6

    Default Re: Passwording a MySQL Database

    Chris wrote: 
    >>
    >>LOL nice gordon,
    >>I think if its a "feature" you only want a "site admin" to access the
    >>best option would be to drop the query in a file... "admin.php" and put
    >>it in a directory "admin" where by you use .htacess to password up the
    >>directory.
    >>
    >>An example of what your trying to do chris might help a little bit more :)
    >>
    >>Cheers
    >>Rob[/ref]
    >
    >
    > I think you pretty much hit it on the head, Rob. I have a series of
    > databases on a dedicated server that are designed to compliment a
    > worthless CMMS bringing more data to a group of guys. for now, the
    > admin idea would work fine since I'll be the only one accessing 2 of
    > those databases but eventually, may free up the access to a small
    > group within a department as usable information. At that point,
    > either a shared password OR allow known IPs would be effective and
    > actually, known IPs may be better in that the extra step of entering
    > something would be bypassed. thanks for the replies, gents.[/ref]

    Chris... iv come up with this for you...
    This example will give access dependant on the username and password
    entered.
    You can added/delete users from the $users array.

    -----------

    function do_auth()
    {
    $realm = mt_rand(1,1000);
    header('WWW-Authenticate: Basic realm="CMMS Administation ID:
    '.$realm.'"');
    header('HTTP/1.0 401 Unauthorized');
    die("Permission Denied");
    }
    //your access info... user => pass
    $users = array('admin' => 'admin', 'staff' => 'staff');

    if (!isset($_SERVER['PHP_AUTH_USER']))
    {
    do_auth();
    }
    elseif (!isset($_SERVER['PHP_AUTH_PW']))
    {
    do_auth();
    }
    elseif($users[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW'])
    {
    do_auth();
    }
    //if were here... then were logged in successfully :)
    print('Welcome to the control panel
    <b>'.$_SERVER['PHP_AUTH_USER'].'</b>');

    -----------


    This second example give access to ips listed the array $allowed_ips
    hopefully one of these may be of help to you...
    but http auth is not the best method of passwording, all depends on how
    secure you want the protected content to be.


    ---------

    function do_auth()
    {
    $realm = mt_rand(1,1000);
    header('WWW-Authenticate: Basic realm="CMMS Administation ID:
    '.$realm.'"');
    header('HTTP/1.0 401 Unauthorized');
    die("Permission Denied");
    }
    //your access info... user => pass

    $userip = (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ?
    $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER["REMOTE_ADDR"];
    $allowed_ips = array('212.100.120.40','212.100.120.41','212.100.1 20.42');
    if(!in_array($userip,$allowed_ips)
    {
    do_auth();
    }
    //if were here... then were logged in successfully :)
    print('Welcome to the control panel <b>'.$userip.'</b>');

    ----------



    Good luck
    *Rob
    Rob Guest

  7. #7

    Default Re: Passwording a MySQL Database

    Rob wrote: 
    >>
    >>
    >>
    >> I think you pretty much hit it on the head, Rob. I have a series of
    >> databases on a dedicated server that are designed to compliment a
    >> worthless CMMS bringing more data to a group of guys. for now, the
    >> admin idea would work fine since I'll be the only one accessing 2 of
    >> those databases but eventually, may free up the access to a small
    >> group within a department as usable information. At that point,
    >> either a shared password OR allow known IPs would be effective and
    >> actually, known IPs may be better in that the extra step of entering
    >> something would be bypassed. thanks for the replies, gents.[/ref]
    >
    >
    > Chris... iv come up with this for you...
    > This example will give access dependant on the username and password
    > entered.
    > You can added/delete users from the $users array.
    >
    > -----------
    >
    > function do_auth()
    > {
    > $realm = mt_rand(1,1000);
    > header('WWW-Authenticate: Basic realm="CMMS Administation ID:
    > '.$realm.'"');
    > header('HTTP/1.0 401 Unauthorized');
    > die("Permission Denied");
    > }
    > //your access info... user => pass
    > $users = array('admin' => 'admin', 'staff' => 'staff');
    >
    > if (!isset($_SERVER['PHP_AUTH_USER']))
    > {
    > do_auth();
    > }
    > elseif (!isset($_SERVER['PHP_AUTH_PW']))
    > {
    > do_auth();
    > }
    > elseif($users[$_SERVER['PHP_AUTH_USER']] != $_SERVER['PHP_AUTH_PW'])
    > {
    > do_auth();
    > }
    > //if were here... then were logged in successfully :)
    > print('Welcome to the control panel
    > <b>'.$_SERVER['PHP_AUTH_USER'].'</b>');
    >
    > -----------
    >
    >
    > This second example give access to ips listed the array $allowed_ips
    > hopefully one of these may be of help to you...
    > but http auth is not the best method of passwording, all depends on how
    > secure you want the protected content to be.
    >
    >
    > ---------
    >
    > function do_auth()
    > {
    > $realm = mt_rand(1,1000);
    > header('WWW-Authenticate: Basic realm="CMMS Administation ID:
    > '.$realm.'"');
    > header('HTTP/1.0 401 Unauthorized');
    > die("Permission Denied");
    > }
    > //your access info... user => pass
    >
    > $userip = (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ?
    > $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER["REMOTE_ADDR"];
    > $allowed_ips = array('212.100.120.40','212.100.120.41','212.100.1 20.42');
    > if(!in_array($userip,$allowed_ips)
    > {
    > do_auth();
    > }
    > //if were here... then were logged in successfully :)
    > print('Welcome to the control panel <b>'.$userip.'</b>');
    >
    > ----------
    >
    >
    >
    > Good luck
    > *Rob[/ref]
    sorry p error in 2nd example replace line...

    if(!in_array($userip,$allowed_ips)

    with

    if(!in_array($userip,$allowed_ips))

    ;)
    *Rob
    Rob Guest

  8. #8

    Default Re: Passwording a MySQL Database

    Thanks Rob - appreciate your help VERY much. :-)

    Chris


    On Thu, 28 Jul 2005 16:28:58 +0000 (UTC), Rob
    <rob..no.spam.please.tbswebdesign.com> wrote:
     
    >sorry p error in 2nd example replace line...
    >
    >if(!in_array($userip,$allowed_ips)
    >
    >with
    >
    >if(!in_array($userip,$allowed_ips))
    >
    >;)
    >*Rob[/ref]

    Chris Guest

  9. #9

    Default Re: Passwording a MySQL Database

    Chris wrote: 
    Side note: using .htaccess to secure an area is possible, yet it slows
    down your webserver (assuming we are talking Apache, dunno abt others).
    I'd much rather deal with the auth matter in httpd.conf and set
    allowoverride to none.
    With allowoverride set Apache has to check for .htaccess on EACH request
    it gets, including the ones in the public areas.
    I think it's a trade-off between easier maintenance and performance.
    Where have we seen that before in ICT ?? ;-)

    KR Schraalhans
    Schraalhans Guest

Similar Threads

  1. Replies: 8
    Last Post: May 23rd, 08:48 PM
  2. MySQL Database not retrieving the full database
    By geetha.veeraiah@gmail.com in forum MySQL
    Replies: 4
    Last Post: July 21st, 09:34 PM
  3. Passwording Word Files
    By Flashster in forum Macromedia Director Lingo
    Replies: 8
    Last Post: February 27th, 10:40 AM
  4. Passwording Internet Content Advisor
    By Shayne in forum Windows Setup, Administration & Security
    Replies: 2
    Last Post: July 4th, 09:00 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139