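1. Simple authentication
The original authentication mechanism can be improved with MySQL by storing the usernames and passwords (hashed with the SHA-1 algorithm) in a MySQL database.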
<?php
/* PHP and HTML that provide a simple authentication mechanism
 * The HTML part of this script can be moved into a separate HTML file so that it is easier to rework with CSS and scripts
 */
//?? null avoids an "undefined index" warning when the form has not been submitted yet
$name = $_POST['name'] ?? null;
$password = $_POST['password'] ?? null;
//If $name and $password have not both been submitted, show the HTML form so they can be entered
if(!isset($name) || !isset($password)) {
?>
<h1>Please Log In</h1>
<p>This page is secret</p>
<form method="post" action="secret.php">
<p>Username:<input type="text" name="name" /></p>
<p>Password:<input type="password" name="password" /></p>
<p><input type="submit" name="submit" value="Log In" /></p>
</form>
<?php
}else if(($name == "user") && ($password == "pass")) {
    echo "<h1>Here it is!</h1><p>I bet you are glad you can see this secret page</p>";
}else{
    echo "<h1>Go Away!</h1><p>You are not authorized to use this source</p>";
}
?>
2. Storing the users' password data in a MySQL database, with the passwords hashed using the SHA-1 algorithm
<?php
//?? null avoids an "undefined index" warning when the form has not been submitted yet
$name = $_POST['name'] ?? null;
$password = $_POST['password'] ?? null;
if(!isset($name) || !isset($password)){
?>
<h1>Please Log In</h1>
<p>This page is secret</p>
<form method="post" action="secretdb.php">
<p>Username:<input type="text" name="name" /></p>
<p>Password:<input type="password" name="password" /></p>
<p><input type="submit" name="submit" value="Log In" /></p>
</form>
<?php
}else{
    //Connect to the MySQL server and test the connection
    $mysql = mysqli_connect("localhost","webauth","webauth");
    if(!$mysql){
        echo "Cannot connect to database.";
        exit;
    }
    //Select the auth database that is needed
    $selected = mysqli_select_db($mysql,"auth");
    if(!$selected){
        echo "Cannot select database.";
        exit;
    }
    //Query the auth database, using count() to count the matching rows.
    //The submitted values are bound as parameters instead of being concatenated
    //into the SQL string, so user input cannot change the query (SQL injection).
    $query = "select count(*) from authorized_users
              where name = ? and password = sha1(?)"; //sha1() hashes the submitted password
    $stmt = mysqli_prepare($mysql,$query);
    if(!$stmt || !mysqli_stmt_bind_param($stmt,"ss",$name,$password)
        || !mysqli_stmt_execute($stmt)){
        echo "Cannot run query.";
        exit;
    }
    $result = mysqli_stmt_get_result($stmt);
    if(!$result){
        echo "Cannot run query.";
        exit;
    }
    $row = mysqli_fetch_row($result); //fetch the query result as an array
    $count = $row[0];
    if($count>0){
        echo "<h1>Here it is!</h1><p>I bet you are glad you can see this secret page</p>";
    }else{
        echo "<h1>Go Away!</h1><p>You are not authorized to use this source</p>";
    }
}
?>
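3. Using basic authentication
(1) HTTP basic authentication: the browser can store the authentication information the user entered for a site; whenever the user opens a window for that site again, it automatically resends the required information to the web server without the user's involvement.
(2) HTTP 1.1 digest authentication: uses the MD5 algorithm to disguise the details, but support in early browsers is poor.
(3) Methods for HTTP basic authentication: the PHP method and the Apache method (PHP and MySQL Web Development, p. 301).
PHP method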
<?php
/* Trigger HTTP basic authentication from PHP
 */
//When running on IIS, $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] have to be set by the script
if((substr($_SERVER['SERVER_SOFTWARE'],0,9) == 'Microsoft') && (!isset($_SERVER['PHP_AUTH_USER']))
    && (!isset($_SERVER['PHP_AUTH_PW'])) && (substr($_SERVER['HTTP_AUTHORIZATION'] ?? '',0,6)=='Basic ')){
    //The header value is "Basic " followed by base64(user:password);
    //the limit of 2 keeps a password that contains ':' in one piece
    list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])
        = explode(':',base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'],6)),2);
}
//?? '' avoids an "undefined index" warning when no credentials have been sent yet
if((($_SERVER['PHP_AUTH_USER'] ?? '') !== 'user') || (($_SERVER['PHP_AUTH_PW'] ?? '') !== 'pass')){
    header('WWW-Authenticate: Basic realm="Realm-Name"');
    if(substr($_SERVER['SERVER_SOFTWARE'],0,9) == 'Microsoft'){
        header('Status: 401 Unauthorized');
    }else{
        header('HTTP/1.0 401 Unauthorized');
    }
    echo "<h1>Go Away!</h1><p>You are not authorized to use this source</p>";
}else{
    echo "<h1>Here it is!</h1><p>I bet you are glad you can see this secret page</p>";
}
?>
4. Creating the database that secretdb.php uses for user authentication
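#Create the database
create database auth;
#Use the database
use auth;
#Create the table (define the column names and types)
create table authorized_users(name varchar(20),
    password varchar(40), #a SHA-1 hash is a 40-character string
    primary key (name)); #make name the primary key
#Insert rows
insert into authorized_users values('user1',sha1('pass1')); #hash the password value with the sha1 function
insert into authorized_users values('user2',sha1('pass2'));
#Grant privileges to the database user
#(MySQL 8.0 no longer accepts "identified by" in grant; there, create the user with create user first)
grant select on auth.*
    to 'webauth'
    identified by 'webauth';
flush privileges; #reload the privileges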
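A hardened variant of the secretdb.php check and of the rows inserted above, as an added example that is not part of the original page: passwords are stored with PHP's password_hash() (salted and deliberately slow) instead of unsalted SHA-1, and verified in PHP with password_verify() rather than inside the SQL query. The in-memory SQLite database standing in for the MySQL auth database, the wider password column and the add_user()/check_login() helpers are assumptions made for the example; against MySQL the PDO DSN and credentials change.

```php
<?php
// Added example, not the page's code. An in-memory SQLite database stands in
// for the MySQL auth database (assumption) so the script runs as-is.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output is longer than a 40-character SHA-1 string,
// so the password column is widened (assumption: varchar(255))
$db->exec('create table authorized_users(
    name varchar(20) primary key, password varchar(255))');

// Hypothetical helper: store a salted, slow hash instead of sha1(password)
function add_user(PDO $db, string $name, string $password): void {
    $stmt = $db->prepare('insert into authorized_users values(?, ?)');
    $stmt->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
}

// Hypothetical helper: look the row up by name, then verify the hash in PHP
function check_login(PDO $db, string $name, string $password): bool {
    // Unknown names are verified against a dummy hash so that both paths
    // do a comparable amount of work
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $stmt = $db->prepare('select password from authorized_users where name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();   // false when the name does not exist
    $ok = password_verify($password, $stored === false ? $dummy : $stored);
    return $ok && $stored !== false;
}

// Constructed sample accounts; both deliberately share one password
add_user($db, 'user1', 'pass1');
add_user($db, 'user2', 'pass1');

$hashes = $db->query('select password from authorized_users order by name')
             ->fetchAll(PDO::FETCH_COLUMN);
// With sha1('pass1') both rows would hold the same string;
// the per-user salt makes the stored values differ
var_dump($hashes[0] !== $hashes[1]);
var_dump(check_login($db, 'user1', 'pass1'));   // correct password
var_dump(check_login($db, 'user1', 'wrong'));   // wrong password
// A name containing a quote is only data to the bound parameter
var_dump(check_login($db, "no'such", 'pass1'));
```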