<?php

/*
 * Be careful when changing the header handling: header() fails if even
 * one byte of output has been sent before the header data.
 * Avoid echo, printf, etc. ahead of it, as they can make this part fail completely.
 */

/**
 * Send an HTTP Basic authentication challenge to the client.
 *
 * Emits the WWW-Authenticate header for the given realm followed by the
 * 401 status line. Both are raw headers, so nothing may have been output
 * before this function runs.
 *
 * NOTE(review): $realm is placed inside the quoted realm value as-is; it is
 * expected to be a trusted configuration string without double quotes.
 *
 * @param string $realm Realm name shown in the browser's login prompt.
 * @return void
 */
function authGet($realm) {
    $challenge = sprintf('WWW-Authenticate: Basic realm="%s"', $realm);
    header($challenge);
    header('HTTP/1.0 401 Unauthorized');
}

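/**
 * Validate HTTP Basic credentials against the useraccounts table.
 *
 * On success the matching row is published in $GLOBALS['chk'] (keys: user,
 * passwd, level, acc_id) so later code can use it, and the account's
 * user_level is returned. On failure 0 is returned; the caller decides what
 * to do with that. A challenge is only sent from here when no credentials
 * were supplied at all.
 *
 * Security notes for maintainers:
 *  - $user and $pass come straight from the Authorization header and are
 *    untrusted. The user name is escaped before it is placed in the query;
 *    the 15-character cap alone does not neutralise quote characters.
 *  - The submitted password is compared with user_passwd as-is, which means
 *    the column holds plaintext passwords. Migrating the column to
 *    password_hash()/password_verify() is strongly recommended.
 *  - A valid account whose user_level is 0 or empty is indistinguishable
 *    from a failed login for callers that test the return value loosely.
 *  - Basic auth resends the credentials on every request; serve this only
 *    over TLS.
 *
 * @param string $db   Database name handed to mysql_db_query().
 * @param string $user User name supplied by the client (untrusted).
 * @param string $pass Password supplied by the client (untrusted).
 * @return mixed The account's user_level on success, 0 on failure.
 */
function authValidateUser($db, $user, $pass ) {
    // No credentials yet: send the Basic challenge and report failure.
    if (empty($user) || empty($pass)) {
        authGet($GLOBALS['opt']['realm']);
        return 0;
    }

    // Length cap kept for backward compatibility with existing accounts.
    // It is not injection protection; escaping below is what keeps the
    // value inside the string literal.
    $user = substr($user, 0, 15);

    // Escape for use inside a quoted SQL string on the current link.
    // NOTE(review): this is only charset-safe if the connection character set
    // was set through mysql_set_charset() - confirm where the link is opened.
    $safeUser = mysql_real_escape_string($user);
    if ($safeUser === false) {
        pma_debug("Auth result : could not escape user name");
        return 0;
    }

    /*
     * The useraccounts table may carry more columns, as long as the four
     * selected here exist. If you select more, extend the assignments into
     * $GLOBALS['chk'] below; code such as a Pre_Run function can then read
     * the extra per-user data from that array.
     */
    $qry = "Select user_logname, user_passwd, user_level, useracc_ID  from useraccounts where user_logname='" . $safeUser . "'";

    pma_debug ("Auth file query : $qry");
    $res = mysql_db_query($db, $qry);

    if (!$res) {
        // Query failed; log the driver error and refuse access.
        pma_debug ("Auth result : " . mysql_errno().": ".mysql_error() );
        return 0;
    }

    // false when no account has that name.
    $row = mysql_fetch_row($res);

    $authenticated = false;
    if (is_array($row)) {
        $storedUser = (string) $row[0];
        $storedPass = (string) $row[1];
        $givenPass  = (string) $pass;

        // Strict comparisons: loose == treats numeric-looking strings such as
        // "1e3" and "1000" as equal. hash_equals() additionally avoids leaking
        // how many leading characters matched, where the runtime provides it.
        if (function_exists('hash_equals')) {
            $passwordOk = hash_equals($storedPass, $givenPass);
        } else {
            $passwordOk = ($storedPass === $givenPass);
        }

        $authenticated = ($storedUser === (string) $user) && $passwordOk;
    }

    if ($authenticated) {
        $GLOBALS['chk']['user']   = $row[0];
        $GLOBALS['chk']['passwd'] = $row[1];
        $GLOBALS['chk']['level']  = $row[2];
        $GLOBALS['chk']['acc_id'] = $row[3];
        return $GLOBALS['chk']['level'];
    }

    // Failed login: do not leave another account's stored password and level
    // in global state. These are the same null values an unknown user name
    // produced before.
    $GLOBALS['chk']['user']   = null;
    $GLOBALS['chk']['passwd'] = null;
    $GLOBALS['chk']['level']  = null;
    $GLOBALS['chk']['acc_id'] = null;

    // The old re-prompt block that followed was unreachable (every branch
    // above it returned), so no challenge is sent here; the caller handles
    // the failure.
    return 0;
}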

// If the browser already knows the password, these are defined;
// otherwise we'll end up doing the auth.
// NOTE: while part of the main, these are AUTOMATICALLY $GLOBALS;
// however, since this file is also included directly from inside some
// functions elsewhere in the code, it needs an explicit $GLOBALS definition in the main.
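// Credentials the browser sent with this request, if any. The keys are absent
// on the first (unauthenticated) request, and on setups where the web server
// does not hand the Authorization header to PHP. Reading them unguarded raises
// an undefined-index notice, and a notice printed to the page would count as
// output sent before the 401 challenge headers.
$GLOBALS['auth_user']   = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$GLOBALS['auth_pass']   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
// Default to "no access" until validation says otherwise.
$GLOBALS['auth_level']  = 0;
/*
  Run the authentication. It is the calling program's job to act on the
  returned level, e.g. to decide whether access is granted. 0 means the
  login failed or no credentials were supplied.
*/
$GLOBALS['auth_level'] = authValidateUser($GLOBALS['opt']['db'], $GLOBALS['auth_user'], $GLOBALS['auth_pass']);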
?>