<?php
/**
 * Challenge the client for HTTP Basic credentials.
 *
 * Sends the WWW-Authenticate header for $realm followed by a 401 status
 * line; the caller decides what (if anything) to output afterwards.
 *
 * @param string $realm realm name shown in the browser's login prompt
 *                      (assumed free of double quotes and CR/LF — it is
 *                      inserted into the header value unescaped)
 * @return void
 */
function authGet($realm)
{
    $challenge = sprintf('WWW-Authenticate: Basic realm="%s"', $realm);
    header($challenge);
    header('HTTP/1.0 401 Unauthorized');
}
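/**
 * Validate HTTP Basic credentials against the useraccounts table.
 *
 * Side effects: on a successful lookup the matched row is published in
 * $GLOBALS['chk'] (user, passwd, level, acc_id, bu) for later use by the
 * including script. A Basic challenge (authGet) is sent when no
 * credentials were supplied or when they do not match; a database error
 * returns 0 without a challenge, as before.
 *
 * @param string $db   database name, handed straight to mysql_db_query()
 * @param string $user login name as sent by the client (untrusted)
 * @param string $pass password as sent by the client (untrusted)
 * @return mixed user_level of the matched account (as stored in the DB),
 *               or 0 on any failure
 */
function authValidateUser($db, $user, $pass)
{
    // No credentials at all: challenge and stop. Compared explicitly with
    // '' / null so that a legitimate password of "0" is not rejected by
    // empty()'s truthiness rules.
    if ($user === null || $user === '' || $pass === null || $pass === '') {
        authGet($GLOBALS['opt']['realm']);
        return 0;
    }

    // Keep the legacy length cap on the login name, then escape it for the
    // SQL string literal. The cap alone does not stop quote/comment
    // sequences from altering the query, so the value is escaped as well.
    // Escape AFTER truncating: truncating an escaped value could cut a
    // trailing backslash off and re-open the quoted literal.
    // NOTE(review): mysql_real_escape_string() uses the default (last
    // opened) link, the same one mysql_db_query() falls back to — confirm
    // a connection is open before this file is included.
    $user = substr($user, 0, 15);
    $safeUser = mysql_real_escape_string($user);

    $qry = "Select user_logname, user_passwd, user_level, useracc_ID, user_bu from useraccounts where user_logname='" . $safeUser . "'";
    pma_debug("Auth file query : " . $qry);
    $res = mysql_db_query($db, $qry);
    if (!$res) {
        // Database error: log it and fail closed without a new challenge.
        pma_debug("Auth result : " . mysql_errno() . ": " . mysql_error());
        return 0;
    }

    // mysql_fetch_row() returns false when no row matched; only publish
    // real row data into $GLOBALS['chk'].
    $row = mysql_fetch_row($res);
    if ($row !== false) {
        list(
            $GLOBALS['chk']['user'],
            $GLOBALS['chk']['passwd'],
            $GLOBALS['chk']['level'],
            $GLOBALS['chk']['acc_id'],
            $GLOBALS['chk']['bu']
        ) = $row;

        // Strict comparison: the old loose == let numeric-looking strings
        // (e.g. "0e123" vs "0e456") compare equal. hash_equals() is used
        // when available so the password check is not timing-dependent.
        // The stored user_passwd is compared directly with the submitted
        // password, exactly as before; if it is kept in clear text, moving
        // to password_hash()/password_verify() needs a data migration and
        // is out of scope for this function.
        $storedUser = (string) $GLOBALS['chk']['user'];
        $storedPass = (string) $GLOBALS['chk']['passwd'];
        $submittedPass = (string) $pass;
        if (function_exists('hash_equals')) {
            $passOk = hash_equals($storedPass, $submittedPass);
        } else {
            $passOk = ($storedPass === $submittedPass);
        }
        if ($user === $storedUser && $passOk) {
            return $GLOBALS['chk']['level'];
        }
    }

    // Credentials were supplied but did not match: prompt again.
    authGet($GLOBALS['opt']['realm']);
    return 0;
}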
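// setup for authentication
unset($result);
// Browsers that already hold Basic credentials send them on every request
// and PHP exposes them via $_SERVER. Read them defensively so a request
// without an Authorization header does not raise an undefined-index
// notice; authValidateUser() treats null as "no credentials".
$GLOBALS['auth_user'] = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$GLOBALS['auth_pass'] = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
$GLOBALS['auth_level'] = 0;
// getting authentication: 0 means failure, anything else is the user_level
$result = authValidateUser($GLOBALS['opt']['db'], $GLOBALS['auth_user'], $GLOBALS['auth_pass']);
if (!$result) {
    // we can display something nice here too
    Say_No_acces_then_die();
} else {
    // set the auth_level for later use
    $GLOBALS['auth_level'] = $result;
    // business-unit id of the authenticated account; handy to use in queries
    $GLOBALS['bu'] = $GLOBALS['chk']['bu'];
}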
?>