<?php

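/**
 * Send the HTTP Basic authentication challenge for $realm.
 *
 * The realm is emitted inside the quoted-string of the WWW-Authenticate
 * header, so a literal backslash or double quote in it has to be escaped;
 * the previous interpolation would have produced a malformed challenge for
 * such a value.
 *
 * @param string $realm realm name shown by the browser's login prompt
 * @return void
 */
function authGet($realm)
{
    // Escape the backslash first so the backslashes added for the quotes
    // are not doubled again.
    $quoted = str_replace(array('\\', '"'), array('\\\\', '\\"'), $realm);
    header("WWW-Authenticate: Basic realm=\"$quoted\"");
    header("HTTP/1.0 401 Unauthorized");
}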

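/**
 * Look up $user in the useraccounts table of $db and check $pass against it.
 *
 * Side effects: fills $GLOBALS['chk'] (user, passwd, level, acc_id, bu) from
 * the matched row (all null when no row matched), and sends the 401 challenge
 * via authGet() whenever validation does not succeed.
 *
 * @param string $db   database name handed to mysql_db_query()
 * @param string $user login name as supplied by the client
 * @param string $pass password as supplied by the client
 * @return mixed the row's user_level on success, 0 on failure
 */
function authValidateUser($db, $user, $pass)
{
    // No credentials yet: challenge the browser and report failure.
    if (empty($user) || empty($pass)) {
        authGet($GLOBALS['opt']['realm']);
        return 0;
    }

    // The length cap only bounds the lookup key; it is not an injection
    // defence on its own, so the value is also escaped before it goes into
    // the SQL string literal below.
    $user = substr($user, 0, 15);

    // mysql_real_escape_string() uses the same already-open link that
    // mysql_db_query() relies on.
    $qry = "Select user_logname, user_passwd, user_level, useracc_ID, user_bu  from useraccounts where user_logname='"
        . mysql_real_escape_string($user) . "'";

    pma_debug("Auth file query : " . $qry);
    $res = mysql_db_query($db, $qry);

    if (!$res) {
        // database error, so we quit
        pma_debug("Auth result : " . mysql_errno() . ": " . mysql_error());
        return 0;
    }

    // An unknown user yields no row; keep the documented side effect of
    // leaving every chk entry null in that case.
    $row = mysql_fetch_row($res);
    if (!is_array($row)) {
        $row = array(null, null, null, null, null);
    }
    list(
        $GLOBALS['chk']['user'],
        $GLOBALS['chk']['passwd'],
        $GLOBALS['chk']['level'],
        $GLOBALS['chk']['acc_id'],
        $GLOBALS['chk']['bu']
    ) = $row;

    // Strict comparison: the loose == treated numeric-looking strings as
    // numbers, so distinct passwords such as "1e3" and "1000" compared equal.
    // NOTE(review): the stored user_passwd is compared directly with the
    // submitted password, i.e. it is kept in a directly comparable form;
    // moving to a hashed scheme needs a schema change outside this block.
    if ($user === $GLOBALS['chk']['user'] && $pass === $GLOBALS['chk']['passwd']) {
        return $GLOBALS['chk']['level'];
    }

    // Credentials were supplied but did not match: re-challenge so the
    // browser prompts again, then report failure.
    authGet($GLOBALS['opt']['realm']);
    return 0;
}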

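// setup for authentication
unset($result);

// If the browser already knows the credentials the server populates these;
// otherwise they are absent and authValidateUser() will send the challenge.
// Read them guarded so the first, unauthenticated request does not raise
// undefined-index notices (the value stays null, exactly as before).
$GLOBALS['auth_user']   = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$GLOBALS['auth_pass']   = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
$GLOBALS['auth_level']  = 0;

// getting authentication: 0 means not authenticated, anything else is the
// user's level from the useraccounts table
$result = authValidateUser($GLOBALS['opt']['db'], $GLOBALS['auth_user'], $GLOBALS['auth_pass']);
if (!$result) {
   // authValidateUser() has already sent the 401 challenge where appropriate.
   // NOTE(review): the name suggests this helper terminates the request;
   // confirm it never returns, otherwise the including page would run
   // for an unauthenticated client.
   Say_No_acces_then_die();
} else {
   // set the auth_level for later use
   $GLOBALS['auth_level'] = $result;
   // business unit of the matched account, handy to use in queries
   $GLOBALS['bu'] = $GLOBALS['chk']['bu'];
}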

?>