[thelist] PHP / MySQL User Login System

Andrew Forsberg andrew at thepander.co.nz
Wed Mar 6 21:16:01 CST 2002


Hi Jake

>I was able to get my user login system to work using Andrew's suggestions to
>use an include on each page that is to be secured.

Hurray!

>Is there any way to get Apache to treat .html files in a given directory as
>PHP and run them through the parser?

There is: add .html to the list of files PHP processes. Find a line like this:

AddType application/x-httpd-php .php

in the Apache httpd.conf file. Change it to:

AddType application/x-httpd-php .php .html

Restart Apache and you're good to go. It may be possible to do this
on a directory basis by adding the above to an .htaccess file in the
directory, but I have no idea whether that will or will not work.

A simpler solution is just to use .php files instead of .html files;
that way, if later on a file is modified and needs PHP, your users
don't get 404s when they try to access the older .html file. (In that
case put an HTML file in there with a redirect to the new .php file,
but it's not so nice as preparing for PHP in the first place.)

>Is there a way to similarly prepend to
>all files in a given directory to add the authentication routine?

In the php.ini file there's an option to automatically add headers to files:

auto_prepend_file = "/your/file/here.php"

But that's not going to help with the current version of the included
file, since it's only certain directories you want authenticated.

If you go this route, instead of manually including the
authentication routine in the header of each file, then it might be
necessary to:

1) add an extra conditional in the include,
2) add a directory in between the account and the root directory for
everything which needs authentication.

So, instead of:

http://your.site.com/bigbucks/
http://your.site.com/foobar/
etc...

Try:

http://your.site.com/auth/bigbucks/
http://your.site.com/auth/foobar/


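// Assumes the session was already started earlier in the include.
// REQUEST_URI looks like /auth/bigbucks/...; index 0 is the empty
// string before the leading slash.
$account_attempt = explode("/", $_SERVER["REQUEST_URI"]);
if (($account_attempt[1] == "auth") &&
    ($_SESSION["account"] != $account_attempt[2])) {
     // Session account does not match the requested directory.
     header("Location: http://your.site.com/");
     exit();
}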

i.e., if the parent directory is 'auth' (or whatever you decide to
call it), then the authentication script comes into effect as before
(note, the array index for the account to access will now be 2, not
1). If the directory isn't a child of your.site.com/auth/ then the
script ends and the page is processed.

>Probably a pipe dream...

Not if you have control over the php.ini and httpd.conf files, or
have a friendly admin who doesn't mind doing it. :)

An advantage of this scheme over the previous one is that there's no
need to search-and-kill all those includes before changing the
staging site into a live one.

Cheers
Andrew


--
Andrew Forsberg
---
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/
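
A stricter form of the /auth/ check for an auto_prepend_file script, as an added example that is not part of the original post: it normalises the request path (query string, percent-encoding, doubled slashes, case) before comparing and denies when no account is in the session. The function name gate_decision() and the sample requests are hypothetical.

```php
<?php
// Added example (not from the original post). gate_decision() and the
// sample requests at the bottom are constructed for illustration.

// Return "allow" or "deny" for a request, given the logged-in account
// (null when nobody is logged in).
function gate_decision(string $requestUri, ?string $sessionAccount): string
{
    // REQUEST_URI is the raw request target: strip the query string and
    // percent-decode before looking at directory names.
    $path = rawurldecode(explode("?", $requestUri, 2)[0]);

    // Skip empty and "." segments so "//" and "/./" do not shift the
    // indexes away from the directory the web server will serve.
    $segments = [];
    foreach (explode("/", $path) as $seg) {
        if ($seg === "" || $seg === ".") {
            continue;
        }
        if ($seg === "..") {
            return "deny";          // never resolve parent references here
        }
        $segments[] = $seg;
    }

    // Outside /auth/ the gate does not apply. The lowercase comparison
    // assumes the directory may live on a case-insensitive filesystem.
    if (!isset($segments[0]) || strtolower($segments[0]) !== "auth") {
        return "allow";
    }
    // Inside /auth/: fail closed unless a session account is set and
    // matches the requested account directory exactly.
    $wanted = $segments[1] ?? "";
    if ($sessionAccount === null || $wanted === "" || $sessionAccount !== $wanted) {
        return "deny";
    }
    return "allow";
}

// Constructed sample requests; the session account is "bigbucks".
$samples = ["/auth/bigbucks/report.php?x=1", "/auth/foobar/", "//auth/foobar/",
            "/%61uth/foobar/", "/auth/", "/public/index.php"];
foreach ($samples as $uri) {
    printf("%-32s %s\n", $uri, gate_decision($uri, "bigbucks"));
}
```

In the prepended file, call session_start(), pass $_SERVER["REQUEST_URI"] and $_SESSION["account"] ?? null to the function, and on "deny" send the Location header followed by exit().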


