
Hello, could you please advise or show an example of how to create/integrate an authentication URL for my existing script?

 

Explanation:

 

The script has a login screen for users that I create inside my MySQL DB. I want to be able to give external users a URL like www.domain.com/auth.php?user=user&pwd=pass&typ=login that can be used inside their own PHP script to authenticate and query data from my MySQL WITHOUT using my own application.

 

Thank you


I would tell people to use cURL rather than a form like that, and HTTPS (both supported by cURL), then set up your server to check the login and print out true or false. Also, you might want to prevent the same IP from trying to auth the same user multiple times, as it could easily be used for brute forcing your database.

 

Scott.

Yes, this is correct. Set up another domain with a web service API that can query your database and return values. A third party may send requests with something similar to:

 

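$socket = fsockopen("www.yourapidomain.com", 80, $errno, $errstr);
if (!$socket) {
	die("Connection failed: $errstr ($errno)");
}

// The credentials travel in the query string of a plain-HTTP GET request
fputs($socket, "GET /auth.php?user=user&pwd=pass&typ=login HTTP/1.1\r\n");
fputs($socket, "Host: www.yourapidomain.com\r\n");
fputs($socket, "Connection: close\r\n\r\n");

$response = "";
while (!feof($socket)) {
	$response .= fread($socket, 1024);
}
fclose($socket);

// Drop the status line and headers; only the body holds "ok" or "fail"
// (assumes the server does not send the body with chunked encoding)
$body = trim((string) strstr($response, "\r\n\r\n"));

switch ($body) {
	case "ok":
		// logged in
	break;
	case "fail":
		// failed request
	break;
}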

But if you use cURL you can use HTTPS and POST a lot more easily, both making the request more secure, because if someone gets hold of your server logs there will be all these entries like auth.php?user=username&pass=password and they will have a list of your site users and passwords.

 

Scott.

Thank you for the answer, I will start searching for tutorials on this topic. But my first question is: how can I initiate the auth.php file with the variables? Can you show me sample code for auth.php?user=user&pwd=pass&typ=login? If it connects to MySQL with the right user/pwd it should echo "Success". Thanks a million.

Yes, HTTP or HTTPS will both log the user URL info in the logs; I would highly recommend using POST.

In auth.php just replace $_GET with $_POST.

And for a request I wrote this simple function that uses HTTPS and POST; just change the host and it should work:

function check_login($user, $pass)
{
	$host = "www.example.com";
	// URL-encode the values so characters like & or = cannot alter the form fields
	$post_data = "user=" . urlencode($user) . "&pwd=" . urlencode($pass) . "&typ=login";
	// Connection: close makes the server end the stream so feof() can return
	$request = "POST /auth.php HTTP/1.1\r\nHost: {$host}\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nContent-Length: " . strlen($post_data) . "\r\n\r\n{$post_data}";
	$sock = fsockopen("ssl://{$host}", 443);
	if ($sock) {
		$data = "";
		if (fwrite($sock, $request) !== false) {
			while (!feof($sock)) {
				$data .= fgets($sock);
			}
			fclose($sock);
			// Everything after the blank line is the response body
			$return = strtolower(trim((string) strstr($data, "\r\n\r\n")));
			return $return == "successful";
		}
		fclose($sock);
	}
	return false;
}

 

Scott.
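
A server-side auth.php that follows the advice in the replies above (POST only, repeated failures from one IP against one user are throttled), as an added example that is not code from any poster in this thread. It answers "successful" or "fail" so the check_login() client above can consume it. The table layout, the limits, the database credentials and the extra "locked" reply are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) tables:
//   users(username, password_hash)            hashes created with password_hash()
//   auth_attempts(ip, username, attempted_at) attempted_at = Unix time
const MAX_FAILURES = 5;       // assumed limit per IP and user
const WINDOW_SECONDS = 900;   // assumed 15-minute window
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function too_many_failures(PDO $db, string $ip, string $user): bool
{
    $q = $db->prepare('SELECT COUNT(*) FROM auth_attempts
                       WHERE ip = ? AND username = ? AND attempted_at > ?');
    $q->execute([$ip, $user, time() - WINDOW_SECONDS]);
    return (int) $q->fetchColumn() >= MAX_FAILURES;
}

function check_credentials(PDO $db, string $ip, string $user, string $pwd): string
{
    if (too_many_failures($db, $ip, $user)) {
        return 'locked';                       // refuse before touching the password
    }
    $q = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $q->execute([$user]);
    $hash = $q->fetchColumn();
    // Unknown users are checked against a dummy hash so both paths cost the same.
    $ok = password_verify($pwd, is_string($hash) ? $hash : DUMMY_HASH) && is_string($hash);
    if (!$ok) {                                // record the failure for throttling
        $db->prepare('INSERT INTO auth_attempts VALUES (?, ?, ?)')->execute([$ip, $user, time()]);
    }
    return $ok ? 'successful' : 'fail';
}

if (PHP_SAPI !== 'cli') {                      // served as auth.php
    header('Content-Type: text/plain');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ($_POST['typ'] ?? '') !== 'login') {
        http_response_code(400); exit('fail');
    }
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'api_user', 'CHANGE_ME');
    echo check_credentials($db, $_SERVER['REMOTE_ADDR'], (string) ($_POST['user'] ?? ''), (string) ($_POST['pwd'] ?? ''));
} else {                                       // CLI self-check on constructed data
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');
    $db->exec('CREATE TABLE auth_attempts (ip TEXT, username TEXT, attempted_at INTEGER)');
    $db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);
    for ($i = 0; $i < 6; $i++) {
        echo check_credentials($db, '203.0.113.9', 'alice', 'wrong'), "\n";
    }
    echo check_credentials($db, '203.0.113.9', 'alice', 's3cret'), "\n";
}
```

Run from the command line, the self-check shows that once the failure limit is reached even the correct password is refused until the window expires.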
