dudelondon Posted December 10, 2009 Share Posted December 10, 2009 Hi Everyone, This is my first time on your website and please excuse if I am asking silly question. I have a question about PHP HTTP DIGEST AUTHENTICATION - published in PHP Manual - php.net Their explanation is bit limited and I was unable to find anything about it on the web - People have written that it's beyond the knowledge of the language and just paste the code and use it. But I have still done some study on the regular expression used and managed to understand it but please help me in understanding it completely. The code which I need to be explained is in Blue color. I will thank u in advance ///////////////////////////////////////////////////////////////////////////////////////////////////////////// <?php $realm = 'Restricted area'; //user => password $users = array('admin' => 'mypass', 'guest' => 'guest'); if (empty($_SERVER['PHP_AUTH_DIGEST'])) { header('HTTP/1.1 401 Unauthorized'); header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"'); die('Text to send if user hits Cancel button'); } // analyze the PHP_AUTH_DIGEST variable if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST'])) || !isset($users[$data['username']])) die('Wrong Credentials!'); // generate the valid response $A1 = md5($data['username'] . ':' . $realm . ':' . $users[$data['username']]); $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']); $valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2); if ($data['response'] != $valid_response) die('Wrong Credentials!'); // ok, valid username & password echo 'Your are logged in as: ' . $data['username']; // function to parse the http auth header function http_digest_parse($txt) { // protect against missing data $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1); $data = array(); $keys = implode('|', array_keys($needed_parts)); print $txt; $txt - Below code shows the values which I received from the server - To check whats coming from the server username="guest",realm="Restricted area",nonce="4b20d54ab440a",uri="/http.php",cnonce="e6fd095f85a80f1e68f3c2685119b35c",nc=00000001,response="ebaa40b07e3da56e89b048a9766fd4db",qop="auth",opaque="cdce8a5c95a1427d74df7acbf41c9ce0"Your are logged in as: guest preg_match_all('@(' . $keys . ')=(?[\' "])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER); My Understanding of the preg match all code above - Preg_match_all is used to capture strings which have been matched by the above pattern. @ - means don't report any error on this. ' .$keys. ' have been imploded with a (pipe '|' also called or ) and because of implode function usage the keys values are 'nonce|nc|cnonce|qop|username|uri|username' . Now the pattern looks for = sign . Than parentheses comes with ?: non capturing parentheses means that it can be captured but it cannot be counted - at the time of using backrefrence. Now 2 parentheses comes along ([\' "]) with a character class and \' (not very sure about this) -Please confirm if correct - but i think it's escaped so that we can capture ' or " -as you can see from the above $txt variable username has a value "guest". Now we get to the third parentheses which is ([^\2])+ - which I think is using negation with a back refrence , so we go back to the 2 parentheses because of \2 and look for another " not start with what was matched in 2 parentheses with +(one or more) and than another parentheses with )?(option sign in the end to tell if its not really needed but optional) and another backrefrence \2 which takes back to ([\' "]) and says find " and yes it "guest" is found without the quotes and is saved in the matches. Now I am confused at this very much | (represented as "pipe" or "or") I think its to do something with the keys which were imploded earlier - look at the $key variable after imploding - Whats the use of this don't know and in what context it's being used don't know. And the last parentheses ([^\s,]+) says dont capture anthing thats whitespace and , with + sign (One or more) Please can someone tell whether I have got the above understanding correct and what mistakes I have made in my understanding. foreach ($matches as $m) { $data[$m[1]] = $m[3] ? $m[3] : $m[4]; unset($needed_parts[$m[1]]); } return $needed_parts ? false : $data;} The above blue code explanation will also be much appreciated. ?> ///////////////////////////////////////////////////////////////////////////////////////////// Link to comment https://forums.phpfreaks.com/topic/184634-php-http-digest-authentication-understanding-code-help/ Share on other sites More sharing options...
c-o-d-e Posted December 10, 2009 Share Posted December 10, 2009 It'd be easier to read if the code was placed with code tags, or php tags. Though you have some descriptions, they'd be best outside the code tags. Link to comment https://forums.phpfreaks.com/topic/184634-php-http-digest-authentication-understanding-code-help/#findComment-974734 Share on other sites More sharing options...
cags Posted December 10, 2009 Share Posted December 10, 2009 Firstly . Looking at your understanding of the code some of what you say is right, some is wrong. Rather than explain what's wrong and right I think it will be easier for me to simply explain the line of code. '@ - The single quote starts a string and the @ is what's called the opening delimiter all preg_ functions require delimiters on their patterns. ('. $keys . ') - The opening bracket starts a capture group (a sub-pattern that will be returned in $matches[1] and also stored in the backreference \1), the single quote closes the string. The fullstop concatinates $keys which simply inserts the string $keys into the pattern. We then have another fullstop for concatination another single quote to start a new string and a closing bracket that ends this first capture group. = - This will match a literal equals sign. (?: - This is what's used to start a non-capture group, ie logically group data but without returning it in the $matches array or creating a backreference. ([\' "]) - Open bracket opens a capture group. Open square bracket opens a character class which contains single quote or double quote (the backslash escapes the single quote so it doesn't close the string. Then the closing squarebracket closes the character class and the bracket closes the capture group. Basically this whole section will capture a single instance of either a single quote or a double quote. ([^\2]+?) - Another capture group containing a character class. The ^\2 means match anything that is not the same character capture by the previous section (capture group 2). The + tells it to match one or more of the characters and the ? makes it lazy. Essentially speaking it will loop untill finding the next character matching the \2 character. \2 - Since the previous section will stop just before the \2 character, this matches that character to move the pattern on. | - The bar character is for alternation basically it means OR. ([^\s,]+) - Matches whilst the character is not a whitespace character or a comma and capture it in \4. )@' - Close the non-capture group started earlier. The the closing delimiter for the pattern and the closing delimiter for the string.The $keys variable is imploded with the bar so that particular part of the pattern will match nonce OR cnone OR nc etc, etc. To explain in more detail the non-capture group section (ie the part after the = sign), it basically makes sure the pattern matches ="something", ='something' or =something , or =something,. foreach ($matches as $m) { $data[$m[1]] = $m[3] ? $m[3] : $m[4]; unset($needed_parts[$m[1]]); } This is essentially a fairly simple for loop but it looks abit confusing due to the use of the ternary operator. The first line will basically loop through the array $matches using $m to represent the current item. $m[3] ? $m[3] : $m[4]; Can be re-written as... if($m[3]) { $data[$m[1]] = $m[3]; } else { $data[$m[1]] = $m[4]; } Link to comment https://forums.phpfreaks.com/topic/184634-php-http-digest-authentication-understanding-code-help/#findComment-974739 Share on other sites More sharing options...
dudelondon Posted December 10, 2009 Author Share Posted December 10, 2009 Thanks Pete. You have given a very clear description of the above code. You explained it in detail and have to say very organised ....Thanks for that. I will make sure that next time my question is bit more like yours. Sorry about not using code .. is this you what you mean by code php tags <code> $m[3] ? $m[3] : $m[4]; </code> Link to comment https://forums.phpfreaks.com/topic/184634-php-http-digest-authentication-understanding-code-help/#findComment-974760 Share on other sites More sharing options...
cags Posted December 10, 2009 Share Posted December 10, 2009 The forum functions on a BBCode sytem. BBCode tags use square backets as opposed to the <> symbols of HTML. So you would use... your code here or your code here Also, another little tip. When you considered a topic solved to your satisfaction there is a 'Mark Solved' button in the bottom left hand corner of topics you start. Note: I used special tags to make that appear as normal text, otherwise the forum would have parsed them and they would have looked like this respectively... your code here your code here Link to comment https://forums.phpfreaks.com/topic/184634-php-http-digest-authentication-understanding-code-help/#findComment-974777 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.