Published by Clemence Ward. Modified over 9 years ago.
Database Access Control (IST210)
Why Implement User Authentication?
Removes a lot of redundancy: the user does not have to re-enter the same database information every time
– Your shipping address on Amazon.com
A security-conscious implementation: sensitive data is shown only to the user it belongs to
– Your credit card information on Amazon.com
Is User Information Safe Here?
Three tiers: Client (PC) → Web Server → DBMS
– Access to the PHP code is controlled by account management on the web server
– Access to the database is controlled by account management on the database server
Each client uses his/her own website account and password to access the website.
The website administrator manages all website accounts, and uses his/her own database account and password to access the database server.
The database server administrator manages all database accounts.
End users therefore never hold database credentials: only the web application's own database account reaches the DBMS, and every user-facing check happens in the PHP code.
User Access Control in Your Service
Allow only registered users to access information.
– User ID and password
– A logged-in user gets access to the PHP code, which in turn queries the database server
You need a user table to manage all users, and an authentication procedure to verify each user's identity.
User Authentication Example
http://my.up.ist.psu.edu/zuz22/login/login.php
Files: login.php, signup.php, main.php, profile.php
Run the Sample Code: Step 1
Download login.zip from the course website.
Unzip it, then copy the login folder to your webspace.
Run the Sample Code: Step 2
To use the PHP code, you must have the following two tables in your database:
– auth_users: userid and password
– userprofile: user information
Execute createTables.sql in Microsoft SQL Server Management Studio to create these two tables.
Run the Sample Code: Step 3
Add your own database information (host, database name, username, password) to the authentication.inc file.
Then visit http://my.up.ist.psu.edu/yourPSUID/login/login.php and create an account for yourself.
Run the Sample Code: Step 4
Log into your SQL Server and check whether your personal information has been stored in the database.
The password column holds an MD5 hash of the password, not the password itself: http://en.wikipedia.org/wiki/MD5
Note that MD5 is a hash function, not encryption. The stored value cannot be decrypted back, but unsalted MD5 is so fast that common passwords can be recovered from it by brute force or precomputed lookup tables, so code outside this exercise should store passwords with PHP's password_hash() instead.
Run the Sample Code: Step 5
Look into the PHP files:
– Which parts of the code are you already familiar with?
– Which parts are new to you?
– Based on these scripts and the comments in them, can you explain the results you see in your web browser?
What's New Here?
Things we have already learned:
– HTML forms
– Connecting the web server to the database
– SQL queries
New components we need to know:
1. A separate authentication.inc file to store sensitive database access information
2. A user-defined function: authenticateUser($connection, $loginUserId, $loginPassword)
3. PHP sessions
Information Required to Access a Database
– Username
– Password
– Database server (database host)
– Database to access
Question
Almost every PHP page needs to interact with the database. Does that mean sqlUsername and sqlPassword need to be hard-coded in every PHP page?
More importantly: is it safe to put the password in many PHP files? Every copy is one more file that can be leaked, checked into the wrong place, or forgotten when the password changes.
Solution: A Separate Authentication File
Store the database connection information in one file, authentication.inc, and include that file from every page that needs a connection.
Using the Authentication File (signup.php)
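As an added example (not the course's login.zip code), here is what such an authentication file and its use from signup.php can look like. The host, database name, login and password are placeholders, the private directory and its relative path are assumptions, and the two files are shown in one block separated by comments.

```php
<?php
// ===== private/authentication.inc  (added example; all values are placeholders) =====
// Keep this file outside the web root. On many web servers (Apache by default)
// a file named *.inc inside the web root has no PHP handler and is served to
// anyone as plain text, credentials included. A .php extension is the
// second-best option if it must live under the web root.
$hostName = 'sqlserver.example.edu';         // placeholder database host
$connectionInfo = [
    'Database' => 'ist210_yourpsuid',        // placeholder database name
    'UID'      => 'yourpsuid_app',           // placeholder SQL Server login
    'PWD'      => 'change-me',               // placeholder password
];

// One function that opens the connection, so the credentials are read in
// exactly one place and no page has to repeat them.
function getDbConnection()
{
    global $hostName, $connectionInfo;
    $connection = sqlsrv_connect($hostName, $connectionInfo);
    if ($connection === false) {
        // Record the driver's message server-side; do not echo it to the
        // browser, because it can reveal host names and logins.
        error_log(print_r(sqlsrv_errors(), true));
        exit('Database connection failed.');
    }
    return $connection;
}

// ===== login/signup.php  (added example) =====
// The relative path is an assumption about where the private folder sits.
require_once __DIR__ . '/../private/authentication.inc';

$connection = getDbConnection();
// ... build the signup form and INSERT the new user through $connection ...
sqlsrv_close($connection);
```

With this layout a password change is a one-file edit, and a source-code leak of any single page in the login folder no longer exposes the database login.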
PHP Functions
Examples:
$connection = sqlsrv_connect($hostName, $connectionInfo);
authenticateUser($connection, $loginUserId, $loginPassword);
Why Do We Need Functions?
A large program may need to carry out the same task repeatedly
– PHP example: sending a query to SQL Server
You don't want to duplicate the code every time the task is executed
– Prone to error
– Code complexity
A modularized design is easy to maintain
Types of Functions
System functions
– Built-in functions provided by PHP and its extensions: phpinfo(), sqlsrv_connect(), sqlsrv_query(), ...
User-defined functions
– When you cannot find a built-in function that suits your need, write it yourself
User-Defined Function: Example
To learn more about PHP functions, read the slides on the course website and do the exercises.
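An added example of the authenticateUser($connection, $loginUserId, $loginPassword) function named above, written the way a practitioner would write it today rather than as the course's own sample code: the query takes the user ID as a bound parameter instead of pasting it into the SQL string, and the password is checked with password_verify() against a salted, slow hash instead of comparing an MD5 value in the WHERE clause. It assumes the auth_users table from createTables.sql has the columns userid and password and that $connection comes from sqlsrv_connect().

```php
<?php
// Added example; not the authenticateUser() shipped in login.zip.
// Assumes auth_users(userid, password). The password column must be wide
// enough for a password_hash() string (60 characters for bcrypt; 255 is safe),
// whereas an MD5 hex digest needs only 32.

// signup.php: store a salted, deliberately slow hash instead of md5($password).
function createUser($connection, string $userId, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);   // bcrypt with a random salt
    $sql  = 'INSERT INTO auth_users (userid, password) VALUES (?, ?)';
    // The ? placeholders are bound by the driver; user input never becomes SQL.
    $stmt = sqlsrv_query($connection, $sql, [$userId, $hash]);
    return $stmt !== false;
}

// login.php: look the user up by id only, then compare the password in PHP.
function authenticateUser($connection, string $loginUserId, string $loginPassword): bool
{
    // Do NOT build this as "... WHERE userid='$loginUserId' AND password='" . md5($loginPassword) . "'":
    // a user id such as  x' OR '1'='1  would then be interpreted as SQL.
    $sql  = 'SELECT password FROM auth_users WHERE userid = ?';
    $stmt = sqlsrv_query($connection, $sql, [$loginUserId]);
    if ($stmt === false) {
        return false;                      // query error: treat as login failure, log server-side
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    if ($row === null || $row === false) {
        return false;                      // unknown user: same answer as a wrong password
    }
    // password_verify() reads the salt and cost out of the stored hash.
    return password_verify($loginPassword, $row['password']);
}
```

Because both the unknown-user and wrong-password paths return the same false, the login form cannot be used to enumerate which user IDs exist.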
PHP Sessions
Try http://my.up.ist.psu.edu/yourPSUID/login/profile.php in each of these situations:
– Log in and visit it
– Close the tab and visit it again
– Log out and visit it
– Close the browser and visit it
Read the code in profile.php. Can you explain the results you see?
PHP Sessions
Once a user logs in, should you ask him to log in again every time he refreshes the page?
– Does Facebook require you to log in every time you refresh the page?
– No!
Start a PHP Session
session_start();
– This function creates a new session or resumes an existing one: the web server assigns the session a unique ID and sends it to the browser in a cookie (PHPSESSID by default); on later requests the browser sends the cookie back and PHP loads the matching session data.
– This function initializes the $_SESSION array, in which you store data for the session.
In-Class Exercise 1: Step 1
Create file1.php in your webspace with this content:
<?php
session_start();
$_SESSION['userID'] = 'your PSU ID';
echo "Create a session variable ";
echo $_SESSION['userID'];
?>
In-Class Exercise 1: Step 2
Create file2.php with this content:
<?php
session_start();
echo "Access the session variable ";
echo $_SESSION['userID'];
?>
In-Class Exercise 1: Step 3
Close the browser, then open it again.
Access the second PHP file, which reads the session variable, and see what you get.
Then access the first PHP file followed by the second, and compare.
Hint: try the following:
– http://my.up.ist.psu.edu/zuz22/file1.php
– http://my.up.ist.psu.edu/zuz22/file2.php
Key Issues in Session Control
Use session_start() in every PHP file that needs access to session variables
– This function registers the session with the web server and gets its unique ID
Session variables are stored in an array named $_SESSION
– You set an index and value as $_SESSION['variable_name'] = value
$_SESSION is a superglobal
– PHP has local and global variable scope; a superglobal such as $_SESSION is visible in every scope, inside functions too, without the global keyword
Session variables persist across requests until
– You unset them or destroy the session, or
– The server's garbage collection removes the expired session (session.gc_maxlifetime), or the browser discards the session cookie
Close the session after all business is finished
– session_destroy();
– session_destroy() removes the server-side data only; to log a user out fully, also clear $_SESSION and expire the session cookie in the browser
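The complete login, protected-page and logout flow from the slides above, as an added example rather than the course's own login.php, profile.php or logout code. It assumes the sample's authenticateUser() returns true on a correct login, and it adds the two checks a practitioner expects: a fresh session ID after login and a logout that clears all three copies of the session (server file, $_SESSION, browser cookie).

```php
<?php
// Added example of the session flow; not the course's own code.
// Assumes authenticateUser($connection, $userId, $password) from login.zip.

// Call this instead of a bare session_start() on every page.
function secureSessionStart(): void
{
    ini_set('session.use_strict_mode', '1');    // reject session IDs PHP did not issue
    ini_set('session.cookie_httponly', '1');    // JavaScript cannot read the cookie
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');  // only sent over HTTPS
    }
    session_start();
}

// login.php, after authenticateUser(...) returned true.
function startUserSession(string $userId): void
{
    secureSessionStart();
    // New ID on privilege change: an ID an attacker planted in the browser
    // before login (session fixation) no longer maps to this logged-in session.
    session_regenerate_id(true);
    $_SESSION['userID']  = $userId;
    $_SESSION['loginAt'] = time();
}

// Top of every protected page (main.php, profile.php): returns the user ID
// or sends the visitor to the login page.
function requireLogin(string $loginUrl = 'login.php'): string
{
    secureSessionStart();
    if (empty($_SESSION['userID'])) {
        header('Location: ' . $loginUrl);
        exit;
    }
    return $_SESSION['userID'];
}

// logout.php. session_destroy() alone deletes only the server-side data;
// the in-memory $_SESSION and the browser's cookie must be cleared as well.
function endUserSession(): void
{
    secureSessionStart();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// profile.php
$userId = requireLogin();
echo 'Logged in as ' . htmlspecialchars($userId, ENT_QUOTES, 'UTF-8');
```

This also explains the results of the exercise: with the default session.cookie_lifetime of 0 the session cookie has no expiry date, so closing a tab keeps it and the second file still prints the user ID, while closing the whole browser discards the cookie and the next request starts an empty session even though the old session file still sits on the server until garbage collection.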