website/lib/auth.inc

<?
	/*
		auth.php
		
		Authentication/Authorization function library

		Copyright (C) 2000, 2001 Jeff Teunissen <deek@quakeforge.net>

		This program is free software; you can redistribute it and/or
		modify it under the terms of the GNU General Public License
		as published by the Free Software Foundation; either version 2
		of the License, or (at your option) any later version.

		This program is distributed in the hope that it will be useful,
		but WITHOUT ANY WARRANTY; without even the implied warranty of
		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  

		See the GNU General Public License for more details.

		You should have received a copy of the GNU General Public License
		along with this program; if not, write to:

		Free Software Foundation, Inc.
		59 Temple Place - Suite 330
		Boston, MA  02111-1307, USA.
	*/

/*										// SQL definition for member list table
CREATE TABLE members (
   u_key		INT NOT NULL auto_increment PRIMARY KEY,
   u_admin		CHAR DEFAULT 'N' NOT NULL,
   u_username	TINYTEXT DEFAULT '' NOT NULL,
   u_password	TINYTEXT DEFAULT '' NOT NULL,
   u_fullname	TINYTEXT DEFAULT '' NOT NULL,
   u_email		TINYTEXT DEFAULT '' NOT NULL,
   u_phone		TINYTEXT DEFAULT '',
   u_addr1		TINYTEXT DEFAULT '',
   u_addr2		TINYTEXT DEFAULT '',
   u_country	TINYTEXT DEFAULT '',
   u_secret		TINYTEXT,
   u_plan		TEXT DEFAULT ''
);
*/

	have ('auth');
	need ('table');

	if (!defined ('_SQLCONSTS_')) {
		define ('_SQLCONSTS_', 1);
		require siteHome . '/../etc/sql.conf';
	}

	if (!defined ('authSplitChar')) {
		define ('authSplitChar', '%');
	}

	global $userInfo;
	global $authRealm;
	global $REMOTE_USER;

	if (!$authRealm) {
		$authRealm = "Member Access";
	}

	/*
		authProcess

		Authenticate user against SQL database.

		If $split is nonzero, the provided password string is
		split using the value of the authSplitChar definition
		and the process will fail if no right-hand side
		component is present. If there IS a right-hand side
		component, sqlRWPass is defined.
	*/
	function authProcess ($user, $password, $split)
	{
		if ($split) {
			$pos = strrpos ($password, authSplitChar);
			if ($pos !== FALSE) {	// user gave an SQL read-write pass
				$sqlRWPass = substr ($password, $pos + 1);
				$password = substr ($password, 0, $pos);

				/* We now have a read-write password, so set sqlRWPass */
				define ('sqlRWPass', $sqlRWPass);
			} else {
				return FALSE;
			}
		}

		$ret = FALSE;

		$db = @mysql_pconnect (sqlHost, sqlRWUser, sqlRWPass);
		$query = "SELECT u_password, 1 AS auth FROM members" .
				" WHERE u_username='$user'" .
				" AND u_password=ENCRYPT('$password','$user')";
		$result = @mysql_fetch_array (@mysql_db_query (sqlDB, $query));

		if ($result[auth])
			$ret = TRUE;

		@mysql_close ($db);
		return $ret;
	}

	/*
		authBasicChallenge

		Use HTTP Basic authentication to ask the user for their UN/PW
	*/
	function authBasicChallenge ($realm, $msg)
	{
		header ('WWW-Authenticate: Basic realm="' . $realm . '"');
		header ('HTTP/1.0 401 Unauthorized');
		die ($msg);
	}

	// Initialization
	if (!isset ($_SERVER['PHP_AUTH_USER'])) {
		authBasicChallenge ($authRealm, "Login required.");
	} else {
		$userName = $_SERVER['PHP_AUTH_USER'];
		$password = $_SERVER['PHP_AUTH_PW'];
	}

	if ($userName && $password) {
		if (!authProcess ($userName, $password, TRUE)) {
			authBasicChallenge ($authRealm, "Login incorrect.");
		}
	} else {
		authBasicChallenge ($authRealm, "Login incorrect.");
	}
	$_SERVER['REMOTE_USER'] = $REMOTE_USER = $userName;

	$db = @mysql_pconnect (sqlHost, sqlRWUser, sqlRWPass);
	$query = "SELECT * FROM members" .
			" WHERE u_username='$userName'";
	$userInfo = @mysql_fetch_assoc (@mysql_db_query (sqlDB, $query));
	@mysql_close ($db);
?>