PHP Security Assignment

  1. Create a subdirectory named ‘protected’ in your web directory.
  2. Following the listings 14.5 & 14.6, create the content.html and rejection.html in your new ‘protected’ subdirectory.
  3. Following the listing in 14.7 on page 317 of the ‘PHP and MySQL’ book (but obviously changing it for your setup), create a .htaccess file to control access to this directory.
  4. Create a .htpass file that contains one or two user/password sets. Use the command /usr/local/apache/bin/htpasswd to do this. You can get help by adding a ‘-help’ as an option.
  5. Test this from a browser. You should be able to access the content.html file with one of your user/password sets, but should see the rejection.html displayed if you use something not part of that set.
  6. Add the ‘book_auth’ table to your books database:

    There is a file in my ‘web/books’ directory. You can either use it in place or copy it and use it. To use it in place:

    mysql databasename < /usr/users3/grovesr/web/books/createbauth.sql

    This also creates two entries — one with name=user and pass=pass, and one with name=testuser and pass=password(‘test123’). Look at the database and see what actually gets inserted into these two entries.

  7. There are two code files in the same directory, http.php and secretdb.php, and a file db.inc in my ‘protected’ subdirectory.

    http.php implements the ‘Basic’ authentication scheme (which is used to make the .htaccess method work) in PHP code. The secretdb.php file implements a simple database-based user/password scheme. Copy both of these files into your web directory. Copy the db.inc file from my ‘protected’ directory into your own ‘protected’ directory. Use a browser to run both of these files and observe how they work. You probably won’t be able to get secretdb.php to work with user=user and password=pass. Why not?

  8. Integrate the functionality in secretdb.php into http.php (or a copy), so that you have the ‘Basic’ authentication function being driven by entries in your database. Add some new entries into the book_auth table, and make sure that they work. Turn in a listing of your completed program.
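One way the pieces of steps 6 to 8 fit together, as an added example and not the course's own http.php, secretdb.php or db.inc (whose contents this page does not show). It assumes db.inc defines the variables $db_host, $db_user, $db_pass and $db_name, that book_auth has the columns name and pass named above, and that new rows are written with PHP's password_hash() rather than MySQL's PASSWORD() function (a deliberate swap: PASSWORD() is a legacy, unsalted MySQL construct, while password_hash()/password_verify() give salted bcrypt and a constant-time comparison). The username is bound through a prepared statement so that it is never spliced into the SQL text, and the 401 challenge plays the role that rejection.html plays in the .htaccess version.

```php
<?php
// Added example: HTTP 'Basic' authentication in PHP whose user/password pairs
// come from the book_auth table instead of a .htpasswd file.
// Assumption (not from the assignment): protected/db.inc sets
// $db_host, $db_user, $db_pass and $db_name for the books database.
require_once __DIR__ . '/protected/db.inc';

const AUTH_REALM = 'Books Database';

// Send the Basic challenge and stop. The browser shows its login box on 401;
// the body below is what the user sees after cancelling, like rejection.html.
function send_challenge(): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
    echo '<h1>Go Away!</h1><p>You are not authorized to view this resource.</p>';
    exit;
}

// Fetch the stored pass value for one user, or null if the user is unknown.
// The name is a bound parameter, so quoting characters in it stay data.
function lookup_hash(mysqli $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT pass FROM book_auth WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $stored : null;
}

// True only if the user exists and the submitted password matches the stored
// password_hash() string. Rows holding anything else (plaintext, or the output
// of MySQL's PASSWORD()) are not recognised by password_verify() and fail.
function authenticated(mysqli $db, ?string $user, ?string $password): bool
{
    if ($user === null || $user === '' || $password === null) {
        return false;
    }
    $stored = lookup_hash($db, $user);
    if ($stored === null) {
        return false;
    }
    return password_verify($password, $stored);
}

// Insert a new book_auth row for step 8. Only the salted hash is stored;
// PASSWORD_DEFAULT is currently bcrypt and upgrades with newer PHP releases.
function add_user(mysqli $db, string $name, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO book_auth (name, pass) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$db = new mysqli($db_host, $db_user, $db_pass, $db_name);
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable');
}

// PHP_AUTH_USER / PHP_AUTH_PW are filled in by PHP from the Authorization
// header when PHP runs as an Apache module; missing values mean no credentials.
if (!authenticated($db, $_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null)) {
    send_challenge();
}

echo '<h1>Here it is!</h1>';
echo '<p>Welcome, ' . htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8') . '.</p>';
```

To seed a row for testing, call add_user($db, 'newuser', 'newpass') once from a throwaway script (or the mysql prompt with a hash you generated in PHP), then request the page in a browser with that pair. The existing createbauth.sql rows were written with a different scheme, so whether they are accepted by this program is exactly the question step 7 asks you to investigate.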