English
English
In PHP development, ensuring user identity verification and proper access control is essential to building secure web applications. This article introduces several commonly used authentication and authorization techniques, with code examples to help you create a safer application environment.
HTTP Basic Authentication prompts the browser to request username and password via a pop-up. It is simple and easy to implement but has lower security during transmission, suitable for internal or low-security scenarios.
// Send HTTP Basic Authentication headers
header('WWW-Authenticate: Basic realm="Protected Area"');
header('HTTP/1.0 401 Unauthorized');
// Validate credentials
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
// Query user in database
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
if ($result->num_rows > 0) {
// Authentication successful, grant access
} else {
// Authentication failed, show 401 Unauthorized
echo "Unauthorized Access";
}
}Users submit username and password via an HTML form, a widely used method in web applications combined with session management to maintain login state.
// Handle login form submission
if (isset($_POST['username']) && isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
// Query user in database
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$result = $stmt->get_result();
$stmt->close();
if ($result->num_rows > 0) {
// Authentication successful, start session
session_start();
$_SESSION['authenticated'] = true;
// Redirect to protected area
header("Location: protected_area.php");
} else {
// Authentication failed, show error message
echo "Invalid username or password";
}
}Access is granted based on user roles, common in applications that differentiate between types of users such as administrators and regular users.
// Check if user has required permission to access a protected area
if (isset($_SESSION['user_role']) && $_SESSION['user_role'] == 'admin') {
// Access allowed
}Controls access to specific resources such as files or database records, ensuring users access only resources they are permitted to.
// Check file access permission by user ID
$path = '/uploads/' . $_GET['file_id'];
if (file_exists($path) && is_file($path)) {
$fileOwner = 'user_' . $_GET['user_id'];
if (fileowner($path) == $fileOwner) {
// Allow access to file
}
}In a message board application, the above authentication and authorization mechanisms can be combined:
By designing robust authentication and authorization workflows, PHP developers can greatly improve web application security. The provided example code and concepts serve as practical references for implementing secure access control, helping to build more stable and reliable systems.
