20.2. HTTP

Hypertext Transfer Protocol is primarily a basic protocol to handle data transmission, but it is also capable of authentication and more. PHP gives you all the tools you need to manipulate HTTP for your own needs.

20.2.1. Sending Custom Headers

There are several special HTTP headers you can send to instruct the remote client. For example, the "Location" header instructs browsers to request a different URL, the "Content-Type" header tells browsers what kind of content they are about to receive, and the "WWW-Authenticate" header tells browsers that they need to send some authentication information to proceed.

Sending custom headers in PHP is done using the header( ) function, which takes the header to send as its parameter. So, to make a browser go to www.example.com when it visits a certain script, this would be used:

     header("Location: http://www.example.com"); 

Special attention should be paid when using the Location header, however, as it is used to redirect clients from one page to another. When you send a Location header, the rest of your script will still be executed, potentially allowing people to see pages they would otherwise not be able to see. As a result, it's best to call exit immediately after header("Location: ...") to ensure that nothing happens after the redirect notice has been sent.

The headers_sent( ) function, when called with no parameters, returns true if your HTTP headers have been sent or false otherwise. That isn't "whether some headers have been sent" but "whether the header-sending opportunity has passed." That is, if headers_sent( ) returns true, sending more headers will trigger an error because non-header information has already been sent. If you pass in two parameters as references, PHP will fill them with the name of the file and the line number therein where the first output was sent, like this:

     header("Expires: Sat, 22 Dec 1979 05:30:00 GMT");
     echo "This is some text for output.<br />";
     if (!headers_sent($filename, $linenum)) {
             // If the header-sending opportunity has not passed, send one.
             // This code will not execute, because the echo above
             // has already sent output.
             header("Location: http://www.yoursite.com");
             exit;
     } else {
             echo "Headers already sent in $filename on line $linenum.";
             exit;
     }

That will print out the following:

     This is some text for output.
     Headers already sent in C:\home\header.php on line 3.
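The two points above (call exit after a Location header, and check headers_sent( ) before sending one) combine into a single helper. This is an added example, not code from the book; redirect_and_exit( ), $loggedIn and the login.php URL are hypothetical names.

```php
<?php
// Added example; redirect_and_exit() and $loggedIn are hypothetical names.

function redirect_and_exit(string $url, int $status = 302): void
{
    // headers_sent() fills $file and $line with the place where output began.
    if (headers_sent($file, $line)) {
        // The Location header can no longer be sent. Fail closed: record
        // where output started and stop instead of rendering the page.
        error_log("Redirect to $url impossible: output started in $file on line $line");
        exit(1);
    }

    header("Location: $url", true, $status);
    exit; // nothing after the call site runs
}

$loggedIn = false; // constructed stand-in for a real session check

if (!$loggedIn) {
    redirect_and_exit('http://www.example.com/login.php');
}

// Without the exit inside redirect_and_exit(), execution would continue
// here and this output would be sent in the body of the redirect response,
// readable by any client that does not follow the redirect.
echo "Members-only content";
```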

20.2.2. Reading Queued Headers

The headers_list( ) function takes no parameters, and returns an array that contains a numerically indexed list of the headers that are ready for sending. Using this, we can extend our previous example like this:

     header("Expires: Sat, 22 Dec 1979 05:30:00 GMT");
     echo "This is some text for output.<br />";
     if (!headers_sent($filename, $linenum)) {
             // If the header-sending opportunity has not passed, send one.
             // This will not execute, because the echo above has already sent output.
             header("Location: http://www.yoursite.com");
             exit;
     } else {
             echo "Headers already sent in $filename on line $linenum.<br />";
             echo "Headers sent are:<br /> <UL>";
             $headers = headers_list( );
             foreach($headers as $header) {
                     echo "<LI>$header</LI>";
             }
             echo "</UL>";
             exit;
     }

20.2.3. Authentication Over HTTP

HTTP authentication is largely a matter of sending special HTTP headers to your clients, asking them to provide access codes, and it's easy to do with PHP as long as you have configured PHP to run as an Apache module. For example:

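     if (!isset($_SERVER['PHP_AUTH_USER'])) {
             header("WWW-Authenticate: Basic realm=\"Private Area\"");
             header("HTTP/1.0 401 Unauthorized");
             // only reached if no credentials were sent (or the user clicked Cancel)
             print "Sorry - you need valid credentials to be granted access to the private area!\n";
             exit;
     } else {
             // reached whenever any username is supplied; the values are not checked
             // escape the client-supplied values before echoing them into the page
             $user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
             $pass = htmlspecialchars($_SERVER['PHP_AUTH_PW'], ENT_QUOTES, 'UTF-8');
             print "Welcome to the private area, $user - you used $pass as your password.";
     }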

To start the authentication process, we send two HTTP headers using header( ). WWW-Authenticate allows us to define the area, or realm, to which we are limiting access. It might be "Internet Mail Gateway", "Members Area", or, in our example, "Private Area". This realm name is usually shown to users when they are prompted for their username and password, as shown in Figure 20-2.

Figure 20-2. HTTP authentication is a simple way to keep parts of your site safe from prying eyes


The second header( ) function sends the HTTP status "401", which means "no access". This most often means no username and password have been entered, but it may also mean the details entered were incorrect. Therefore, WWW-Authenticate tells the browser what response is required to authenticate, and the 401 header says "no entry"; you need both to perform authentication.

If your user clicks "Cancel," she should be presented with something other than a blank page. In our example above, we have the print line beginning "Sorry - you need valid . . . " ready for this eventuality.

The last print statement, "Welcome to the private area", is for people who have authenticated successfully. All it takes to authenticate currently is a username and password; we don't check the values of the data, we just accept whatever they give us.

     if (!isset($_SERVER['PHP_AUTH_USER'])) { 

That line forms the crux of authentication with PHP. When users submit authentication, PHP receives the username and password as $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], respectively. By checking whether $_SERVER['PHP_AUTH_USER'] is set, we are saying, "Have we received an authentication username from the client?" If we have not, we send a request for authentication using WWW-Authenticate and exit the script.

When our visitors provide a username and password, the script is called again. This time $_SERVER['PHP_AUTH_USER'] is set, so the else branch runs and we print out our welcome message. Most sites would want to perform some sort of username and password checking in order to make authentication worthwhile, so let us change the script to include simple credentials checking:

     if (!isset($_SERVER['PHP_AUTH_USER'])) {
             header("WWW-Authenticate: Basic realm=\"Private Area\"");
             header("HTTP/1.0 401 Unauthorized");
             print "Sorry - you need valid credentials to be granted access!\n";
             exit;
     } else {
             if (($_SERVER['PHP_AUTH_USER'] === 'paul') &&
                     ($_SERVER['PHP_AUTH_PW'] === 'hudson')) {
                     print "Welcome to the private area!";
             } else {
                     header("WWW-Authenticate: Basic realm=\"Private Area\"");
                     header("HTTP/1.0 401 Unauthorized");
                     print "Sorry - you need valid credentials to be granted access!\n";
                     exit;
             }
     }

The modified script above now only allows users that provide the username 'paul' and the password 'hudson'.
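The same check with the password held as a hash instead of a literal in the source, as an added example that is not code from the book. The names $users, $dummyHash, check_basic_auth( ) and deny( ) are hypothetical, and the user table is constructed sample data.

```php
<?php
// Added example; $users, $dummyHash, check_basic_auth() and deny() are
// hypothetical names, and the user table is constructed sample data.

// username => password hash. A real deployment creates the hash once and
// stores it; it is generated here only so the block runs as written.
$users = ['paul' => password_hash('hudson', PASSWORD_DEFAULT)];

// Verified when the username is unknown, so that known and unknown
// usernames take about the same time to reject.
$dummyHash = password_hash('placeholder-never-matches', PASSWORD_DEFAULT);

function check_basic_auth(array $users, string $dummyHash, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false; // no credentials supplied yet
    }
    $known = array_key_exists($user, $users);
    $hash  = $known ? $users[$user] : $dummyHash;
    // password_verify() compares in constant time and reads the
    // algorithm and salt from the stored hash.
    $ok = password_verify($pass, $hash);
    return $known && $ok;
}

function deny(): void
{
    header('WWW-Authenticate: Basic realm="Private Area"');
    header('HTTP/1.0 401 Unauthorized');
    print "Sorry - you need valid credentials to be granted access!\n";
    exit; // fail closed: nothing after a denial is rendered
}

$user = $_SERVER['PHP_AUTH_USER'] ?? null;
$pass = $_SERVER['PHP_AUTH_PW'] ?? null;

if (!check_basic_auth($users, $dummyHash, $user, $pass)) {
    deny();
}

// The username came from the client, so escape it before echoing it.
print "Welcome to the private area, " . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "!";
```

Basic authentication sends the username and password base64-encoded with every request, so a script like this belongs behind HTTPS.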



PHP in a Nutshell
ISBN: 596100671
Year: 2003
Pages: 249
