PHP cURL: Authentication

 


UniServer 5-Nano
PHP cURL.

Validation Servers

While testing, knocking on the door of a server that performs validation is not a good idea. After a few failed attempts you are bound to trigger some defence mechanism. This can take the form of a timed delay before the next login, or it can awaken the draconian dragon, which will ban your IP address.

With the above in mind, it is best to simulate before committing to a real server.

Note: Always check first whether a test server is provided; most financial gateways, for example, provide one. You can hammer these to your heart's content without awakening that draconian dragon.

Authentication Test Server

Our test server curl_2 is easily converted into an authentication server; you don't even have to restart it.

Edit file C:\curl_2\UniServer\www\.htaccess

Change these four lines:

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile C:/curl_2/UniServer/htpasswd/www/.htpasswd
#Require valid-user

To:

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile C:/curl_2/UniServer/htpasswd/www/.htpasswd
Require valid-user

Quick test:

Type http://localhost:82/ into your browser; when challenged for a name and password, press Cancel.

A page is displayed with something like Authorization Required; this confirms authentication is enabled.


Example 5 - Download and display a page

Create a new text file in folder C:\curl_1\UniServer\www and name it test5.php. Add the following content:

<?php
 $ch=curl_init();
 curl_setopt($ch,CURLOPT_URL,'http://localhost:82/remote_page.php');
 curl_exec($ch);
 curl_close($ch);
?>

Test:

  • Run both servers
  • Type http://localhost/test5.php into your browser
  • Result: Page displayed as follows
Authorization Required

This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials
(e.g., bad password), or your browser doesn't understand how to
supply the credentials required.

The above proves our servers are set up and working correctly.


Add Name and Password response

The above fails because we have not informed Curl how to respond when challenged for a name and password.

In reality, all that is required is to pass Curl a name and password; it knows how to respond to a challenge.

A name and password are passed to Curl using the following function:

  • curl_setopt($ch, CURLOPT_USERPWD, "myusername:mypassword")

Our test server curl_2 uses Uniform Server's defaults name=root password=root

Modify file C:\curl_1\UniServer\www\test5.php

<?php
 $ch=curl_init();
 curl_setopt($ch,CURLOPT_URL,'http://localhost:82/remote_page.php');
 curl_setopt($ch,CURLOPT_USERPWD,"root:root"); // name:password for the test server
 curl_exec($ch);
 curl_close($ch);
?>

Test:

  • Run both servers
  • Type http://localhost/test5.php into your browser
  • Result: Your IP is 127.0.0.1 - displayed

Note:

When a Curl session is closed, communication with the remote server is also closed.

This means that every time a script is run, the remote server will issue a name/password challenge.


Example 6 - Download and save page to a variable

I have taken example 4 and added the above line.

Create a new text file in folder C:\curl_1\UniServer\www and name it test6.php. Add the following content:

<?php
$ch=curl_init();
curl_setopt($ch,CURLOPT_URL,'http://localhost:82/remote_page.php');
curl_setopt($ch,CURLOPT_USERPWD,"root:root");  // name:password for the test server
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,5);     // give up connecting after 5 seconds
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);     // return the page instead of printing it
$buffer = curl_exec($ch);
curl_close($ch);

if (empty($buffer)){
  print "Need to recover from this!<br />";
}
else{
  print "There was data returned using curl.<br />";
  // Escape the remote content before echoing it into our own page
  print "Buffer content = ".htmlspecialchars($buffer)."<br />";

  // Extract IP address
  if(preg_match("/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/", $buffer, $ipmatch)){
    $ip = $ipmatch[0]; // Save IP to variable
    print $ip;
  }
}
?>

Test:

  • Run servers
  • Type http://localhost/test6.php into your browser
  • Result:
There was data returned using curl.
Buffer content = Your IP is 127.0.0.1
127.0.0.1
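
An added example, not part of the original page: with a wrong password the server still returns the "Authorization Required" page, so the empty($buffer) test in Example 6 reports that data was returned. The code below decides by HTTP status instead; the function names fetch_basic and classify are made up for illustration, and the sample results are constructed so the check can be seen without the servers running.

```php
<?php
// Added example, not from the original page. fetch_basic() and classify()
// are illustrative names; the $samples values are constructed, not captured.

function fetch_basic($url, $user, $pass) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);  // Basic only (the default), stated explicitly
    curl_setopt($ch, CURLOPT_USERPWD, $user . ':' . $pass);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);         // do not chase redirects with credentials set
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $body   = curl_exec($ch);                            // false on transport failure
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE); // 0 when no HTTP response arrived
    $error  = curl_error($ch);
    curl_close($ch);
    return array('status' => $status, 'body' => $body, 'error' => $error);
}

// Decide by HTTP status, never by "is the buffer empty".
function classify($r) {
    if ($r['body'] === false || $r['status'] === 0) return 'transport-failure';
    if ($r['status'] === 401) return 'auth-rejected';    // stop here: retries are what trigger lockouts
    if ($r['status'] >= 200 && $r['status'] < 300) return 'ok';
    return 'http-error';
}

// Constructed results: good login, wrong password, server not running.
$samples = array(
    array('status' => 200, 'body' => 'Your IP is 127.0.0.1', 'error' => ''),
    array('status' => 401, 'body' => '<h1>Authorization Required</h1>', 'error' => ''),
    array('status' => 0,   'body' => false, 'error' => 'connection refused'),
);
foreach ($samples as $s) {
    $naive = empty($s['body']) ? 'need to recover' : 'data returned';
    print $s['status'] . ': classify=' . classify($s) . ', empty() check=' . $naive . "<br />\n";
}

// Live request to the page's test server curl_2 (root/root are its defaults).
$r = fetch_basic('http://localhost:82/remote_page.php', 'root', 'root');
print 'live: ' . classify($r) . ' ' . htmlspecialchars((string) $r['body']) . "<br />\n";
if ($r['error'] !== '') print 'curl error: ' . htmlspecialchars($r['error']) . "<br />\n";
?>
```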


Summary

Returning a name and password when challenged was not difficult, requiring only a single function.

Very few providers allow name/passwords over an unencrypted connection, because Basic authentication sends them only base64-encoded, not encrypted.

The next page covers connecting to a server using https (SSL).