Earlier I posted a question about why the failure message in my HTTP authentication script wasn't working. I figured out the answer. There was no place to go if the user entered a username or password that wasn't in the database.
Below is the corrected code. John Hughes <? session_start(); /* ** Check password */ if($PHP_AUTH_USER != '') #If variable has content check user database { require (***directory path ouside Web root***/connect DB***); $sql = " SELECT * FROM users WHERE username = '$PHP_AUTH_USER' AND password = password('$PHP_AUTH_PW') "; #end SQL $result = mysql_query($sql,$connection) or die ("Can't execute query."); $num = mysql_numrows($result); if ($num != 0) { $valid="yes"; $user=$username; session_register('valid'); session_register('user'); header("Location:letters.php"); exit; } ELSE { #TRY AGAIN header("WWW-Authenticate: Basic realm='The Letters Realm'"); header("HTTP/1.0 401 Unauthorized"); //show failure text if user presses cancel print("This directory requires a user name and password.<br>\n"); } #END IF ON SQL CHECK DB RESULT } ELSE { //SEND headers to request username and password header("WWW-Authenticate: Basic realm='The Letters Realm'"); header("HTTP/1.0 401 Unauthorized"); //show failure text if user presses cancel print("This directory requires a user name and password.<br>\n"); } ?> __________________________________________________ Do You Yahoo!? Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/ -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php