When you want to secure some pages in a directory and want to use http authentication. (this popup with username and password), then normally you do the following.

First create a file name for example auth.php with the following code

<?php
function validateUser () {

    $user = @addslashes($_SERVER['PHP_AUTH_USER']);
    $password = @addslashes($_SERVER['PHP_AUTH_PW']);

    $sql = "SELECT Count(*) as Number FROM auth_users WHERE username='" . $user . "' AND password='" . $password . "'";
    $query = mysql_query($sql) or die(mysql_error());
    $result = mysql_fetch_array($query);
    $NumberOfUsers = $result['Number'];

    if ($NumberOfUsers != 1) {
        header('WWW-Authenticate: Basic realm="Members Area"');
        header('Status: 401 Unauthorized');
        header('HTTP-Status: 401 Unauthorized');
        ?>

<html>
<head>
<title>Access Unauthorized</title>
</head>
<body>
<h1>Access to the requested page denied</h1>
You have been denied access to this page for entering an
incorrect or non-exist username and password.<br><br>
</body>
</html>
        <?php
        exit;
    }
}    

?>

Tip: When you have PHP with CGI you have to use the following code also before reading server variables

list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
explode(':' , base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));

Then in the pages you want to secure you include the previous page

<?php
require_once('auth.php');
validateUser();

You also have to create an .htaccess file in the folder your files exist with the following content

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization},L]
</IfModule>