ID:               20441
Updated by:       [EMAIL PROTECTED]
Reported By:      [EMAIL PROTECTED]
Status:           Closed
Bug Type:         Apache related
Operating System: all
PHP Version:      4.3.0
New Comment:

For the record, the last comment was found to be bogus in bug #21620.

And on an unrelated note, it's recommended to not rely on the
register_globals directive so use $_SERVER['REMOTE_USER'] not
$REMOTE_USER.


Previous Comments:
------------------------------------------------------------------------

[2003-01-13 11:33:03] [EMAIL PROTECTED]

The suggestion that $REMOTE_USER still works and can be used in Safe
mode is only partly true. I noticed that this variable is filled with
the username supplied by the external basic auth mechanism (.htaccess)
unless you are in a script which has been called by a <form action=XXX
method="post">.
With method="get" it works OK.

I need the $REMOTE_USER to lookup users from the database and find
their ID in the DB. The method="get" option is a workaround, but this
does not work in upload scripts, which have to use "post".

Is this a new bug?

------------------------------------------------------------------------

[2002-12-21 15:16:22] [EMAIL PROTECTED]

It has been agreed in php-dev to keep the PHP_AUTH_* variables but to
disable them when in safe mode.  This change was made after 4.3.0-RC4
but will exist in PHP 4.3.0.  This is from the PHP 4.3.0 NEWS:

Make PHP_AUTH_* variables not available in safe mode 
under Apache when an external basic auth mechanism is 
used. (Philip)

REMOTE_USER will exist regardless.  In the future, a new ini directive
such as expose_php_auth_vars may be available.

The docs will be updated.

------------------------------------------------------------------------

[2002-12-18 15:21:10] [EMAIL PROTECTED]

This needs to be fixed before 4.3 goes out. While it is of course
important to improve the code and iron out long standing errors, we
must not forget that our users rely on the old behaviour. The default
behaviour of 4.3 should be the same as in old versions.

------------------------------------------------------------------------

[2002-12-18 13:29:19] [EMAIL PROTECTED]

This problem has just caused me a big headache - a customer has been
relying on the fact that both .htaccess and PHP_AUTH_USER have been
available in parallel since at least PHP 4. They've asked me to fix
their scripts, but it would be a massive rewrite to sort out.

I only have two customers who do their own scripting, and 50% of them
are bitten by this. I think that 4.3.0 may well annoy lots of people
with this.

I can see from the documentation of bug #19251 why the change has been
made, and I understand that the manual documents the new
behaviour, but I suspect this misbehaviour is widely relied upon, and
perhaps we should consider a php.ini switch.

The only economic solution I can suggest for my customer in the
meanwhile is for me to patch php back to its old behaviour.

------------------------------------------------------------------------

[2002-12-11 10:58:19] [EMAIL PROTECTED]

We fixed a bug, period.

Derick

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/20441
