From: razorstrike at hotmail dot com
Operating system: WinNT 4.0
PHP version: 4.3.2
PHP Bug Type: Strings related
Bug description: string comparison started failing after changing to 4.3.2
I use basic authentication to grant users access to a page. I have
included the code below. This code no longer works after upgrading to
4.3.2. It has worked in ALL previous release I have used up to, and
including, 4.3RC1.
In short, I read a flat file of user info. The format is
"username:password" (no quotes). One per line. The code breaks out the
pairs into an array and tests against $PHP_AUTH_USER and _PW until a match
is made. Otherwise it displays a warning.
I have narrowed it down to the string comparison, and have tried strcmp
and strncmp (with modified logic) in place of "==" without success. Also,
I have output all of the variable values with various echo statements. It
appears all values are being set correctly.
Did something change with basic auth? FYI, I have used the same PHP.INI
file throughout, without modification.
<?
$auth = false; // Assume user is not authenticated
if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
$PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
$PHP_AUTH_PW = $_SERVER['PHP_AUTH_PW'];
// Read the entire file into the variable $file_contents
$filename = 'c:\\pass.txt';
$fp = fopen( $filename, 'r' );
$file_contents = fread($fp, filesize($filename));
fclose( $fp );
// Place the individual lines from the file contents into an array.
$lines = explode("\n", $file_contents);
// Split each of the lines into a username and a password pair
// and attempt to match them to $PHP_AUTH_USER and $PHP_AUTH_PW.
foreach ($lines as $line) {
list($username, $password) = explode(':', $line);
if (($username == "$PHP_AUTH_USER") && ($password == "$PHP_AUTH_PW")) {
// A match is found, meaning the user is authenticated. So,
stop the
search.
$auth = true;
break;
}
}
}
if (!$auth) {
$authhead = 'WWW-Authenticate: Basic realm="Login"';
header( "$authhead" );
header( 'HTTP/1.0 401 Unauthorized' );
echo "<CENTER>\n<BR><BR>\n<B><DIV STYLE=\"font-family: helvetica, arial,
verdana; font-size: 14pt;\">The username or password you entered was
invalid.</B>\n<BR><BR>\n";
echo "<INPUT TYPE=button VALUE=\"Try Again\"
onClick=\"window.location='';\"></DIV>";
exit;
}
?>
--
Edit bug report at http://bugs.php.net/?id=24021&edit=1
--
Try a CVS snapshot: http://bugs.php.net/fix.php?id=24021&r=trysnapshot
Fixed in CVS: http://bugs.php.net/fix.php?id=24021&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=24021&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=24021&r=needtrace
Try newer version: http://bugs.php.net/fix.php?id=24021&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=24021&r=support
Expected behavior: http://bugs.php.net/fix.php?id=24021&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=24021&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=24021&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=24021&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=24021&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=24021&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=24021&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=24021&r=gnused
