On Mon, 18 Nov 2002, Edin Kadribasic wrote:
>On Sun, 17 Nov 2002, Rasmus Lerdorf wrote:
>
>> > > But why do you assume that the documentation was right and the code was
>> > > wrong and not the other way around?
>> >
>> > Because it was working like documented before. (When the documentation
>> > was written). Anyway, not sure what to do with this one...
>>
>> I don't have the energy to do a cvs check, but I remember adding this
>> restriction years ago (php2 days) and then removing it (by commenting out
>> the check) ages ago as well. I'm not sure PHP4 ever had this check turned
>> on (the commented out check was ported to php4), so the documentation has
>> not reflected reality in a very long time.
>
>I agree that this change is going to break a lot of code. Some of it is my
>own :)
>
>I suggest that we always populate $PHP_AUTH_USER since that one has no
>security consequences and the information is awailable elsewhere
>($_SERVER['REMOTE_USER']). $PHP_AUTH_PW should be set when there are no
>safe_mode/open_basedir restrctions in effects.
>
>Would this solution be satisfactory to everyone?
No, it would break my scripts. :-p
Use the $_SERVER['REMOTE_USER'] as it's been documented
for ages in the http auth docs..
--Jani
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
