I was under the impression that if an external auth method was used, these weren't set, but I guess I was mistaken. Since PHP is being run as a module, Apache basic auth isn't really external.
Thanks.
-Patrick
Richard Harb wrote:
Friday, April 30, 2004, 5:37:15 PM, thus was written:
Hi, even with register globals off, isn't it possible to have a webpage like this:
Not sure what you are asking. You can have a webpage like this. And I guess it even does what it should - print the information.
<html>
<head> </head>
<body>
<h2>Hello, <?php echo $_SERVER['PHP_AUTH_USER']; ?></h2>
<p>I know your password is <?php echo $_SERVER['PHP_AUTH_PW']; ?></p>
</body>
</html>
Is there a way to make sure Apache doesn't set the $_SERVER['PHP_AUTH_PW'] global?
No, there is no way. The docs state that those superglobals are always set. But I wouldn't necessarily say that this is insecure: A user does not have access to those superglobals, unless he managed to sneak some code onto your server - but then you'd have a problem somewhere else.
register_globals was intended as a shortcut for lazy programming (my biased opinion only!) to automagically have $PHP_AUTH_PW, etc. available. That way some user would have been able to set this variable easily, e.g. with a GET request. No way to directly set a superglobal though by conventional means.
Richard
--
Patrick Hutchinson [EMAIL PROTECTED]
Engineering Web Systems Administrator
Cisco Systems, Inc.
408.527.0305 direct
408.527.2313 fax
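
Added example, not part of the original thread: since the thread concludes that the superglobals are always set when PHP runs as an Apache module, one option is to drop the password from $_SERVER before any page script can echo or dump it. The helper name scrub_basic_auth() and the sample array are assumptions made for illustration.

```php
<?php
// Added example: remove Basic-auth secrets from a $_SERVER-style array so
// later code (templates, debug dumps) can no longer print the password.
// scrub_basic_auth() is a hypothetical helper, not a PHP built-in.

function scrub_basic_auth(array &$server): array
{
    // Keep only the user name. REMOTE_USER is what Apache sets for an
    // authenticated request; PHP_AUTH_USER is PHP's own copy.
    $user = $server['REMOTE_USER'] ?? $server['PHP_AUTH_USER'] ?? null;

    // Keys that can carry the password or the raw Authorization header.
    $secretKeys = ['PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];

    $removed = [];
    foreach ($secretKeys as $key) {
        if (array_key_exists($key, $server)) {
            unset($server[$key]);   // caller's array is modified by reference
            $removed[] = $key;
        }
    }
    return ['user' => $user, 'removed' => $removed];
}

// Constructed sample of what a script sees after Apache Basic auth.
$sample = [
    'REQUEST_URI'   => '/report.php',
    'AUTH_TYPE'     => 'Basic',
    'REMOTE_USER'   => 'alice',
    'PHP_AUTH_USER' => 'alice',
    'PHP_AUTH_PW'   => 'example-password',
];

$result = scrub_basic_auth($sample);

echo 'user: ', $result['user'], "\n";
echo 'removed: ', implode(', ', $result['removed']), "\n";
echo 'password still present: ', var_export(isset($sample['PHP_AUTH_PW']), true), "\n";

// Deployment assumption: call scrub_basic_auth($_SERVER) from a file named in
// the auto_prepend_file php.ini directive so it runs before every script.
```

This only covers $_SERVER; under the Apache module, apache_request_headers() and getallheaders() may still return the Authorization header and need separate handling, for example through the disable_functions directive.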