Don't run the htpasswd program at all, just write the .htpasswd file with PHP. The format is very simple, it's just username:crypted_password
So, you can just write those lines to the file, using the crypt function to create the crypted password. Of course the same file permission issues exist that Evan pointed out (unless you're not in a shred environment, or are running PHP as cgi with Apache SuExe.), but those issues are for anything you do in PHP. HTH, Peter Janett New Media One Web Services ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ New Upgrades Are Now Live!!! Windows 2000 accounts - Cold Fusion 5.0 and Imail 7.1 Sun Solaris (UNIX) accounts - PHP 4.1.2, mod_perl/1.25, Stronghold/3.0 (Apache/1.3.22), MySQL 3.23.43 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PostgreSQL coming soon! http://www.newmediaone.net [EMAIL PROTECTED] (303)828-9882 ----- Original Message ----- From: "Evan Nemerson" <[EMAIL PROTECTED]> To: "Kris" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Thursday, January 23, 2003 12:37 AM Subject: Re: [PHP] htpasswd > Don't chmod .htpasswd- _huge_ security risk... Will your server allow you to > have suid scripts??? If so, you can just write a little wrapper and make it > suid. If you do that, I'd also reccomend using an extension other than PHP, > and/or placing it outside your web root. Wouldn't want people adding > themselves... > > I'd reccomend not using .htaccess at all, and just whip up a system using a > real database, wth the real work done in PHP. htaccess just isn't designed to > be dynamic. > > > > On Wednesday 22 January 2003 06:56 pm, Kris wrote: > > Hi > > > > I've built a secure site. After the user has chosen a valid username and > > password I want my script to run htpasswd on the .htpasswd file in the > > directory. The script can run htpasswd as it doesn't have permission. > > What is the safest way to do this? > > Should I chmod htpasswd or is there a better option for this whole thing?? > > > > Thanks > > > > Kris > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
