Don't run the htpasswd program at all, just write the .htpasswd file with
PHP.  The format is very simple, it's just
username:crypted_password

So, you can just write those lines to the file, using the crypt function to
create the crypted password.

Of course the same file permission issues exist that Evan pointed out
(unless you're not in a shared environment, or are running PHP as CGI with
Apache suEXEC), but those issues are for anything you do in PHP.

HTH,

Peter Janett

New Media One Web Services

http://www.newmediaone.net
[EMAIL PROTECTED]
(303)828-9882
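
Writing the `username:crypted_password` line directly from PHP, as an added example that is not part of the original post. The function name `htpasswd_add` and the temp-file path are hypothetical, and it uses `password_hash()` (bcrypt) rather than a bare `crypt()` call, on the assumption that the server is Apache httpd 2.4 or later, which accepts `$2y$` hashes.

```php
<?php
// Added example: htpasswd_add() is a hypothetical helper, not a PHP built-in.
function htpasswd_add(string $file, string $user, string $password): bool
{
    // A ':' or a line break in the username would break the line format
    // or let one signup write a second account line, so allow-list it.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }

    // bcrypt with a random salt; assumes Apache httpd 2.4+ verifies $2y$.
    $hash = password_hash($password, PASSWORD_BCRYPT);

    // 'c+' = read/write, create if missing, never truncate.
    $fh = fopen($file, 'c+');
    if ($fh === false) {
        throw new RuntimeException('cannot open password file');
    }
    try {
        // Exclusive lock: concurrent signups must not interleave writes.
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException('cannot lock password file');
        }
        $last = "\n";
        while (($line = fgets($fh)) !== false) {
            // A signup must never replace an existing account's hash.
            if (strpos($line, $user . ':') === 0) {
                return false;
            }
            $last = $line;
        }
        // Start on a fresh line even if the file lacks a trailing newline.
        $sep = substr($last, -1) === "\n" ? '' : "\n";
        fseek($fh, 0, SEEK_END);
        fwrite($fh, $sep . $user . ':' . $hash . "\n");
        fflush($fh);
        return true;
    } finally {
        fclose($fh); // closing the handle also releases the lock
    }
}

// Constructed usage: a temp file stands in for a path outside the web root.
$file = sys_get_temp_dir() . '/example.htpasswd';
@unlink($file);
var_dump(htpasswd_add($file, 'kris', 'constructed-sample-password')); // true
var_dump(htpasswd_add($file, 'kris', 'another-password'));            // false
echo file_get_contents($file);
```

The file still has to be writable by whatever user PHP runs as, so the permission concerns raised in the thread apply unchanged.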


----- Original Message -----
From: "Evan Nemerson" <[EMAIL PROTECTED]>
To: "Kris" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 23, 2003 12:37 AM
Subject: Re: [PHP] htpasswd


> Don't chmod .htpasswd- _huge_ security risk... Will your server allow you to
> have suid scripts??? If so, you can just write a little wrapper and make it
> suid. If you do that, I'd also recommend using an extension other than PHP,
> and/or placing it outside your web root. Wouldn't want people adding
> themselves...
>
> I'd recommend not using .htaccess at all, and just whip up a system using a
> real database, with the real work done in PHP. htaccess just isn't designed to
> be dynamic.
>
>
>
> On Wednesday 22 January 2003 06:56 pm, Kris wrote:
> > Hi
> >
> > I've built a secure site. After the user has chosen a valid username and
> > password I want my script to run htpasswd on the .htpasswd file in the
> > directory. The script can run htpasswd as it doesn't have permission.
> > What is the safest way to do this?
> > Should I chmod htpasswd or is there a better option for this whole thing??
> >
> > Thanks
> >
> > Kris
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>


