Re: [PHP] php/.htaccess/.htpasswd
I've used the script phtaccess, which I think used the mentioned class. Super easy to use.

Josh

> On Wed, 1 May 2002, Kelly Meeks wrote:
>> Is it possible to use php to admin a password file used by a .htaccess file?
> You should check the File_Passwd class from PEAR.
> http://chora.php.net/cvs.php/php4/pear/File
> --
> Mika Tuupola http://www.appelsiini.net/~tuupola/

Re: [PHP] php/.htaccess/.htpasswd
It's possible, but is it really recommended? Wouldn't the .htaccess/.htpasswd file have to be owned by the apache user, which might leave it open to being overwritten by any kind of a weak/exploitable script?

Mike

Josh Valerie McCormack wrote:
> I've used the script phtaccess, which I think used the mentioned class. Super easy to use.
> Josh
>> On Wed, 1 May 2002, Kelly Meeks wrote:
>>> Is it possible to use php to admin a password file used by a .htaccess file?
>> You should check the File_Passwd class from PEAR.
>> http://chora.php.net/cvs.php/php4/pear/File
>> --
>> Mika Tuupola http://www.appelsiini.net/~tuupola/
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] php/.htaccess/.htpasswd
You could use fopen() to connect to the file via ftp therefore keeping the .htaccess file owned by the user for increased security.

Josh Boughner

On Fri, 3 May 2002, Mike Eheler wrote:
> It's possible, but is it really recommended? Wouldn't the .htaccess/.htpasswd file have to be owned by the apache user, which might leave it open to being overwritten by any kind of a weak/exploitable script?
> Mike
> Josh Valerie McCormack wrote:
>> I've used the script phtaccess, which I think used the mentioned class. Super easy to use.
>> Josh
>>> On Wed, 1 May 2002, Kelly Meeks wrote:
>>>> Is it possible to use php to admin a password file used by a .htaccess file?
>>> You should check the File_Passwd class from PEAR.
>>> http://chora.php.net/cvs.php/php4/pear/File
>>> --
>>> Mika Tuupola http://www.appelsiini.net/~tuupola/

Re: [PHP] php/.htaccess/.htpasswd
Thus leaving the FTP account's password in view of the httpd, which is even worse...

miguel

On Fri, 3 May 2002, serj wrote:
> You could use fopen() to connect to the file via ftp therefore keeping the .htaccess file owned by the user for increased security.
> Josh Boughner
> On Fri, 3 May 2002, Mike Eheler wrote:
>> It's possible, but is it really recommended? Wouldn't the .htaccess/.htpasswd file have to be owned by the apache user, which might leave it open to being overwritten by any kind of a weak/exploitable script?
>> Mike
>> Josh Valerie McCormack wrote:
>>> I've used the script phtaccess, which I think used the mentioned class. Super easy to use.
>>> Josh
>>>> On Wed, 1 May 2002, Kelly Meeks wrote:
>>>>> Is it possible to use php to admin a password file used by a .htaccess file?
>>>> You should check the File_Passwd class from PEAR.
>>>> http://chora.php.net/cvs.php/php4/pear/File
>>>> --
>>>> Mika Tuupola http://www.appelsiini.net/~tuupola/

Re: [PHP] php/.htaccess/.htpasswd
I'm not exactly sure why that is worse, could you elaborate a little?

Josh

On Fri, 3 May 2002, Miguel Cruz wrote:
> Thus leaving the FTP account's password in view of the httpd, which is even worse...
> miguel
> On Fri, 3 May 2002, serj wrote:
>> You could use fopen() to connect to the file via ftp therefore keeping the .htaccess file owned by the user for increased security.
>> Josh Boughner
>> On Fri, 3 May 2002, Mike Eheler wrote:
>>> It's possible, but is it really recommended? Wouldn't the .htaccess/.htpasswd file have to be owned by the apache user, which might leave it open to being overwritten by any kind of a weak/exploitable script?
>>> Mike
>>> Josh Valerie McCormack wrote:
>>>> I've used the script phtaccess, which I think used the mentioned class. Super easy to use.
>>>> Josh
>>>>> On Wed, 1 May 2002, Kelly Meeks wrote:
>>>>>> Is it possible to use php to admin a password file used by a .htaccess file?
>>>>> You should check the File_Passwd class from PEAR.
>>>>> http://chora.php.net/cvs.php/php4/pear/File
>>>>> --
>>>>> Mika Tuupola http://www.appelsiini.net/~tuupola/

Re: [PHP] php/.htaccess/.htpasswd
You also can't overwrite files using the fopen() method. You'd need to FTP in, then delete the file, then fopen() it.. or just do the whole thing in one FTP session (write to a temp file, upload it, erase the temp file).

Mike

Miguel Cruz wrote:
> Thus leaving the FTP account's password in view of the httpd, which is even worse...
> miguel
> On Fri, 3 May 2002, serj wrote:
>> You could use fopen() to connect to the file via ftp therefore keeping the .htaccess file owned by the user for increased security.
>> Josh Boughner
>> On Fri, 3 May 2002, Mike Eheler wrote:
>>> It's possible, but is it really recommended? Wouldn't the .htaccess/.htpasswd file have to be owned by the apache user, which might leave it open to being overwritten by any kind of a weak/exploitable script?
>>> Mike
>>> Josh Valerie McCormack wrote:
>>>> I've used the script phtaccess, which I think used the mentioned class. Super easy to use.
>>>> Josh
>>>>> On Wed, 1 May 2002, Kelly Meeks wrote:
>>>>>> Is it possible to use php to admin a password file used by a .htaccess file?
>>>>> You should check the File_Passwd class from PEAR.
>>>>> http://chora.php.net/cvs.php/php4/pear/File
>>>>> --
>>>>> Mika Tuupola http://www.appelsiini.net/~tuupola/

Re: [PHP] php/.htaccess/.htpasswd
If someone can overwrite your .htaccess there's a chance they can also view files through the same exploit (possibly). They could then get your FTP login info, and do a lot more damage than just removing password access to an area.

Mike

Serj wrote:
> I'm not exactly sure why that is worse, could you elaborate a little?
> Josh
> On Fri, 3 May 2002, Miguel Cruz wrote:
>> Thus leaving the FTP account's password in view of the httpd, which is even worse...
>> miguel
>> On Fri, 3 May 2002, serj wrote:
>>> You could use fopen() to connect to the file via ftp therefore keeping the .htaccess file owned by the user for increased security.
>>> Josh Boughner
>>> On Fri, 3 May 2002, Mike Eheler wrote:
>>>> It's possible, but is it really recommended? Wouldn't the .htaccess/.htpasswd file have to be owned by the apache user, which might leave it open to being overwritten by any kind of a weak/exploitable script?
>>>> Mike
>>>> Josh Valerie McCormack wrote:
>>>>> I've used the script phtaccess, which I think used the mentioned class. Super easy to use.
>>>>> Josh
>>>>>> On Wed, 1 May 2002, Kelly Meeks wrote:
>>>>>>> Is it possible to use php to admin a password file used by a .htaccess file?
>>>>>> You should check the File_Passwd class from PEAR.
>>>>>> http://chora.php.net/cvs.php/php4/pear/File
>>>>>> --
>>>>>> Mika Tuupola http://www.appelsiini.net/~tuupola/

RE: [PHP] php/.htaccess/.htpasswd
Except that the file can't exist. If it does, fopen() will cause an error. You can use ftp_connect() instead...as per the MANUAL.

---John Holmes...

-Original Message-
From: serj [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 5:24 PM
To: Mike Eheler
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] php/.htaccess/.htpasswd

You could use fopen() to connect to the file via ftp therefore keeping the .htaccess file owned by the user for increased security.

Josh Boughner

On Fri, 3 May 2002, Mike Eheler wrote:
> It's possible, but is it really recommended? Wouldn't the .htaccess/.htpasswd file have to be owned by the apache user, which might leave it open to being overwritten by any kind of a weak/exploitable script?
> Mike
> Josh Valerie McCormack wrote:
>> I've used the script phtaccess, which I think used the mentioned class. Super easy to use.
>> Josh
>>> On Wed, 1 May 2002, Kelly Meeks wrote:
>>>> Is it possible to use php to admin a password file used by a .htaccess file?
>>> You should check the File_Passwd class from PEAR.
>>> http://chora.php.net/cvs.php/php4/pear/File
>>> --
>>> Mika Tuupola http://www.appelsiini.net/~tuupola/

Re: [PHP] php/.htaccess/.htpasswd
Being that the files are owned by their respective users, I would imagine that would make it pretty difficult for the .htaccess file to be overwritten. If someone found a way to overwrite the file couldn't that person overwrite any file owned by the ftp user anyway? Also I don't see how someone being able to overwrite the .htaccess file would allow them to grab the ftp password, especially if this is all transmitted over ssl.

I apologize, I'm not trying to start a flame war that I'm sure I'll lose. But, I am working on a script that does exactly this and if I'm doing it wrong perhaps I should begin recoding it.

josh

On Fri, 3 May 2002, Mike Eheler wrote:
> If someone can overwrite your .htaccess there's a chance they can also view files through the same exploit (possibly). They could then get your FTP login info, and do a lot more damage than just removing password access to an area.
> Mike
> Serj wrote:
>> I'm not exactly sure why that is worse, could you elaborate a little?
>> Josh
>> On Fri, 3 May 2002, Miguel Cruz wrote:
>>> Thus leaving the FTP account's password in view of the httpd, which is even worse...
>>> miguel
>>> On Fri, 3 May 2002, serj wrote:
>>>> You could use fopen() to connect to the file via ftp therefore keeping the .htaccess file owned by the user for increased security.
>>>> Josh Boughner
>>>> On Fri, 3 May 2002, Mike Eheler wrote:
>>>>> It's possible, but is it really recommended? Wouldn't the .htaccess/.htpasswd file have to be owned by the apache user, which might leave it open to being overwritten by any kind of a weak/exploitable script?
>>>>> Mike
>>>>> Josh Valerie McCormack wrote:
>>>>>> I've used the script phtaccess, which I think used the mentioned class. Super easy to use.
>>>>>> Josh
>>>>>>> On Wed, 1 May 2002, Kelly Meeks wrote:
>>>>>>>> Is it possible to use php to admin a password file used by a .htaccess file?
>>>>>>> You should check the File_Passwd class from PEAR.
>>>>>>> http://chora.php.net/cvs.php/php4/pear/File
>>>>>>> --
>>>>>>> Mika Tuupola http://www.appelsiini.net/~tuupola/

Re: [PHP] php/.htaccess/.htpasswd
On Wed, 1 May 2002, Kelly Meeks wrote:
> Is it possible to use php to admin a password file used by a .htaccess file?

You should check the File_Passwd class from PEAR.

http://chora.php.net/cvs.php/php4/pear/File

--
Mika Tuupola http://www.appelsiini.net/~tuupola/

[PHP] php/.htaccess/.htpasswd
Is it possible to use php to admin a password file used by a .htaccess file?

I know that sometimes it is easier/more robust to manage password protection via sessions/database, but I've got a client that wants to use a .htaccess file.

How do you deal with the encryption of the passwords, etc?

I appreciate any guidance,

Kelly

Re: [PHP] php/.htaccess/.htpasswd
Yes, it's certainly possible. There are classes out there that manage .htaccess permissions for you and provide a web interface to do it. The scripts will write the appropriate .htaccess files based on what you choose to do. Search hotscripts.com or phpclasses.org for one of them.

The passwords are made using crypt(). So you take the user's password, crypt() it, and compare it to what's in the file.

I would recommend you get one of the administration classes, though, rather than re-creating the wheel.

---John Holmes...

- Original Message -
From: Kelly Meeks [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 01, 2002 2:12 PM
Subject: [PHP] php/.htaccess/.htpasswd

> Is it possible to use php to admin a password file used by a .htaccess file?
> I know that sometimes it is easier/more robust to manage password protection via sessions/database, but I've got a client that wants to use a .htaccess file.
> How do you deal with the encryption of the passwords, etc?
> I appreciate any guidance,
> Kelly
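
The following is an added example, not code from any poster in this thread: it checks a password with crypt() as John Holmes describes and replaces the password file in one atomic step. The function names and the demo path are hypothetical, and it assumes an Apache build that accepts bcrypt (`$2y$`) entries.

```php
<?php
/** Parse "user:hash" lines into an array keyed by user name. */
function htpasswd_load(string $path): array
{
    $users = [];
    $lines = is_readable($path) ? file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    foreach ($lines ?: [] as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $users[$parts[0]] = $parts[1];
        }
    }
    return $users;
}

/** crypt() with the stored hash as salt, compared in constant time (not for $apr1$ or {SHA}). */
function htpasswd_verify(array $users, string $user, string $password): bool
{
    return isset($users[$user]) && hash_equals($users[$user], crypt($password, $users[$user]));
}

/** Add or replace one entry; the file is swapped in whole so httpd never reads half of it. */
function htpasswd_set(string $path, string $user, string $password): void
{
    // A ':' or line break in the name would inject extra fields or entries.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    $lock = fopen($path . '.lock', 'c');           // serialises concurrent writers
    if ($lock === false || !flock($lock, LOCK_EX)) {
        throw new RuntimeException('cannot lock password file');
    }
    $users = htpasswd_load($path);
    $users[$user] = password_hash($password, PASSWORD_BCRYPT);   // "$2y$..." entry
    $out = '';
    foreach ($users as $name => $hash) {
        $out .= $name . ':' . $hash . "\n";
    }
    $tmp = tempnam(dirname($path), 'htp');         // same directory, so rename() is atomic
    $ok = $tmp !== false && file_put_contents($tmp, $out) !== false
        && chmod($tmp, 0640) && rename($tmp, $path);
    fclose($lock);                                 // closing the handle releases the lock
    if (!$ok) {
        throw new RuntimeException('cannot write password file');
    }
}

$demo = sys_get_temp_dir() . '/demo.htpasswd';     // constructed demo path and credentials
htpasswd_set($demo, 'kelly', 'constructed-passphrase');
var_dump(htpasswd_verify(htpasswd_load($demo), 'kelly', 'constructed-passphrase'));
```

Which account this code runs as decides who can write the file, which is the ownership concern Mike Eheler raises in the thread.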