Hi, I'm trying to set up HTTP authentication for some of my pages and I can't seem to get it to work. For example at the very top of a page that I would like to have HTTP authentication on I have the following script:
if ((!isset($PHP_AUTH_USER)) ||
    (!isset($PHP_AUTH_PW)) ||
    ($PHP_AUTH_USER != "guest") ||
    ($PHP_AUTH_PW != "guest"))
{
    header('WWW-Authenticate: Basic realm="Private Area"');
    header("HTTP/1.1 401 Unauthorized");
    print "This page requires authorisation.";
    exit();
}
else
{
    print "You're through to the secret page, was the effort worth it?";
}
For some reason though when I try to enter guest as the username and password the authentication window just pops up again and I'm given 3 tries until the error message prints. Any ideas? Thanks.
bobsta63 wrote: To turn on register globals, open the PHP.ini file on a Windows-based PC, usually found in C:\WINDOWS\PHP.ini, and scroll down and just set:
register_globals = Off
to... amazingly...
register_globals = On
See if that works mate
Highly recommended you leave register globals off.
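Added example, not part of the original thread: the same check written so it works with register_globals = Off, reading the credentials from $_SERVER instead of the auto-registered $PHP_AUTH_USER / $PHP_AUTH_PW. The function names basic_auth_credentials and is_authorised are made up for this sketch, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: Basic auth check that works with register_globals = Off.
// Credentials are read from $_SERVER, never from auto-registered globals.

/**
 * Return [user, password] from the request, or null if none were sent.
 * Falls back to parsing the Authorization header, which some CGI/FastCGI
 * setups expose as HTTP_AUTHORIZATION instead of PHP_AUTH_USER/PHP_AUTH_PW.
 */
function basic_auth_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (stripos($header, 'Basic ') === 0) {
        $decoded = base64_decode(substr($header, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2); // password may itself contain ':'
        }
    }
    return null;
}

function is_authorised(array $server, string $user, string $pass): bool
{
    $creds = basic_auth_credentials($server);
    if ($creds === null) {
        return false;
    }
    // hash_equals() compares in constant time; evaluate both before combining.
    $userOk = hash_equals($user, $creds[0]);
    $passOk = hash_equals($pass, $creds[1]);
    return $userOk && $passOk;
}

// "guest"/"guest" are the demo values from the question above.
if (!is_authorised($_SERVER, 'guest', 'guest')) {
    header('WWW-Authenticate: Basic realm="Private Area"');
    header('HTTP/1.1 401 Unauthorized');
    print "This page requires authorisation.";
    exit();
}
print "You're through to the secret page, was the effort worth it?";
```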
http://php.net/regoster_globals wrote: Perhaps the most controversial change in PHP is when the default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common and many people didn't even know it existed and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.
When on, register_globals will inject (poison) your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by users and disabling register_globals changes this. Let's demonstrate with an example misuse of register_globals: