username validation in php

// start code snipet
$user= "username";
$pass= "password";

if (( $PHP_AUTH_USER != $user) || ( $PHP_AUTH_PW != $pass)) {
header("WWW-Authenticate: Basic realm=\"PhpWiki\"");
header("HTTP/1.0 401 Unauthorized");
echo "You entered an invalid login or password.<BR>";
echo "You entered $PHP_AUTH_USER for a username.<BR>";
echo "You entered $PHP_AUTH_PW for a password.<BR>";
exit;
}
echo "You entered $PHP_AUTH_USER for a username.<BR>";
echo "You entered $PHP_AUTH_PW for a password.<BR>";
// end code snipet

This code invariably fails, and the echo statements return blank values
for $PHP_AUTH_USER and $PHP_AUTH_PW. Aren't those two set automatically
when the dialogue box pops up, or do I need to add extra code somewhere
for this to work?


--
--
Fabian
Visit my website often and for long periods!
http://www.lajzar.co.uk

In article <325cgoF3j1kjlU1@individual.net>,
"Fabian" <lajzar@hotmail.com> wrote:
[color=blue]
> // start code snipet
> $user= "username";
> $pass= "password";
>
> if (( $PHP_AUTH_USER != $user) || ( $PHP_AUTH_PW != $pass)) {
> header("WWW-Authenticate: Basic realm=\"PhpWiki\"");
> header("HTTP/1.0 401 Unauthorized");
> echo "You entered an invalid login or password.<BR>";
> echo "You entered $PHP_AUTH_USER for a username.<BR>";
> echo "You entered $PHP_AUTH_PW for a password.<BR>";
> exit;
> }
> echo "You entered $PHP_AUTH_USER for a username.<BR>";
> echo "You entered $PHP_AUTH_PW for a password.<BR>";
> // end code snipet
>
> This code invariably fails, and the echo statements return blank values
> for $PHP_AUTH_USER and $PHP_AUTH_PW. Aren't those two set automatically
> when the dialogue box pops up, or do I need to add extra code somewhere
> for this to work?[/color]

No. $PHP_AUTH_USER and $PHP_AUTH_PW aren't defined on my server. What
are they? I don't find reference to them in any of my books or the php
manual site. Where are you reading that these are valid?

http://us2.php.net/manual/en/features.http-auth.php

--
DeeDee, don't press that button! DeeDee! NO! Dee...

.oO(Fabian)
[color=blue]
>This code invariably fails, and the echo statements return blank values
>for $PHP_AUTH_USER and $PHP_AUTH_PW. Aren't those two set automatically
>when the dialogue box pops up, or do I need to add extra code somewhere
>for this to work?[/color]

Using Register Globals
http://www.php.net/manual/en/security.globals.php

Micha

Michael Fesser hu kiteb:
[color=blue]
> .oO(Fabian)
>[color=green]
>> This code invariably fails, and the echo statements return blank
>> values for $PHP_AUTH_USER and $PHP_AUTH_PW. Aren't those two set
>> automatically when the dialogue box pops up, or do I need to add
>> extra code somewhere for this to work?[/color]
>
> Using Register Globals
> http://www.php.net/manual/en/security.globals.php[/color]

ok, that explains where the variable got set from. It seems I have two
possible solutions.

1 - turn on global variables. Given my hosting providor, I'm not sure if
this is an option, and that page suggests there was probably a very good
reason for disabling it.

2 - What is the usual workaround for restrictng page access without
using that particular variable?


--
--
Fabian
Visit my website often and for long periods!
http://www.lajzar.co.uk

.oO(Fabian)
[color=blue]
>Michael Fesser hu kiteb:
>[color=green]
>> Using Register Globals
>> http://www.php.net/manual/en/security.globals.php[/color]
>
>ok, that explains where the variable got set from. It seems I have two
>possible solutions.
>
>1 - turn on global variables.[/color]

Nope.

Instead of $PHP_AUTH_USER you use $_SERVER['PHP_AUTH_USER']. The same
goes for values sent to the server from a form, they can be found in the
array $_GET or $_POST.
[color=blue]
>Given my hosting providor, I'm not sure if
>this is an option, and that page suggests there was probably a very good
>reason for disabling it.[/color]

It's off by default, you should learn how to write scripts that don't
rely on register_globals anymore.
[color=blue]
>2 - What is the usual workaround for restrictng page access without
>using that particular variable?[/color]

Try the above first and read the following page:

HTTP authentication with PHP
http://www.php.net/manual/en/features.http-auth.php

Notice the first line:

"The HTTP Authentication hooks in PHP are only available when it is
running as an Apache module and is hence not available in the CGI
version."

What do you use - module or CGI? If unsure check the output of phpinfo()
for the line "Server API".

Micha

Michael Fesser hu kiteb:
[color=blue]
> .oO(Fabian)
>[color=green]
>> Michael Fesser hu kiteb:
>>[color=darkred]
>>> Using Register Globals
>>> http://www.php.net/manual/en/security.globals.php[/color]
>>
>> ok, that explains where the variable got set from. It seems I have
>> two possible solutions.
>>
>> 1 - turn on global variables.[/color]
>
> Nope.
>
> Instead of $PHP_AUTH_USER you use $_SERVER['PHP_AUTH_USER']. The same
> goes for values sent to the server from a form, they can be found in
> the array $_GET or $_POST.[/color]

This one didn't work either :(





--
--
Fabian
Visit my website often and for long periods!
http://www.lajzar.co.uk