PDA

View Full Version : Alternate script for index.php


vinyl-junkie
02-20-2004, 11:31 PM
If anyone has followed the authentication problems I had with my site which is on a Windows server (see this thread (http://www.phpdig.net/showthread.php?s=&threadid=496)), I've modified the admin/index.php script to handle user authentication in a slightly different way to solve that problem. You can view my modified script here (http://www.techtipscentral.net/search/admin/index.txt). Note that if you use it, you'll no longer need to use auth.php.

I also added a feature that gives the user 3 tries to authenticate, then calls the sleep function for 10 seconds. That is to discourage anyone from running their own script to try hacking into the administration functions.

I welcome any comments, criticisms, etc. regarding my script. Thanks. :)

Charter
02-23-2004, 12:29 PM
Hi. Thanks for the mod submission, but... :eek:

Your authentication method only protects the admin/index.php file. It does not offer protection should someone access other files in the admin directory.

For example, from your site:

Search Terms Num Time Total Results Avg Time
review 16 112 0.10
sample 1 1 0.02
born 1 1 0.01
charter 1 0 0.00

I would not recommend using the authentication method you posted. :no:

From php.net (http://www.php.net/manual/en/features.http-auth.php) is the following:

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked.

Another limitation is if you're using the IIS module (ISAPI), you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code: list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

IIS Note:: For HTTP Authentication to work with IIS, the PHP directive cgi.rfc2616_headers must be set to 0 (the default value).

Note: If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header.

If the auth.php that comes with PhpDig does not work for you, then protect the admin directory with something like htaccess instead.

One thing though... :)

Thanks to your post, I checked the scripts in the admin diretory and anyone using PHPDIG_ADM_AUTH in the config.php file should read this (http://www.phpdig.net/showthread.php?threadid=565) thread.

vinyl-junkie
02-23-2004, 07:52 PM
Thanks for the evaluation of my script, Charter. I'm still pretty new to PHP, so I wasn't too sure if it would fly or not. That's one of the beauties of open-source though. Someone else can tell you if there are security holes. ;)

I don't believe it is possible to protect a directory with .htaccess on a Windows server. What I've been doing is just removing the authentication requirement when I want to spider the site, then putting it back up when I'm done. Not the most convenient way of doing things, but it works.

BTW, my Windows site is on PHP 4.3.2. I guess that according to your post, that means I can't use HTTP authentication?