PhpDig.net

PhpDig.net (http://www.phpdig.net/forum/index.php)
-   Mod Submissions (http://www.phpdig.net/forum/forumdisplay.php?f=24)
-   -   Alternate script for index.php (http://www.phpdig.net/forum/showthread.php?t=559)

vinyl-junkie 02-20-2004 10:31 PM

Alternate script for index.php
 
If anyone has followed the authentication problems I had with my site which is on a Windows server (see this thread), I've modified the admin/index.php script to handle user authentication in a slightly different way to solve that problem. You can view my modified script here. Note that if you use it, you'll no longer need to use auth.php.

I also added a feature that gives the user 3 tries to authenticate, then calls the sleep function for 10 seconds. That is to discourage anyone from running their own script to try hacking into the administration functions.

I welcome any comments, criticisms, etc. regarding my script. Thanks. :)

Charter 02-23-2004 11:29 AM

Hi. Thanks for the mod submission, but... :eek:

Your authentication method only protects the admin/index.php file. It does not offer protection should someone access other files in the admin directory.

For example, from your site:
Code:

Search Terms  Num Time  Total Results  Avg Time
review        16        112            0.10
sample        1        1              0.02
born          1        1              0.01
charter      1        0              0.00

I would not recommend using the authentication method you posted. :no:

From php.net is the following:

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked.

Another limitation is if you're using the IIS module (ISAPI), you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code: list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

IIS Note:: For HTTP Authentication to work with IIS, the PHP directive cgi.rfc2616_headers must be set to 0 (the default value).

Note: If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header.

If the auth.php that comes with PhpDig does not work for you, then protect the admin directory with something like htaccess instead.

One thing though... :)

Thanks to your post, I checked the scripts in the admin directory and anyone using PHPDIG_ADM_AUTH in the config.php file should read this thread.
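
The following is an added example, not PhpDig's auth.php and not the script vinyl-junkie posted. It shows the shape of a check that answers the objection above: a single include that is required at the top of every script in admin/, so no admin script is reachable without credentials, and that reads the credentials from whichever variables the SAPI provides (PHP_AUTH_* under the Apache module, the raw HTTP_AUTHORIZATION header under IIS ISAPI as the php.net note describes). The file name, the realm, the constants ADMIN_USER and ADMIN_PASS and the credential values are assumptions for the example; it needs PHP 5.6 or later for hash_equals().

```php
<?php
// admin/auth_check.php  (hypothetical file name; added example, not PhpDig's auth.php)
//
// require_once() this at the very top of EVERY script in admin/, not only
// index.php. A check that lives in index.php alone leaves every other admin
// script reachable by direct URL, which is the gap pointed out above.
// Needs PHP >= 5.6 for hash_equals().

// Assumed credentials for the example. A real deployment reads them from
// config.php and stores a password hash (password_hash/password_verify).
define('ADMIN_USER', 'admin');
define('ADMIN_PASS', 's3cret:with:colons');
define('ADMIN_REALM', 'PhpDig Admin');

// Return array($user, $password) from the request, or null if no usable
// Basic credentials were sent.
function admin_credentials_from_request() {
    // Apache module / FastCGI: PHP has already parsed the header for us.
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return array($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    }
    // IIS ISAPI and some CGI setups: only the raw header is available, as
    // the php.net note quoted above says. Apache CGI exposes it under the
    // REDIRECT_ prefix when a rewrite rule forwards it.
    $raw = '';
    if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
        $raw = $_SERVER['HTTP_AUTHORIZATION'];
    } elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
        $raw = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    }
    if (strncasecmp($raw, 'Basic ', 6) !== 0) {
        return null;
    }
    // Strict decoding rejects malformed input instead of silently skipping it.
    $decoded = base64_decode(substr($raw, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the FIRST colon only: a password may itself contain colons,
    // which the plain list()/explode() idiom quoted above would truncate.
    list($user, $pw) = explode(':', $decoded, 2);
    return array($user, $pw);
}

// Constant-time comparison of both fields, so response timing does not
// reveal how much of the user name or password was right.
function admin_credentials_valid($user, $pw) {
    $user_ok = hash_equals(ADMIN_USER, (string) $user);
    $pass_ok = hash_equals(ADMIN_PASS, (string) $pw);
    return $user_ok && $pass_ok;
}

// Challenge the browser and stop the including script unless the request
// carries valid credentials. Nothing after this call runs unauthenticated.
function admin_require_auth() {
    $creds = admin_credentials_from_request();
    if ($creds !== null && admin_credentials_valid($creds[0], $creds[1])) {
        return;
    }
    header('WWW-Authenticate: Basic realm="' . ADMIN_REALM . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo with a constructed header: what a browser sends for
    // user "admin", password "s3cret:with:colons", then a wrong password.
    $_SERVER['HTTP_AUTHORIZATION'] = 'Basic ' . base64_encode('admin:s3cret:with:colons');
    list($u, $p) = admin_credentials_from_request();
    var_dump($u, $p, admin_credentials_valid($u, $p));
    $_SERVER['HTTP_AUTHORIZATION'] = 'Basic ' . base64_encode('admin:wrong');
    list($u, $p) = admin_credentials_from_request();
    var_dump(admin_credentials_valid($u, $p));
} else {
    admin_require_auth();
}
```

Two practical points about this approach. First, it only helps if every script in admin/ actually includes it; a directory-level control such as the .htaccess Charter suggests does not depend on each file remembering to do so, which is why it is the safer default where the server supports it. Second, on IIS the header only reaches PHP when the site's Directory Security allows Anonymous Access alone, exactly as the php.net note says; with Integrated or Basic authentication enabled in IIS, IIS consumes the Authorization header itself and the script never sees it.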

vinyl-junkie 02-23-2004 06:52 PM

Thanks for the evaluation of my script, Charter. I'm still pretty new to PHP, so I wasn't too sure if it would fly or not. That's one of the beauties of open-source though. Someone else can tell you if there are security holes. ;)

I don't believe it is possible to protect a directory with .htaccess on a Windows server. What I've been doing is just removing the authentication requirement when I want to spider the site, then putting it back up when I'm done. Not the most convenient way of doing things, but it works.

BTW, my Windows site is on PHP 4.3.2. I guess that according to your post, that means I can't use HTTP authentication?


Copyright © 2001 - 2005, ThinkDing LLC. All Rights Reserved.