Old 02-23-2004, 11:29 AM   #2
Charter
Head Mole
Join Date: May 2003
Posts: 2,539
Hi. Thanks for the mod submission, but...

Your authentication method only protects the admin/index.php file. It does not offer protection should someone access other files in the admin directory.

For example, from your site:
Code:
Search Terms  Num Time  Total Results  Avg Time 
review        16        112            0.10 
sample        1         1              0.02 
born          1         1              0.01 
charter       1         0              0.00
I would not recommend using the authentication method you posted.

From php.net is the following:

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked.

Another limitation is if you're using the IIS module (ISAPI), you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code: list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

IIS Note:: For HTTP Authentication to work with IIS, the PHP directive cgi.rfc2616_headers must be set to 0 (the default value).

Note: If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header.

If the auth.php that comes with PhpDig does not work for you, then protect the admin directory with something like htaccess instead.

One thing though...

Thanks to your post, I checked the scripts in the admin directory and anyone using PHPDIG_ADM_AUTH in the config.php file should read this thread.
__________________
Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.
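The problem described in the post above is per-file authentication: a check that lives only in admin/index.php leaves every other script in the directory reachable. The following is an added example, not PhpDig's own auth.php, of a single include that every admin script must require; it also handles the IIS ISAPI case from the php.net excerpt, where only HTTP_AUTHORIZATION is available. It assumes PHP 5.6 or later (for hash_equals and password_verify), and the credential values are constructed placeholders.

```php
<?php
// Added example (not PhpDig's auth.php): require this file at the top of EVERY
// script in the admin directory, not just index.php, so the stats, config and
// update scripts are protected too.
// Placeholder credentials; in real use store a precomputed password_hash()
// result in config.php instead of hashing on each request.
define('ADMIN_USER', 'admin');
define('ADMIN_PW_HASH', password_hash('change-me', PASSWORD_DEFAULT));

function admin_credentials()
{
    // Apache module / CGI case: PHP fills in the PHP_AUTH_* variables.
    if (isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        return array($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    }
    // IIS ISAPI case from the php.net note: only HTTP_AUTHORIZATION is set,
    // holding "Basic " followed by base64("user:password").
    if (isset($_SERVER['HTTP_AUTHORIZATION'])
        && stripos($_SERVER['HTTP_AUTHORIZATION'], 'Basic ') === 0) {
        $decoded = base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            // Limit to 2 parts: the password itself may contain ':'.
            return explode(':', $decoded, 2);
        }
    }
    return null;
}

function require_admin_auth()
{
    $creds = admin_credentials();
    if ($creds !== null
        && hash_equals(ADMIN_USER, $creds[0])      // constant-time compare
        && password_verify($creds[1], ADMIN_PW_HASH)) {
        return; // authenticated; the including script carries on
    }
    // Any other case: challenge the browser and stop before any admin output.
    header('WWW-Authenticate: Basic realm="PhpDig admin"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authentication required.');
}

require_admin_auth();
```

A script that forgets the require is still exposed, so when the directory can be protected at the web server level (Apache .htaccess with AuthType Basic, as the post suggests) that covers every file without relying on each script.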