PhpDig.net

Old 02-20-2004, 11:31 PM   #1
vinyl-junkie
Purple Mole
 
Join Date: Jan 2004
Posts: 694
Alternate script for index.php

If anyone has followed the authentication problems I had with my site which is on a Windows server (see this thread), I've modified the admin/index.php script to handle user authentication in a slightly different way to solve that problem. You can view my modified script here. Note that if you use it, you'll no longer need to use auth.php.

I also added a feature that gives the user 3 tries to authenticate, then calls the sleep function for 10 seconds. That is to discourage anyone from running their own script to try hacking into the administration functions.

I welcome any comments, criticisms, etc. regarding my script. Thanks.
Old 02-23-2004, 12:29 PM   #2
Charter
Head Mole
 
Join Date: May 2003
Posts: 2,539
Hi. Thanks for the mod submission, but...

Your authentication method only protects the admin/index.php file. It does not offer protection should someone access other files in the admin directory.

For example, from your site:
Code:
Search Terms  Num Time  Total Results  Avg Time 
review        16        112            0.10 
sample        1         1              0.02 
born          1         1              0.01 
charter       1         0              0.00
I would not recommend using the authentication method you posted.

From php.net is the following:

Also note that until PHP 4.3.3, HTTP Authentication did not work using Microsoft's IIS server with the CGI version of PHP due to a limitation of IIS. In order to get it to work in PHP 4.3.3+, you must edit your IIS configuration "Directory Security". Click on "Edit" and only check "Anonymous Access", all other fields should be left unchecked.

Another limitation is if you're using the IIS module (ISAPI), you may not use the PHP_AUTH_* variables but instead, the variable HTTP_AUTHORIZATION is available. For example, consider the following code:
Code:
list($user, $pw) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));

IIS Note: For HTTP Authentication to work with IIS, the PHP directive cgi.rfc2616_headers must be set to 0 (the default value).

Note: If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header.

If the auth.php that comes with PhpDig does not work for you, then protect the admin directory with something like htaccess instead.

One thing though...

Thanks to your post, I checked the scripts in the admin directory and anyone using PHPDIG_ADM_AUTH in the config.php file should read this thread.
__________________
Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.
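An added example, not part of the thread and not PhpDig's own auth.php: a shared guard that every script in the admin directory includes, so the check does not depend on entering through index.php, and that reads credentials from either PHP_AUTH_* or HTTP_AUTHORIZATION as the php.net note describes. The file name, function names, realm and credentials are hypothetical, and the code assumes a current PHP version (7.1 or later).

```php
<?php
// admin_guard.php (hypothetical name). Every script in the admin directory,
// not only index.php, starts with: require __DIR__ . '/admin_guard.php';

// Constructed sample credentials. The hash is computed here only to keep the
// sample self-contained; in practice store a precomputed hash outside the web root.
const ADMIN_USER = 'admin';
define('ADMIN_HASH', password_hash('constructed-sample-password', PASSWORD_DEFAULT));

// Return [user, password] from whichever variables the server API provides.
function read_basic_credentials(array $server): ?array
{
    // Builds that support PHP's HTTP authentication populate PHP_AUTH_*.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // IIS ISAPI case from the php.net note: only HTTP_AUTHORIZATION is set.
    $header = $server['HTTP_AUTHORIZATION'] ?? '';
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null; // malformed header: treat as unauthenticated
    }
    // Limit to 2 parts so a password containing ':' is not truncated.
    return explode(':', $decoded, 2);
}

function is_admin(array $server): bool
{
    $creds = read_basic_credentials($server);
    if ($creds === null) {
        return false;
    }
    [$user, $pw] = $creds;
    // Evaluate both checks so the response does not reveal which one failed.
    $userOk = hash_equals(ADMIN_USER, $user);
    $pwOk = password_verify($pw, ADMIN_HASH);
    return $userOk && $pwOk;
}

// Runs on include: any admin script requested directly is still challenged.
if (!is_admin($_SERVER)) {
    header('WWW-Authenticate: Basic realm="Admin"');
    http_response_code(401);
    exit('Authentication required.');
}
```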
Old 02-23-2004, 07:52 PM   #3
vinyl-junkie
Purple Mole
 
Join Date: Jan 2004
Posts: 694
Thanks for the evaluation of my script, Charter. I'm still pretty new to PHP, so I wasn't too sure if it would fly or not. That's one of the beauties of open-source though. Someone else can tell you if there are security holes.

I don't believe it is possible to protect a directory with .htaccess on a Windows server. What I've been doing is just removing the authentication requirement when I want to spider the site, then putting it back up when I'm done. Not the most convenient way of doing things, but it works.

BTW, my Windows site is on PHP 4.3.2. I guess that according to your post, that means I can't use HTTP authentication?