Miles Thompson <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> IIS I'm not familiar with, and Apache has a native scheme involving
> .htaccess.
>
> If you want a portable authentication method, I'd recommend authenticating
> against a list of users/passwords contained in a database. Using MySQL,
> PostgreSQL or Interbase would keep your database platform neutral, and low
> cost.
>
> Here's code picked up from a Rasmus Lerdorf article which authenticates
> against a MySQL database, there are variations on this everywhere. I put
> this in a file called auth.inc, and then the top of every page which
> requires authentication simply includes "auth.inc".
>
> ------------cut------------
> <? require( "dbname.inc" );
[SNIP]
Better yet, as this *is* supposed to be secure, call your files .php as
opposed to .inc. I have seen this far too many times to count now, and it's
a massive developer-induced security hole. If you name your files .inc, 99%
of webservers, if asked for a .inc file, will pass it straight through as
plain text... thus exposing usernames, passwords, possible bugs in your code
and god knows what else. If you name it .php, it gets parsed as a PHP
script, and so no output.
--
Rick Hodger
--
PHP General Mailing List (http://www.php.net/)