SAFE MODE!!
That's exactly what I was looking for...
It did the trick.
Thanks Chris.
-----Original Message-----
From: Chris [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 08, 2001 4:18 PM
To: php
Subject: Re: [PHP] security help
If you include a file as a link, so the browser sees:
www.myserver.com/sercuredir/image.jpg.
Than yes, you will be asked for a user and pass.
If you include the file in the code, like including another script file, or
reading the raw image data and outputting it, then .htaccess will be
ignored.
Basicaly, if you don't have safe mode php on, then using include, the code
and read any file that the webserver id has permission for.
> > > In addition,
> > >
> > > (if using .htaccess) They would only be able to read the .htpasswd
from
> > > public directory if they had first authorised themselves. The browser
> will
> > > prompt them to identify before it allows files from a protected
> directory to
> > > be included.
> > >
> >
> > James,
> >
> > are you sure about this? Afaik, no user authentication applies to PHP
> > include() calls. This would require PHP to integrate much closer with
> > Apache than I think it does (and makes sense).
>
> Hi Ben,
>
> I'm not positive, (btw, what does Afaik mean?), but I'd assume any request
> to files that are inside a directory that has an htaccess file would be
> ignored by anything until the username and password have been included
(I've
> used a PHP include on files before, which refer to files such as jpegs and
> gifs that reside in a protected directory, and I've run into the problem
of
> having to authenticate before the images are displayed).
>
> There's a good chance I'm wrong, but I'll be sure to double check tomorrow
> morning.
>
> On another note, I seem to have problems with opendir() and readdir()
(which
> one of the two I'm not sure). A simple script I've written will list all
> files in a directory I specify on one server, yet the same script (with
the
> document root changed accordingly) will return nothing with the other.
> Both servers are running the same version of PHP (4.02). It's probably
> something simple I've missed, though I'm sure that the CHMOD settings are
> the same, and I'm getting no script errors. Any ideas?
>
> James.
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
