> -----Original Message----- > From: Mikey [mailto:mikey@;splatted.net] > Sent: Monday, October 28, 2002 1:18 PM > To: Jack Kelly Dobson; [EMAIL PROTECTED] > Subject: RE: [PHP-WIN] PHP require() circumvents IIS security? Please > help. > > > > Hello, > > > > I just noticed something very concerning and hope someone has some > > answers... > > > > I'm running php 4.2.3 under W2k IIS as a .dll. > > > > I have a directory set up with no anonymous access to it and > > security set to > > "Integrated Windows Authentication". > > > > If I try to load the page directly from the browser > > "/my_site/my_secure_directory/password_protected_file.php" I get the > > password dialog from Windows asking me to log in. > > > > On the other hand: > > > > If I require the file from a non-protected file; say > "/index.php" has the > > line: > > > "require('/my_site/my_secure_directory/password_protected_file.php');" in > > it, I'm not asked for a password and the page is included in the output. > > > > Is there something I'm missing here, or is this a bug? > > It's not a bug - just a mis-understanding of what the authentication > mechanism is for... > > The directory security you have set is for users trying to access > your files > via HTTP (the web), whereas require is a tool for the developer to easily > re-use code, accessing the files directly from disk rather than via HTTP. > > HTH, > > Mikey > <-- Insert stream of consciousness here! >
Actually a misunderstanding of how require() works, but the answer I was looking for. Can I assume by this that all of the PHP functions that access files work outside of the scope of the webserver? I'm suffering from "just enough knowledge to get myself in trouble" syndrome. Thanks for the quick response. j- -- PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
