[SL] Re: Security problem

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

FOR GOD SAKE !!

WHO say that sql-ledger should include php !!?????

I just posted that example in php to **illustrate** the
whole thing !
so you can see there are NO .htpasswd files around using
http auth.
(and because it's the languaje I have at handy)

OF COURSE, iif sql-ledger incorporates http auth,
it should be written in perl.

/sergio
pd: PLEASE, stop messing things out...

----- Original Message -----
From: "Keith Mastin" <km...@be...>

> This is all pretty sweet, but adding php can be pretty confounding to a
user who
> is not using rpm or apt. Also, I am not sure that php is available to
someone
> using one of the "tiny" webservers.
> But thanks for posting the code!
>
> Quoting Sergio A. Kessler from [30/03/02 19:17 -0300]:
> > agreed 1000%, BUT
> > using http auth doesn't need to use apache htpasswd files !
> >
> > the user administering sql-ledger doesn't have to *anything*
> > different from now.
> >
> > take a look at this php script of my own, and see that I'm
> > using http auth, challenging against a postgres "users" table:
> >
> > <?php
> >
> >   header("Expires: Sat, Jan 01 2000 01:01:01 GMT");
> >   // past time, for preventing browser's cache, just in case
> >
> >   if (!isset($PHP_AUTH_USER))
> >   {
> >       header("WWW-Authenticate: Basic realm=\"ezDoc\"");
> >       header("HTTP/1.0 401 Unauthorized");
> >   }
> >   else
> >   {
> >       if ( ($PHP_AUTH_USER == "") or
> >            ($PHP_AUTH_PW == "") )
> >       {
> >           echo "Bad login.";
> >           exit;
> >       }
> >
> >       $db = DB::connect($ez_doc_db_dsn);
> >       if (DB::isError($db)) {
> >           die ($db->getMessage());
> >       }
> >
> >       $qry = "select * from ez_doc_users where usr_loginname =
> > '$PHP_AUTH_USER' and usr_password = '$PHP_AUTH_PW'";
> >
> >       $result = $db->query($qry);
> >       $row = $result->fetchRow(DB_FETCHMODE_ASSOC);
> >       $db->disconnect();
> >
> >       if ($row["usr_realname"] != "") {
> >           $usr_realname = $row["usr_realname"];
> >           $usr_loginname = $row["usr_loginname"];
> >       } else {
> >           echo "Bad login.";
> >           exit;
> >       }
> >   }
> >
> > ?>
> >
> > see ? pretty easy, there is no need to setup *anything*,
> > and the admin can still use the web interface for adding
> > users...
> >
> > you just send a special string to the browser and then
> > you can make the challenge against the database, a flat
> > file or your own, etc
> >
> > as far as the admin is concerned, *nothing* has changed...
> >
> > /sergio
> > ps: php provides automatically the global variables
> > PHP_AUTH_USER & PHP_AUTH_PW, I'm sure perl does have
> > something similar...
>
> --
> Keith Mastin      km...@be...
> BeechTree Information Technology Services Inc.
> 137 Laird Drive    M4G 3V5    Tel(416)696-6070
>    http://www.beechtree.ca
>
>