sKunKbad Posted February 13, 2007

With register globals off, this doesn't work:

```php
<?
/* Check for values in $PHP_AUTH_USER and $PHP_AUTH_PW */
if ((!isset($PHP_AUTH_USER)) || (!isset($PHP_AUTH_PW))) {
    /* No values: send headers causing dialog box to appear */
    header('WWW-Authenticate: Basic realm="My Private Stuff"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else if ((isset($PHP_AUTH_USER)) && (isset($PHP_AUTH_PW))) {
    /* Values contain some values, so check to see if they're correct */
    if (($PHP_AUTH_USER != "revelation") || ($PHP_AUTH_PW != "genesis")) {
        /* If either the username entered is incorrect, or the password
           entered is incorrect, send the headers causing dialog box to appear */
        header('WWW-Authenticate: Basic realm="The test of security page"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization Required.';
        exit;
    } else if (($PHP_AUTH_USER == "revelation") || ($PHP_AUTH_PW == "genesis")) {
        /* if both values are correct, print success message */
        echo "<P>You're authorized!</p>";
    }
}
?>
```

If I turn register globals on, it works fine, but I see that having it on is some kinda security risk or something, so what can I do? Does anyone have a basic way to password protect a file using PHP that doesn't need register globals on? Thanks for your help.

btherl Posted February 13, 2007

Try using `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` instead, and switch off register globals. That should be safe. Those variables are provided by the web server, so you find them in the `$_SERVER` array.

sKunKbad Posted February 13, 2007

Thanks btherl, what you suggested worked perfectly. I might need more help on this project. Specifically, I want to link multiple pages together, and have them all secured in this sort of way. Maybe there is a better way? I don't want people to have to log in every page though. Once they pass the login, it would be nice if they stayed logged in until they close their browser.

btherl Posted February 13, 2007

They'll stay logged in as long as the url matches where they logged in. Browsers will keep sending the same username and password with every request. I'm not sure what happens when you move to another url though.

JasonLewis Posted February 13, 2007

And just so you know, sKunKbad, if you had register globals on then you wouldn't need the `$_SERVER` part. But that is not recommended. Keep it off.

sKunKbad Posted February 13, 2007

Well, I'm obviously no professional when it comes to PHP, but I put a link in the page to another page that I copied and pasted the same PHP password protection code as above into, and it didn't make me type in the password again when I tested it, so I'm assuming that it's going to work perfectly for what I had in mind. I do a website for free for some dood that smuggles Bibles into China, and he wants a secure area of his website so he can post special pics and messages to donors and such. I don't know how 100% secure this is the way I have it, but I'm willing to listen if you have any better suggestions. I guess he might be paranoid about the Chinese govt ya know. Thanks for your time!

btherl Posted February 13, 2007

Not that I condone any illegal activities, but plain http authentication isn't a good level of security against a government. I would use SSL (https) as well, and ensure that the URLs (including any "get" arguments) don't contain any sensitive information. Still not perfect, but a vast improvement over unencrypted http.
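
The advice in the replies above (read the credentials from `$_SERVER`, protect several pages the same way, serve them over HTTPS) combined into one include file; this is an added example, not code posted in the thread. The file name `auth.php`, the function names and the password-hash placeholder are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// auth.php: added example, not code from the thread.
// AUTH_USER is the username from the original post. AUTH_PASS_HASH is a
// placeholder; generate a real value once with:
//   php -r 'echo password_hash("your password", PASSWORD_DEFAULT), "\n";'
const AUTH_REALM     = 'My Private Stuff';
const AUTH_USER      = 'revelation';
const AUTH_PASS_HASH = 'REPLACE_WITH_PASSWORD_HASH_OUTPUT'; // placeholder

// Pure check that takes the $_SERVER array as input, so it can be tested
// without sending headers.
function basic_auth_ok(array $server, string $user, string $passHash): bool
{
    // With register_globals off these exist only as $_SERVER entries.
    $givenUser = $server['PHP_AUTH_USER'] ?? null;
    $givenPass = $server['PHP_AUTH_PW'] ?? null;
    if (!is_string($givenUser) || !is_string($givenPass)) {
        return false; // the browser has not sent credentials yet
    }
    // Evaluate both checks every time and combine afterwards, so a wrong
    // username and a wrong password follow the same path.
    $userOk = hash_equals($user, $givenUser);
    $passOk = password_verify($givenPass, $passHash);
    return $userOk && $passOk;
}

function require_basic_auth(): void
{
    // Basic auth sends the password base64-encoded, not encrypted, so the
    // challenge is never issued over plain http.
    $https = $_SERVER['HTTPS'] ?? '';
    if ($https === '' || strtolower($https) === 'off') {
        header('HTTP/1.0 403 Forbidden');
        exit('HTTPS is required.');
    }
    if (!basic_auth_ok($_SERVER, AUTH_USER, AUTH_PASS_HASH)) {
        // Same realm on every page, so the browser reuses the login.
        header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
        header('HTTP/1.0 401 Unauthorized');
        exit('Authorization Required.');
    }
}

// In each protected page, before any output:
//   require __DIR__ . '/auth.php';
//   require_basic_auth();
```

Until the placeholder is replaced with a real `password_hash()` value, `password_verify()` rejects every password, so the pages stay locked rather than open.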