Posted by Jason Barnett on 05/13/05 23:04

K.S. Tang wrote:
> Thanks you, There is no ['PHP_AUTH_USER'] nor ['PHP_AUTH_PW'] in var_dum()
> I've asked the server administrator, He said he has installed a php security
> patch two days ago.
>
> Could anyone tell me how to config the php server so that ['PHP_AUTH_USER']
> and ['PHP_AUTH_PW'] can be access or avaliable to me and the web browser
> ????

By default the php.ini settings should enable all PHP scripts to use
$_SERVER variables (i.e. values that are provided by Apache / IIS /
whatever). AFAIK you can limit this by changing the php.ini's
variables_order so that it doesn't include 'E'; or you can use some
combination of safe_mode, safe_mode_allowed_vars and / or
safe_mode_protected_vars to accomplish this as well. The manual says
that all of these except for variables_order are PHP_INI_SYSTEM, so the
only one of these settings that you can possibly change at runtime would be:

Within PHP it is sometimes possible to use getenv() to get the value of
an environment variable. I don't have the time to test this but you
might be able to try:

<?php

ini_set('variables_order', 'EGPCS');

$user = getenv('PHP_AUTH_USER');
$pw = getenv('PHP_AUTH_PW');

/** search this output for PHP_AUTH_USER or PHP_AUTH_PW */
var_dump($GLOBALS);

?>

[Back to original message]