Hi

I am trying to use the below code to automatically update a .htpasswd file. The file is updated, but when I try to log in using the USERNAME / PASSWORD I have added to the file, it does not work. I must have a problem using the crypt() function???? Or should I be doing something completely different???

if (CRYPT_STD_DES == 1) {
echo ' We are using Standard DES: ';
}

$salt = "FB";
$user = $_POST['username'];
$pass = crypt($_POST['password'], $salt); // I have tried this using a salt like this.
// I have also tried it without a salt.

$filename = '.htpasswd';

$somecontent = $user.":".$pass."\r\n";

// Let's make sure the file exists and is writable first.
if (is_writable($filename)) {

// In our example we're opening $filename in append mode.
// The file pointer is at the bottom of the file hence
// that's where $somecontent will go when we fwrite() it.
if (!$handle = fopen($filename, 'a')) {
echo "Cannot open file ($filename)";
exit;
}

// Write $somecontent to our opened file.
if (fwrite($handle, $somecontent) === FALSE) {
echo "Cannot write to file ($filename)";
exit;
}

echo "Success, wrote ($somecontent) to file ($filename)";

fclose($handle);

} else {
echo "The file $filename is not writable";
}


Your help is most appreciated :-)

Jess
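
An added example (not part of the original post or of any reply) showing one way to build and store the .htpasswd entry the question asks about. It assumes PHP 5.5+ for password_hash() and Apache httpd 2.4 or later, which accepts bcrypt ("$2y$") hashes in .htpasswd; the function names and the file path are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes Apache httpd 2.4+ (bcrypt
// support in .htpasswd) and PHP 5.5+ (password_hash). Names are hypothetical.

/** Build one .htpasswd line, or return null if the input cannot be stored safely. */
function htpasswd_line(string $user, string $password): ?string
{
    // A ':' or a line break in the user name would corrupt the file or add an
    // extra entry, so only a conservative character set is accepted.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user) || $password === '') {
        return null;
    }
    // PASSWORD_BCRYPT yields a "$2y$..." hash with its own random salt.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    // One "user:hash" entry per line, ended by a plain "\n" like the htpasswd tool.
    return $user . ':' . $hash . "\n";
}

/** Add or replace a user's entry while holding an exclusive lock on the file. */
function htpasswd_set(string $file, string $user, string $password): bool
{
    $line = htpasswd_line($user, $password);
    if ($line === null || !($fh = fopen($file, 'c+'))) {
        return false;
    }
    flock($fh, LOCK_EX);
    $kept = [];
    while (($row = fgets($fh)) !== false) {
        // Drop any earlier entry for this user so exactly one remains.
        if (strpos($row, $user . ':') !== 0) {
            $kept[] = rtrim($row, "\r\n") . "\n";
        }
    }
    $kept[] = $line;
    ftruncate($fh, 0);
    rewind($fh);
    $ok = fwrite($fh, implode('', $kept)) !== false;
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Constructed sample input; in the form handler these would come from $_POST.
$file = sys_get_temp_dir() . '/example.htpasswd';
var_dump(htpasswd_set($file, 'jess', 'correct horse battery staple'));
var_dump(htpasswd_set($file, "eve\nadmin", 'x')); // line break in the name fails validation
```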

    .htaccess expects the passwords to be encrypted with the Unix crypt function, which is not DES but rather a one-way hash.

    BTW: If you're giving php write access to your .htaccess file you may as well not even have a .htaccess file.

      Thanks for the input :-)

      My script above uses the crypt() function?? The bit of code which mentions crypt_std_des is just a test to see what method the crypt function is using. I do not know how to change this?

      I am only writing to the .htpasswd file? Not the .htaccess file?

      Not sure what you mean 'If you're giving php write access to your .htaccess file you may as well not even have a .htaccess file.'?

      Thanks for your help :-)

        Originally posted by Jess1
        My script above uses the crypt() function?? The bit of code which mentions crypt_std_des is just a test to see what method the crypt function is using. I do not know how to change this?

        Try using exec("crypt($string)"); instead of the built in crypt command.

        I am only writing to the .htpasswd file? Not the .htaccess file?

        So John Cracker figures out how to run his php scripts on your system. John Cracker can now delete entries from your htpasswd file, enter his own or both. Big, big security hole. You're better off to use database stored user information.

          Thanks for the help :-)

          I will try using exec("crypt($string)"); and let you know.

          I would use a database but I can't point .htaccess to a database as I am using a shared server and would have to modify the .conf file which would affect everyone.

          I would love to just use php, mysql and sessions to manage access to my site. However, I am trying to protect images? Once people figure out the path to the images they will be able to get them unless I use .htaccess?

          Or is there another way?

          Thanks very much

          Jess

            Sure, use the php method to access the images through your web site. Then create a php file that when called uses imagecreatefrompng or imagecreatefromjpeg as is appropriate. Then use header to set the appropriate header. Then use imagepng to send the image to the user. Then in your .htaccess file for this directory set it to deny all, php can still read from the directory but web browsers can't get there.

            The image passthrough file would probably look something like this:

            <?php
            $imgDir = 'protected/images/';

            /* code to make sure the person is logged in. */

            // if they did not request a file
            if (!array_key_exists('filename', $_GET))
                die();
            // basename() drops any directory part, so "../" cannot escape $imgDir
            $file = $imgDir . basename($_GET['filename']);
            // if the requested file does not exist in the imgDir
            if (!file_exists($file))
                die();

            // ereg() no longer exists in current PHP; preg_match() replaces it
            if (preg_match('/\.jpe?g$/', $file))
                $im = imagecreatefromjpeg($file);
            elseif (preg_match('/\.png$/', $file))
                $im = imagecreatefrompng($file);
            else
                die();

            // the image is always re-encoded as PNG, so send the matching type
            header('Content-Type: image/png');
            imagepng($im);
            imagedestroy($im);
            ?>

            Code is untested and probably contains bugs
