Re: Prevent setting of PHP_AUTH_PW?
On May 8, 7:53 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Mark Reed wrote:
> > So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
> > people's passwords just hanging around in $_SERVER for code to do
> > whatever it wants with it.
>
> Unless someone hacks your server, it isn't a problem. But if someone
> hacks the server, you have more important things to worry about.
It's not quite that simple. I'm more concerned about passwords
accidentally being revealed than I am about malicious attacks, since
the server is on a corporate LAN that's not exposed to the Internet.
Having the password hang around means that something as simple as
adding a print_r($_SERVER); for debugging purposes will cause the
password to show up in clear text in the browser window. That's not
cool.
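
The accidental disclosure described in the post above can be contained with a debugging helper that redacts credential keys before anything is printed. This is an added example, not code from the thread; the names `REDACT_KEYS`, `redact_credentials` and `debug_dump_server` are hypothetical, and the sample array is constructed.

```php
<?php
// Added example; function and constant names are hypothetical.

// $_SERVER keys that PHP or the web server may populate with HTTP credentials.
const REDACT_KEYS = [
    'PHP_AUTH_PW',
    'PHP_AUTH_DIGEST',
    'HTTP_AUTHORIZATION',
    'REDIRECT_HTTP_AUTHORIZATION',
    'HTTP_COOKIE',
];

// Return a copy of $data with credential values replaced, recursing into
// nested arrays (for example 'argv'). The original array is left untouched.
function redact_credentials(array $data): array
{
    foreach ($data as $key => $value) {
        if (in_array(strtoupper((string) $key), REDACT_KEYS, true)) {
            $data[$key] = '[REDACTED]';
        } elseif (is_array($value)) {
            $data[$key] = redact_credentials($value);
        }
    }
    return $data;
}

// Drop-in replacement for print_r($_SERVER) in debugging code: redacts first,
// then HTML-escapes so header values cannot inject markup into the page.
function debug_dump_server(array $server): string
{
    $text = print_r(redact_credentials($server), true);
    return '<pre>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed sample standing in for $_SERVER on a Basic-auth request.
$sample = [
    'REQUEST_URI'        => '/report.php',
    'PHP_AUTH_USER'      => 'mreed',
    'PHP_AUTH_PW'        => 'constructed-password',
    'HTTP_AUTHORIZATION' => 'Basic (constructed value)',
    'argv'               => [],
];

// In real code: echo debug_dump_server($_SERVER);
echo debug_dump_server($sample);
```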