Mark Reed wrote:
> On May 8, 7:53 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Mark Reed wrote:
>>> So, how can I NOT have PHP_AUTH_PW set? I'd kinda rather not have
>>> people's passwords just hanging around in $_SERVER for code to do
>>> whatever it wants with it.
>> Unless someone hacks your server, it isn't a problem. But if someone
>> hacks the server, you have more important things to worry about.
>
> It's not quite that simple. I'm more concerned about passwords
> accidentally being revealed than I am about malicious attacks, since
> the server is on a corporate LAN that's not exposed to the Internet.
> Having the password hang around means that something as simple as
> adding a print_r($_SERVER); for debugging purposes will cause the
> password to show up in clear text in the browser window. That's not
> cool.
>
If you can't trust your developers, you're in trouble.
And anything you take out they can easily bypass.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
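
As an added example (not code from anyone in this thread), one way to keep a debugging dump such as `print_r($_SERVER)` from showing the password is to dump a redacted copy, and to remove the credential entries from `$_SERVER` once they are no longer needed. The helper names and the sample values are assumptions made for illustration.

```php
<?php
// $_SERVER entries that can carry HTTP auth credentials; which of them
// are present depends on the SAPI and the web server configuration.
const SENSITIVE_SERVER_KEYS = [
    'PHP_AUTH_PW',
    'PHP_AUTH_DIGEST',
    'HTTP_AUTHORIZATION',
    'REDIRECT_HTTP_AUTHORIZATION',
];

/** Return a copy of $server with credential values replaced by a marker. */
function redact_server(array $server): array
{
    foreach (SENSITIVE_SERVER_KEYS as $key) {
        if (array_key_exists($key, $server)) {
            $server[$key] = '[redacted]';
        }
    }
    return $server;
}

/**
 * Remove the credential entries from $_SERVER for the rest of the request.
 * Returns the password so a caller that still has to verify it can do so.
 * This only prevents accidental disclosure: the Authorization header can
 * still be read by other means, e.g. apache_request_headers().
 */
function scrub_auth_from_server(): ?string
{
    $password = $_SERVER['PHP_AUTH_PW'] ?? null;
    foreach (SENSITIVE_SERVER_KEYS as $key) {
        unset($_SERVER[$key]);
    }
    return $password;
}

// Constructed sample standing in for a real request's $_SERVER.
$sample = [
    'REQUEST_URI'        => '/report.php',
    'PHP_AUTH_USER'      => 'alice',
    'PHP_AUTH_PW'        => 'example-password',
    'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:example-password'),
];

print_r(redact_server($sample)); // user name stays visible, secrets do not
```

Calling `scrub_auth_from_server()` from a file loaded through `auto_prepend_file` applies it to every script without touching each one.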