Re: Prevent setting of PHP_AUTH_PW?
Mark Reed wrote:
> On May 9, 11:33 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> If you can't trust your developers, you're in trouble.
>>
>> And anything you take out they can easily bypass.
>
> For the third time, I'm not worried about malicious attacks. I don't
> care how much I trust my developers... and in this case, I'm also the
> developer, so that's a lot of trust... I don't want anyone's passwords
> exposed. That said, I'm not trying to make it impossible to retrieve
> passwords - all I'm trying to do is make it not automatic. This does
> not seem to me like an outlandish request.
>
> I don't even understand why the password is made available in the
> first place. It seems that either you're doing the authentication
> with PHP code, in which case the password is submitted to PHP as a
> form field, or you're doing it in the web server, in which case the
> PHP has no need to ever see the password.
>
> Anyway, if you don't know of a way to prevent this behavior, that's
> fine, but please stop telling me that it's unreasonable for me to want
> to do so.
>
> I'd settle for a way to insert a script that unsets it before any
> other PHP is run. I don't suppose there's any way to insert a PHP
> script that gets executed ahead of any other PHP code on the site?
The only person you'd be protecting against is you. I think you should stop
getting fixated on something that is a total waste of time and get on with
something useful.