On Sun, 17 Nov 2002, Rasmus Lerdorf wrote: > > > But why do you assume that the documentation was right and the code was > > > wrong and not the other way around? > > > > Because it was working like documented before. (When the documentation > > was written). Anyway, not sure what to do with this one... > > I don't have the energy to do a cvs check, but I remember adding this > restriction years ago (php2 days) and then removing it (by commenting out > the check) ages ago as well. I'm not sure PHP4 ever had this check turned > on (the commented out check was ported to php4), so the documentation has > not reflected reality in a very long time.
I agree that this change is going to break a lot of code. Some of it is my own :) I suggest that we always populate $PHP_AUTH_USER since that one has no security consequences and the information is awailable elsewhere ($_SERVER['REMOTE_USER']). $PHP_AUTH_PW should be set when there are no safe_mode/open_basedir restrctions in effects. Would this solution be satisfactory to everyone? Edin -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php