du9757 2016-03-22 08:25
浏览 49
已采纳

PHP头认证奇怪的代码

I copied from PHP.net code for header authentication

Here is the code:

<?php
$valid_passwords = array ("Itay" => "1234", "beta" => "password");
$valid_users = array_keys($valid_passwords);
$user = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];
$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);
if (!$validated) {
  header('WWW-Authenticate: Basic realm="this is testing area. beta testers only!"');
  header('HTTP/1.0 401 Unauthorized');
  die ("Not authorized");
}
// If arrives here, is a valid user.
?>

Now, my question is why does this line:

$validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);

is used instead of

$validated = $pass == $valid_passwords[$user];

  • 写回答

1条回答 默认 最新

  • dongyunshan4066 2016-03-22 08:34
    关注
    $validated = (in_array($user, $valid_users)) && ($pass == $valid_passwords[$user]);

    This row check both that user exists and password is correct.

    if you remove user check, then user ="nonexisting" and password= "" will be valid (and of course, there will be notice.

    check:

    $pass = "";
$user = "any non existing"
$validated = ($pass == $valid_passwords[$user]); //here will be notice
var_dump($validated);
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥60 求一个简单的网页(标签-安全|关键词-上传)
  • ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图