posted at: 4:47 pm on Thu 27th Apr 2006 , filed under: programming

Using PHP's native HTTP authentication support to authenticate against an external password database is a very risky proposition. After authentication, PHP keeps both the username and the plaintext password in its global `$_SERVER` array, where any PHP script in the request can read them back with `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`. This is quite naive on the part of the PHP developers: why you would EVER want to keep the password sitting in a variable is beyond me.

If you are planning to secure your PHP pages or scripts against an external authentication database such as LDAP, use an external authentication method instead of PHP's native one, for example Apache's auth_ldap module.
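The following is an added example, not code from the original post. It shows the exposure the post describes (the plaintext password sits in `$_SERVER['PHP_AUTH_PW']` for the rest of the request) and the minimal mitigation if you must handle HTTP Basic credentials in PHP at all: verify them once, then remove them from `$_SERVER` so that nothing included later in the request can read them. The user store, the `require_basic_auth` function name and the included `page_body.php` are assumptions made for the example; `password_hash` and `password_verify` are the standard PHP 5.5+ functions. Note that when PHP runs as an Apache module, it still fills `PHP_AUTH_USER` and `PHP_AUTH_PW` from the `Authorization` header even if Apache performed the LDAP check, so the scrubbing step is worthwhile in that setup as well.

```php
<?php
// Added example (not from the original post): HTTP Basic authentication that
// verifies the credentials once and then scrubs the plaintext password from
// the request globals, so that nothing included later can read it back out
// of $_SERVER.

// Constructed sample user store: username => password hash. A real deployment
// stores precomputed hashes in its user database; the hash is generated here
// at request time only so that the example is self-contained.
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hash used when the username is unknown, so that password_verify() runs in
// both cases and the response time does not reveal which usernames exist.
$DUMMY_HASH = password_hash('dummy-' . bin2hex(random_bytes(8)), PASSWORD_DEFAULT);

function require_basic_auth(array $users, string $dummyHash): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    $known = isset($users[$user]);
    $ok    = password_verify($pass, $known ? $users[$user] : $dummyHash) && $known;

    // Scrub the plaintext credentials immediately, whether or not the check
    // passed. Code that runs after this point sees only the verified
    // username returned below, never the password.
    unset($_SERVER['PHP_AUTH_PW'], $_SERVER['PHP_AUTH_USER']);
    // Under CGI/FastCGI the raw header may be exposed instead of (or in
    // addition to) the PHP_AUTH_* entries; clear those too.
    unset($_SERVER['HTTP_AUTHORIZATION'], $_SERVER['REDIRECT_HTTP_AUTHORIZATION']);
    // Drop our own reference as well so the value is not kept alive by this frame.
    $pass = '';

    if (!$ok) {
        header('WWW-Authenticate: Basic realm="Restricted"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required';
        exit;
    }
    return $user;
}

$current_user = require_basic_auth($USERS, $DUMMY_HASH);

// From here on only $current_user is available to the rest of the request;
// the hypothetical included script below cannot read PHP_AUTH_PW.
require 'page_body.php';
```

The important line is the `unset()` of the `PHP_AUTH_*` (and raw `Authorization`) entries before any other code runs: it turns "the password is available to every script for the whole request" into "the password existed for the duration of one hash comparison".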
