.htaccess authentication control via PHP

Hi everyone,

I'm working on a project that requires multiple registered users to be
able to authenticate, and view an RSS feed. For securing an RSS feed,
the options are pretty slim, and so the basic .htaccess flavour of
authentication is pretty much the only way forward.

I've set up the necessary authentication files on the server side, and
that all works fine. What I need to do now, is create a script that
can modify the file containing valid usernames and passwords, so that
new users can be added automatically when necessary.

In principle this isn't a problem (as in, reading and writing to the
file isn't). The problem arises with the password encryption. You see,
the passwords are (obviously) encrypted before they're stored in the
file on the server. This is all fine and dandy when done directly via
the command line - but it seems that when I try to write to the file
via the PHP script, it doesn't encrypt the passwords in the same way.
And thus, when it comes to logging in, the valid password doesn't
match, and is rejected.

I have analysed the contents of the files - one created via the shell
htpasswd command, and one created via the PHP script, and I can
confirm that for the same password, the encryption "result" is

Thus it must follow that the server is running a different encryption
algorithm to the one in the PHP script, which looks like this:

        $thePW = crypt(trim($thePW),base64_encode(CRYPT_STD_DES));
        return $thePW;

I have tried 2 or 3 pre-made classes, from:


But always get similar results - the way the password is encrypted
seems to be foreign to the server's native encryption method, and thus
the passwords never check out.

Would anybody be able to give me any advice on how one might get
around this. Is there any way to determine the exact method of
encryption the server is using? Is there a standard way of doing this
via PHP that I'm just totally missing?

Any help would be greatly appreciated - thank you very much,

Re: .htaccess authentication control via PHP

On 1 Apr., 16:12, timhillonl...@gmail.com wrote:
Aren't you able to call htpasswd by exec or system? That would be my
way to solve it ... :(



Re: .htaccess authentication control via PHP

Hi Cem, thanks for your response.

I had considered that, but what prevented me doing it was that the
htpasswd command to create a user is not just a single line - a
dialogue is required. You first enter:

 htpasswd [path] username

...and then you're prompted to enter (and then confirm) a password. So
the problem is I have no idea how you'd be able to carry out this
dialogue via PHP - but please someone slap me silly if I'm being


Re: .htaccess authentication control via PHP

timhillonline@gmail.com wrote:
Have a look at the -b option of htpasswd.

Re: .htaccess authentication control via PHP

timhillonline wrote:

htpasswd -b [path] username password

Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux, up 6 days, 3:15.]

                           Cognition 0.1 Alpha 6
         http://tobyinkster.co.uk/blog/2008/03/29/cognition-alpha6/

Re: .htaccess authentication control via PHP

Awesome. That worked a treat!

Thank you so much Toby, and also everyone else who contributed!

You guys are terrific...
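
The non-interactive htpasswd call discussed above, as an added example that is not part of the original thread. It feeds the password on stdin with -i instead of -b, because -b leaves the password visible on the command line, and it runs the binary without a shell. It assumes PHP 7.4 or later and an htpasswd from Apache 2.4.4 or later; the function name, the binary path and the file path in the usage comment are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumptions: PHP >= 7.4,
// htpasswd >= 2.4.4 (for -i and -B), binary located at $htpasswdBin.

function htpasswd_set_user(string $file, string $user, string $password,
                           string $htpasswdBin = '/usr/bin/htpasswd'): bool
{
    // The password file holds one "user:hash" record per line, so a colon
    // or line break in the user name would corrupt or forge a record.
    if ($user === '' || strpbrk($user, ":\r\n\0") !== false) {
        return false;
    }
    // With -i, htpasswd reads a single line from stdin as the password.
    if ($password === '' || strpbrk($password, "\r\n\0") !== false) {
        return false;
    }

    // Passing the command as an array makes proc_open() execute the binary
    // directly; no shell parses the user-supplied values.
    // -i: read the password from stdin, -B: store a bcrypt hash.
    $cmd  = [$htpasswdBin, '-i', '-B', $file, $user];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];

    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false; // htpasswd could not be started
    }

    fwrite($pipes[0], $password . "\n");
    fclose($pipes[0]);

    // Drain both output pipes so the child process can exit.
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // htpasswd exits with status 0 when the entry was added or updated.
    return proc_close($proc) === 0;
}

// Usage (path is a placeholder):
// htpasswd_set_user('/path/to/.htpasswd', 'alice', 'constructed-sample-password');
```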

Re: .htaccess authentication control via PHP

timhillonline@gmail.com wrote:
Try this one: works for me.

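function htadduser($filename, $logname, $password)
{
  $logname = rtrim($logname); // strip any trailing spaces
  // a colon or line break in the name would corrupt the "user:hash" records
  if (strpbrk($logname, ":\r\n") !== false)
      return -1;
  $fp = fopen($filename, "r+"); // open reading AND writing
  if ($fp)
  {
    while (($buffer = fgets($fp, 4096)) !== false)
    {
         $username = explode(":", $buffer); // extract the actual username
         if ($logname == $username[0]) // can't add an existing user.
         {
             fclose($fp);
             return -1;
         }
    }
    // OK we are at the file end, and we haven't found an identical user.
    // time to get an encrypted password
    $chars = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    // two character salt to force DES; only these 64 characters are valid in a DES salt
    $salt = $chars[random_int(0, 63)] . $chars[random_int(0, 63)];
    $hash = crypt($password, $salt);
    fseek($fp, 0, SEEK_END); // make sure we ARE at the file end..
    fprintf($fp, "%s:%s\n", $logname, $hash);
    fclose($fp);
    return 0;
  }
  return -1; // no password file!
}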
