Diffstat (limited to '')
-rw-r--r-- | include/config_default.inc.php | 4 | ||||
-rw-r--r-- | include/functions_session.inc.php | 4 | ||||
-rw-r--r-- | include/functions_user.inc.php | 23 | ||||
-rw-r--r-- | include/user.inc.php | 29 |
4 files changed, 43 insertions, 17 deletions
diff --git a/include/config_default.inc.php b/include/config_default.inc.php index 08f68733b..8debb63f0 100644 --- a/include/config_default.inc.php +++ b/include/config_default.inc.php @@ -223,4 +223,8 @@ $conf['show_thumbnail_caption'] = true; // show_picture_name_on_title : on picture presentation page, show picture // name ? $conf['show_picture_name_on_title'] = true; + +// apache_authentication : use Apache authentication as reference instead of +// users table ? +$conf['apache_authentication'] = false; ?> diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php index 7190f8954..b2509e1c1 100644 --- a/include/functions_session.inc.php +++ b/include/functions_session.inc.php @@ -107,9 +107,9 @@ INSERT INTO '.SESSIONS_TABLE.' // parameter $redirect is set to true, '&' is used instead of '&'. function add_session_id( $url, $redirect = false ) { - global $page, $user; + global $page, $user, $conf; - if ( $user['has_cookie'] ) return $url; + if ( $user['has_cookie'] or $conf['apache_authentication']) return $url; $amp = '&'; if ( $redirect ) diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index 3e8588cf7..1a2709254 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -54,7 +54,6 @@ function register_user($login, $password, $password_conf, // login must not // 1. be empty // 2. start ou end with space character - // 3. include ' or " characters // 4. be already used if ($login == '') { 
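Review bot: The comment on `$conf['apache_authentication']` does not state the trust assumption the option carries. With it enabled, the include/user.inc.php hunk of this commit takes `$_SERVER['REMOTE_USER']` as the identity and creates a users-table row for any name it has not seen. I would extend the comment to something like `// enable only when the web server enforces authentication on every gallery URL; unknown REMOTE_USER names are registered automatically`.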
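Review bot: The new test in `add_session_id()` keys on `$conf['apache_authentication']` alone, while the include/user.inc.php hunk only takes the Apache path when `$_SERVER['REMOTE_USER']` is also set. If the option is on but a request arrives without REMOTE_USER (a path the server does not protect, say), user lookup presumably falls back to the session mechanism, and a visitor without cookies would then lose the session id on every link. Matching the two conditions keeps them consistent: `if ( $user['has_cookie'] or ($conf['apache_authentication'] and isset($_SERVER['REMOTE_USER'])) ) return $url;`. The function body continues past the end of the hunk.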
@@ -69,23 +68,17 @@ function register_user($login, $password, $password_conf, array_push($errors, $lang['reg_err_login3']); } - if (ereg("'", $login) or ereg("\"", $login)) - { - array_push($errors, $lang['reg_err_login4']); - } - else - { - $query = ' + $query = ' SELECT id FROM '.USERS_TABLE.' - WHERE username = \''.$login.'\' + WHERE username = \''.mysql_escape_string($login).'\' ;'; - $result = pwg_query($query); - if (mysql_num_rows($result) > 0) - { - array_push($errors, $lang['reg_err_login5']); - } + $result = pwg_query($query); + if (mysql_num_rows($result) > 0) + { + array_push($errors, $lang['reg_err_login5']); } + // given password must be the same as the confirmation if ($password != $password_conf) { @@ -102,7 +95,7 @@ SELECT id if (count($errors) == 0) { $insert = array(); - $insert['username'] = $login; + $insert['username'] = mysql_escape_string($login); $insert['password'] = md5($password); $insert['status'] = $status; $insert['template'] = $conf['default_template']; diff --git a/include/user.inc.php b/include/user.inc.php index b388943c0..56b36039c 100644 --- a/include/user.inc.php +++ b/include/user.inc.php @@ -91,6 +91,35 @@ if (!isset($user['id'])) $user['is_the_guest'] = true; } +// using Apache authentication override the above user search +if ($conf['apache_authentication'] and isset($_SERVER['REMOTE_USER'])) +{ + $query = ' +SELECT id + FROM '.USERS_TABLE.' + WHERE username = \''.mysql_escape_string($_SERVER['REMOTE_USER']).'\' +;'; + $result = pwg_query($query); + + if (mysql_num_rows($result) == 0) + { + register_user($_SERVER['REMOTE_USER'], '', '', ''); + + $query = ' +SELECT id + FROM '.USERS_TABLE.' + WHERE username = \''.mysql_escape_string($_SERVER['REMOTE_USER']).'\' +;'; + list($user['id']) = mysql_fetch_row(pwg_query($query)); + } + else + { + list($user['id']) = mysql_fetch_row($result); + } + + $user['is_the_guest'] = false; +} + $query = ' SELECT u.*, uf.* FROM '.USERS_TABLE.' AS u LEFT JOIN '.USER_FORBIDDEN_TABLE.' AS uf |
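Review bot: Dropping the quote check makes `mysql_escape_string()` the only barrier in this query, and that function escapes without regard to the connection character set; `mysql_real_escape_string($login)` is the connection-aware form. The same applies to the `$insert['username']` line in the `@@ -102` hunk and to the two lookups added in include/user.inc.php. Usernames containing `'` or `"` can now be stored, so any other query or template that interpolates a username read back from the users table, and that relied on the old restriction, needs its own escaping; that code is outside this diff and should be checked. In the `@@ -102` hunk it is also worth confirming that whatever consumes `$insert` does not escape values a second time, otherwise the stored name would carry literal backslashes.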
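Review bot: The auto-provisioning branch in include/user.inc.php calls `register_user($_SERVER['REMOTE_USER'], '', '', '')` and never checks whether the account was created. register_user collects validation errors and inserts only when there are none (visible in the functions_user.inc.php hunks), so a rejected name leaves the second SELECT empty and `$user['id']` without a value, yet `$user['is_the_guest'] = false` is still applied before the next query runs. Fetch the row first, `$row = mysql_fetch_row(pwg_query($query));`, and clear the guest flag only when `$row` is not false. The account is also stored with `md5('')` as its password, so if the normal login form stays reachable, or the option is later switched off, these accounts may accept an empty password; a random value that is never disclosed would be a safer placeholder.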