[thelist] php login security (was: Call html page with php)
Ben Phillips
ben at inchima.com
Wed Feb 20 04:23:01 CST 2002
> I've used this, which worked in a login-restricted environment.
>
> <?php
> if($loginOK){
> include("theContent.php");
> }else{
> include("loginForm.php");
> }
> ?>
<tip type="php login security" author="benji">
if you are just testing to see if $loginOK has been set:
if($loginOK) {
// do code for logged in user - ie. content
} else {
// do code for not logged in user - ie. login box
}
then a user can fake a login, by calling the page with loginOK in the
querystring:
http://www.........com/page.php?loginOK=yes
you should really use this instead:
if($loginOK == "yes") {
...
and set loginOK to "yes" or to "no" depending on whether the user has logged
in or not.
</tip>
using your method, you could unset($loginOK) if the user wasn't logged in -
but the code is a lot cleaner if you explicitly state whether loginOK is true
or not.
benji
inchima.com
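An added example, not code from the original thread, showing the faked-login problem the tip describes beside the explicit assignment it recommends. It simulates register_globals with extract() so it runs on a modern PHP without changing php.ini, and checkCredentials() is a hypothetical stand-in for a real password check.

```php
<?php
// Hypothetical credential check; the account is a constructed sample.
function checkCredentials(string $user, string $pass): bool {
    return $user === 'alice' && hash_equals('s3cret', $pass);
}

// Constructed request: no credentials at all, but loginOK smuggled
// into the query string, as in page.php?loginOK=yes.
$_GET = ['loginOK' => 'yes'];
$_POST = [];

// Roughly what register_globals=On did on every request: each query
// parameter becomes a top-level variable before your code runs.
extract($_GET);

// Weak check from the thread: $loginOK was never assigned by the script,
// so it now holds whatever the client sent and the test passes.
$weakVerdict = ($loginOK == 'yes') ? 'content' : 'login form';

// Hardened: assign $loginOK yourself, after any globals are registered,
// from a decision the client cannot supply directly.
$loginOK = false;
if (isset($_POST['user'], $_POST['pass'])
    && checkCredentials((string) $_POST['user'], (string) $_POST['pass'])) {
    $loginOK = true;
}
$safeVerdict = $loginOK ? 'content' : 'login form';

echo "weak check shows: $weakVerdict\n";
echo "explicit assignment shows: $safeVerdict\n";
```

The same explicit assignment is what keeps a persisted flag honest too: store the verdict in $_SESSION after a successful check rather than reading a login state from request data.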