[thelist] php login security (was: Call html page with php)
Andrew Forsberg
andrew at thepander.co.nz
Wed Feb 20 04:50:01 CST 2002
> then a user can fake a login, by calling the page with loginOK in the
> querystring:
> http://www.........com/page.php?loginOK=yes
>
> you should really use this instead:
>
> if($loginOK == "yes") {
Better still:
session_start(); // needed before $HTTP_SESSION_VARS is populated
if ($HTTP_SESSION_VARS["loginOK"] == "yes") {
    // do your stuff
} else {
    // ...
}
Your example has the same flaws as the previous one. That is, someone can
still send a URL with:
http://foobar.com/?loginOK=yes
and your user-only area will be accessible. Session vars, however, cannot be
faked; only your program can set them.
Cheers
Andrew
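To illustrate the point of the thread, here is an added example (not code from the list post) that puts the flawed query-string check beside the session-based check Andrew recommends. It assumes a modern PHP with $_SESSION (the successor to $HTTP_SESSION_VARS), a POST login form, and a constructed demo credential in place of a database lookup.

```php
<?php
// Added example, not from the thread. Run as a web script with sessions enabled.

// FLAWED: with register_globals on (the PHP 4 default), every query parameter
// became a PHP variable, so page.php?loginOK=yes satisfied this check. The
// assignment below simulates that behaviour on a modern PHP.
$loginOK = $_GET['loginOK'] ?? null;
function isLoggedInFlawed($loginOK): bool
{
    return $loginOK == "yes";   // trusts client-supplied data
}

// BETTER: $_SESSION is stored server-side and is written only by your own
// code; a client cannot set $_SESSION['loginOK'] through the URL.
function isLoggedInSession(): bool
{
    return isset($_SESSION['loginOK']) && $_SESSION['loginOK'] === 'yes';
}

// Hypothetical credential check. The hash is a constructed demo value;
// in practice it comes from your user store.
function credentialsValid(string $user, string $pass): bool
{
    $storedHash = password_hash('s3cret-demo', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($pass, $storedHash);
}

session_start();

if (isset($_POST['user'], $_POST['pass'])
    && credentialsValid($_POST['user'], $_POST['pass'])) {
    session_regenerate_id(true);      // fresh session id at login
    $_SESSION['loginOK'] = 'yes';     // only this code path can set it
}

// Flawed check: passes for anyone who appends ?loginOK=yes.
// Session check: passes only after credentialsValid() succeeded.
if (isLoggedInSession()) {
    echo "Welcome to the members area.";
} else {
    http_response_code(403);
    echo "Please log in.";
}
```

The session value cannot be injected from the query string, but the session id itself still travels in a cookie, which is why the example regenerates it at login and why the cookie should be sent only over HTTPS.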