[thelist] php login security (was: Call html page with php)

Andrew Forsberg andrew at thepander.co.nz
Wed Feb 20 04:50:01 CST 2002


> then a user can fake a login, by calling the page with loginOK in the
> querystring:
> http://www.........com/page.php?loginOK=yes
>
> you should really use this instead:
>
> if($loginOK == "yes") {

Better still:

if ($HTTP_SESSION_VARS["loginOK"]=="yes") {
    // do your stuff
} else {
    // ...
}

Your example has the same flaws as the previous one. That is, someone can
still send a URL with:

http://foobar.com/?loginOK=yes

and your user-only area will be accessible. Session vars cannot be faked,
however; only your program can set them.

Cheers
Andrew
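The weak pattern the reply describes, beside the session-based check it recommends, as an added example that is not code from the thread. It uses `$_SESSION`, the modern name for `$HTTP_SESSION_VARS`; `check_credentials()` and the `$USERS` array are constructed stand-ins for a real user store.

```php
<?php
// WEAK: with register_globals on (the PHP default when this thread was written),
// every query-string and form field becomes a PHP variable, so $loginOK can be
// supplied by the client with ?loginOK=yes and this check passes.
function weak_is_logged_in(): bool
{
    global $loginOK;
    return $loginOK == "yes";
}

// Constructed sample user store (hypothetical); a real app would query a database.
$USERS = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function check_credentials(string $user, string $pass): bool   // hypothetical helper
{
    global $USERS;
    return isset($USERS[$user]) && password_verify($pass, $USERS[$user]);
}

// FIXED: only server-side code writes into the session. The browser holds just
// an opaque session id cookie, so it cannot set $_SESSION['loginOK'] itself.
function login(string $user, string $pass): bool
{
    if (!check_credentials($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);      // new id on privilege change (session fixation)
    $_SESSION['loginOK'] = 'yes';
    $_SESSION['user']    = $user;
    return true;
}

function is_logged_in(): bool
{
    return isset($_SESSION['loginOK']) && $_SESSION['loginOK'] === 'yes';
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// On a protected page: start the session first, then consult it, never $loginOK.
session_start();
if (is_logged_in()) {
    // do your stuff
} else {
    header('HTTP/1.1 403 Forbidden');
    exit;
}
```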
