[thelist] php login security (was: Call html page with php)

Ben Phillips ben at inchima.com
Wed Feb 20 04:57:01 CST 2002


> your example has the same flaws as the previous one. That is, someone can
> still send a URL with:
>
> http://foobar.com/?loginOK=yes

Yes, but I said that when checking the login, $loginOK is set to "no" or
"yes". Therefore, it doesn't matter what the user puts in the query string,
because the code sets $loginOK. Your example query string wouldn't get the
user in at all, because their login would be checked, rejected, and $loginOK
would be set to "no". I stand by my example.

> and your user only area will be accessible. Session vars cannot be faked,
> however, only your program can set them.

Who said $loginOK was a session variable?

benji
inchima.com
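The two patterns the thread is arguing about, as an added example that is not code from either post. With register_globals on (the PHP 4 default at the time), a request variable such as ?loginOK=yes already exists as $loginOK before any of the script's own code runs, so whether the login check overrides it depends on whether the assignment to $loginOK is reached on every request. The first function below reproduces that behaviour with extract() and only runs the check when the form was posted; the second keeps the decision in the session. The function names, the variable names and the 'alice' / 's3cret' credentials are assumptions made for this example.

```php
<?php
// Added example for the thread above; not code from the original posts.
// Assumed names: check_login(), pattern_register_globals(), pattern_session(),
// and the constructed user 'alice' with password 's3cret'.
declare(strict_types=1);

// Constructed sample credential store; stands in for a real user lookup.
function check_login(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('s3cret', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Pattern 1: request variables become plain variables before any check runs.
// extract($get) reproduces what register_globals=On did in PHP 4. The check
// only runs when the form was submitted, so a plain GET request never
// reaches the assignment and $loginOK keeps whatever the query string said.
function pattern_register_globals(array $get, array $post): string
{
    extract($get);   // ?loginOK=yes now means $loginOK === 'yes'

    if (isset($post['username'])) {
        $loginOK = check_login($post['username'], $post['password'] ?? '')
            ? 'yes' : 'no';
    }

    return (($loginOK ?? 'no') === 'yes') ? 'members area' : 'login form';
}

// Pattern 2: the decision lives in the session array, which only this
// script writes. Nothing from the query string or the form is consulted
// when deciding access, so a forged ?loginOK=yes is simply ignored.
// In a real script $session would be $_SESSION after session_start().
function pattern_session(array $post, array &$session): string
{
    if (isset($post['username'])) {
        if (check_login($post['username'], $post['password'] ?? '')) {
            $session['loginOK'] = 'yes';
        } else {
            unset($session['loginOK']);
        }
    }

    return (($session['loginOK'] ?? 'no') === 'yes') ? 'members area' : 'login form';
}

// Demonstration with constructed requests (run with: php thisfile.php).
if (PHP_SAPI === 'cli') {
    $forgedGet = ['loginOK' => 'yes'];
    $badPost   = ['username' => 'alice', 'password' => 'wrong'];
    $goodPost  = ['username' => 'alice', 'password' => 's3cret'];

    echo "register_globals, GET ?loginOK=yes, no form: ",
        pattern_register_globals($forgedGet, []), "\n";
    echo "register_globals, GET ?loginOK=yes, bad form: ",
        pattern_register_globals($forgedGet, $badPost), "\n";

    $sess = [];
    echo "session, GET ?loginOK=yes, no form:   ", pattern_session([], $sess), "\n";
    echo "session, bad form:                    ", pattern_session($badPost, $sess), "\n";
    echo "session, good form:                   ", pattern_session($goodPost, $sess), "\n";
    echo "session, later GET with no form:      ", pattern_session([], $sess), "\n";
}
```

The only difference between the two functions that matters for the query-string argument is where the access decision is read from: a variable that register_globals lets the client pre-populate, or a session entry the client cannot write. Turning register_globals off, or using a session as the second pattern does, removes the dependency on the check being reached on every request.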
