[thelist] PHP / MySQL User Login System

Andrew Forsberg andrew at thepander.co.nz
Wed Feb 27 22:33:00 CST 2002


>Cool! That's what I'm talking about.

Actually, not so cool. I just had a cigarette, and can't believe I
posted that code... :)

> > if ($authenticated) {
> >     switch ($page) {    // where $page is the page to display
> >     case "this_site":
> >         include '/whatever/whatever/whatever.php';
> >         break;
> >     case "another_site":
> >         include '/blah/blah/blah/blah.php';
> >         break;
> >  // etc...
> >     default:
> >         include '/my/home/page.php';
> >         break;
> >     }    // end switch
> >  } else {
> >     include '/my/home/page.php';
> > }

A far better method would be to switch the account they're trying to
access and verify before including. So:

switch ($HTTP_GET_VARS["account"]) {
case "this_site":
case "that_site":
case "the_other_site":
case "hey_that_is_my_site":
     // include only when the session was authenticated for this very
     // account (PHP 4 keeps session data in $HTTP_SESSION_VARS)
     if ($HTTP_GET_VARS["account"] == $HTTP_SESSION_VARS["auth_account"]) {
         // basename() keeps "page" from climbing out of the account's directory
         include '/home/yoursite/' . $HTTP_GET_VARS["account"] . '/' .
             basename($HTTP_GET_VARS["page"]);
         exit();
     }
     break;
} // end switch

include '/home/yoursite/index.php';  // everyone else gets this

Otherwise there's a massive gaping hole for anyone with a legit
account to walk through any other account. Not very cool at all, and
my sincerest apologies.

I'm not quite sure what sort of problems you can expect from an
approach like this when it comes to other form variables. You'd need
to be vewy vewy careful with GET variables in your staging urls, it's
likely to get right messy. Anyhoo...

Cheers
Andrew


--
Andrew Forsberg
---
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/
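The same verify-before-include idea carried through with allow-lists for both GET parameters, as an added example that is not Andrew's code: it assumes PHP 7 or later with `$_GET` / `$_SESSION` in place of the PHP 4 `HTTP_*_VARS` arrays, a session already started by the login code, and constructed account and page names under `/home/yoursite`.

```php
<?php
// Added example, not from the original post. Account directory names and
// the page list are constructed for illustration.
declare(strict_types=1);

const SITE_ROOT = '/home/yoursite';

// Accounts that exist, mapped to their directory under SITE_ROOT.
const ACCOUNTS = [
    'this_site'           => 'this_site',
    'that_site'           => 'that_site',
    'the_other_site'      => 'the_other_site',
    'hey_that_is_my_site' => 'hey_that_is_my_site',
];

// Pages a logged-in user may view inside their own account directory.
const PAGES = ['index.php', 'stats.php', 'settings.php'];

/**
 * Return the file to include for this request, or null when the request
 * must fall back to the public home page. Nothing taken from $get is ever
 * spliced into the path: both values are used only as look-up keys.
 */
function resolve_page(array $get, array $session): ?string
{
    $account = $get['account'] ?? '';
    $page    = $get['page'] ?? 'index.php';

    // 1. The account must exist (allow-list, not a pattern match).
    if (!isset(ACCOUNTS[$account])) {
        return null;
    }
    // 2. The session must have been authenticated for *this* account.
    //    Strict comparison avoids type juggling between '0', 0 and ''.
    if (($session['auth_account'] ?? null) !== $account) {
        return null;
    }
    // 3. The page must be one of the known files, so "../" never reaches
    //    the filesystem.
    if (!in_array($page, PAGES, true)) {
        return null;
    }
    return SITE_ROOT . '/' . ACCOUNTS[$account] . '/' . $page;
}

$target = resolve_page($_GET, $_SESSION ?? []);
include $target ?? SITE_ROOT . '/index.php';   // everyone else gets this
```

A user with a valid session for `this_site` who requests `account=that_site` falls through to the public page at step 2, which is the hole the post describes; an unknown `page` value falls through at step 3.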
