[thelist] php login security (was: Call html page with php)

Peter Johansson peter at johansson.org
Wed Feb 20 04:58:00 CST 2002


On Wed, 20 Feb 2002, Ben Phillips wrote:

> if you are just testing to see if $loginOK has been set:
> if($loginOK) {
>   // do code for logged in user - ie. content
> } else {
>   // do code for not logged in user - ie. login box
> }
>
> then a user can fake a login, by calling the page with loginOK in the
> querystring:
> http://www.........com/page.php?loginOK=yes
>
> you should really use this instead:
>
> if($loginOK == "yes") {
>  ...
>     and set loginOK to "yes" or to "no" depending on whether the user
> has logged in or not.

That's a good suggestion. And to further improve security for this kind
of "attack" I suggest turning off the register_globals in your
php-configuration. That way the user-supplied variables won't be
introduced into the global namespace automatically, but instead placed in
$_POST, $_GET and so on (or $HTTP_POST_VARS, $HTTP_GET_VARS, ...) if
you're using an older version of PHP (<4.1.0).

The $_POST, $_GET, ... variables are automatically global so they're
always accessible in your functions.

Regards,
Peter
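The two checks discussed in this thread side by side, as an added example that is not code from either poster: the register_globals-style check that a forged `?loginOK=yes` request satisfies, and a hardened check that initialises the flag explicitly (Ben's point) and takes it from the server-side session rather than from request data (Peter's point). `extract()` is used only to imitate register_globals=On under a modern PHP; the request and session arrays are constructed inline for the demo.

```php
<?php
// Added example (not from the thread): the login check discussed above,
// shown as a register_globals-style "before" and a hardened "after".
// Run from the CLI; the request data below is constructed, not real.

// Constructed attacker-controlled query string: ?loginOK=yes
$_GET = ['loginOK' => 'yes'];

// BEFORE: with register_globals=On, PHP copied every request variable
// into the global scope; extract() imitates that here for the demo.
function checkLoginRegisterGlobals(array $get): bool
{
    extract($get);              // simulates register_globals=On
    // The script never set $loginOK itself, so the request value wins.
    return isset($loginOK) && $loginOK == 'yes';
}

// AFTER: register_globals=Off (the default since PHP 4.2). Request data
// stays in $_GET/$_POST; the logged-in flag lives only in the session,
// and the script assigns it before it is ever tested.
function checkLoginSession(array $session): bool
{
    $loginOK = false;                         // explicit default
    if (isset($session['user_id'])) {         // set only by the login handler
        $loginOK = true;
    }
    return $loginOK;
}

// Demo: the same forged request against both checks.
$forgedBefore = checkLoginRegisterGlobals($_GET);
$forgedAfter  = checkLoginSession([]);        // no session -> not logged in

printf("register_globals style, forged request: %s\n", $forgedBefore ? 'LOGGED IN' : 'denied');
printf("session style, forged request:          %s\n", $forgedAfter ? 'LOGGED IN' : 'denied');

// A legitimate session, as the login handler would have created it after
// verifying the password (e.g. $_SESSION['user_id'] = $user->id;).
$legit = checkLoginSession(['user_id' => 42]);  // constructed user id
printf("session style, real session:            %s\n", $legit ? 'LOGGED IN' : 'denied');
```

With real requests, the hardened check would be called as `checkLoginSession($_SESSION)` after `session_start()`, and nothing in `$_GET` or `$_POST` can reach `$loginOK`.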
