[thelist] php login security (was: Call html page with php)
Ben Phillips
ben at inchima.com
Wed Feb 20 05:22:01 CST 2002
> But someone can still call the page with ?loginOK=yes and get in, no?
> Sorry, that's not security.
Check the process I have shown below and have stated in all of my posts on
this thread. The querystring value for $loginOK is irrelevant.
> Test it.
I have done, on about fifteen community websites I have produced in PHP 3,
before session variables were available. Process follows:
// check login (login_is_valid() is a stand-in for the real credential check)
if (login_is_valid($user, $pass)) {
    $loginOK = "yes";
} else {
    $loginOK = "no";
}
So, the querystring value for $loginOK is irrelevant.
> > your example querystring wouldn't get the user in at all, because their
> > login would be checked, rejected, and $loginOK would be set to "no". I
> > stand by my example.
>
> Not testing for a variable within an explicitly stated scope is: 1) lazy,
> 2) asking for trouble. Especially when dealing with logins.
I disagree. Using your argument, you have to set every variable as a session
variable, simply because a variable can be set in the query string?
> > who said $loginOK was a session variable??
>
> Ummm. No one, but it's one way (which I was simply suggesting) to maintain
> something resembling security. Where's the security in not checking
> variable scope at all? Even if you're only processing POST variables it's
> still a good idea to test against $HTTP_POST_VARS["whatever"] over $whatever.
Fair point.
benji
inchima.com
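As an added example (not code from the original post or anyone on the thread), here are the three patterns under discussion side by side in PHP: a flag that is only assigned on success, Ben's both-branch assignment, and the explicit-scope check the other poster suggests. check_credentials() and the user table are constructed stand-ins, extract() is used to mimic what register_globals did to a request, and $post stands in for $_POST, the superglobal that replaced $HTTP_POST_VARS.

```php
<?php
// Constructed user table: one account, password "s3cret" stored as a bcrypt hash.
$users = array('alice' => password_hash('s3cret', PASSWORD_DEFAULT));

// Hypothetical stand-in for the real credential lookup.
function check_credentials(array $users, $user, $pass) {
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// 1) The pattern the thread warns about. extract() mimics register_globals:
//    every request key (user, pass, loginOK...) becomes a local variable, so a
//    $loginOK that is never assigned on failure keeps the value the URL gave it.
function gate_flag_only_on_success(array $users, array $request) {
    extract($request);
    if (check_credentials($users, $user, $pass)) {
        $loginOK = "yes";
    }
    return isset($loginOK) && $loginOK == "yes";   // request-supplied "yes" survives
}

// 2) Ben's pattern: both branches assign, so whatever the request put into
//    $loginOK is overwritten before the flag is tested.
function gate_flag_both_branches(array $users, array $request) {
    extract($request);
    if (check_credentials($users, $user, $pass)) {
        $loginOK = "yes";
    } else {
        $loginOK = "no";
    }
    return $loginOK == "yes";
}

// 3) Explicit scope: read only the POST array ($post stands in for $_POST),
//    and let the decision be the return value, not a variable a request can name.
function gate_explicit_scope(array $users, array $post) {
    $user = isset($post['user']) ? $post['user'] : '';
    $pass = isset($post['pass']) ? $post['pass'] : '';
    return check_credentials($users, $user, $pass);
}

// Constructed request: wrong password, plus loginOK=yes tacked onto the query string.
$request = array('user' => 'alice', 'pass' => 'wrong', 'loginOK' => 'yes');

var_dump(gate_flag_only_on_success($users, $request));   // the only gate that lets this through
var_dump(gate_flag_both_branches($users, $request));
var_dump(gate_explicit_scope($users, $request));
```

Swapping 'wrong' for 's3cret' in the constructed request makes all three gates agree, which is exactly why the first pattern looks fine in testing and only fails against a request that names the flag.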