[thelist] php login security (was: Call html page with php)

Andrew Forsberg andrew at thepander.co.nz
Wed Feb 20 05:09:01 CST 2002


> > your example has the same flaws as the previous one. That is, someone
> > can still send a URL with:
> >
> > http://foobar.com/?loginOK=yes
>
> Yes, but I said that when checking the login, $loginOK is set to "no" or
> "yes".

But someone can still call the page with ?loginOK=yes and get in, no? Sorry
that's not security.

> therefore, it doesn't matter what the user puts in the querystring,
> because the code sets $loginOK.

Test it.

> your example querystring wouldn't get the
> user in at all, because their login would be checked, rejected, and
> $loginOK would be set to "no". I stand by my example.

Not testing for a variable within an explicitly stated scope is: 1) lazy, 2)
asking for trouble. Especially when dealing with logins.

> > and your user-only area will be accessible. Session vars cannot be
> > faked, however; only your program can set them.
>
> who said $loginOK was a session variable??

Ummm. No one, but it's one way (which I was simply suggesting) to maintain
something resembling security. Where's the security in not checking variable
scope at all? Even if you're only processing POST variables, it's still a good
idea to test against $HTTP_POST_VARS["whatever"] rather than $whatever.

Cheers
Andrew
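The flaw the two posters are arguing about, shown side by side with the fix Andrew is suggesting. This is an added example, not code from the thread or from either poster; it assumes PHP 5.5 or later (for password_hash/password_verify), models register_globals with extract() so it can run on a modern interpreter, and passes the session in as an array where a real page would use $_SESSION. The thread's $HTTP_POST_VARS is today's $_POST. The user table and credentials are constructed for the demo.

```php
<?php
// Constructed user table for the demo: username => bcrypt hash of "correct horse".
$USERS = array(
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
);

// VULNERABLE PATTERN (the one defended in the thread).
// With register_globals on, every request parameter becomes a plain PHP
// variable before the script runs; extract() reproduces that here.
// The code only assigns $loginOK inside the branch that sees a username and
// password, so a request that carries ?loginOK=yes and omits the form
// fields skips the branch and keeps the attacker-supplied value.
function vulnerable_is_logged_in(array $request, array $users)
{
    extract($request); // register_globals emulation: $loginOK, $username, $password...

    if (isset($username) && isset($password)) {
        $loginOK = (isset($users[$username])
                    && password_verify($password, $users[$username])) ? 'yes' : 'no';
    }

    return isset($loginOK) && $loginOK === 'yes';
}

// HARDENED PATTERN (what Andrew is recommending).
// 1. Credentials are read only from the explicitly named request scope,
//    never from a bare variable that the querystring could have populated.
// 2. The "logged in" fact lives in server-side session state, which only
//    this code writes; nothing in the request can set it directly.
function hardened_login(array $post, array $users, array &$session)
{
    $user = isset($post['username']) ? $post['username'] : '';
    $pass = isset($post['password']) ? $post['password'] : '';

    $ok = isset($users[$user]) && password_verify($pass, $users[$user]);

    if ($ok) {
        $session['user'] = $user;
    } else {
        unset($session['user']); // failed attempt never leaves stale auth state
    }
    return $ok;
}

function hardened_is_logged_in(array $session)
{
    // The check depends on nothing the client sent.
    return isset($session['user']);
}

// Demo: the same forged request against both implementations.
$forged = array('loginOK' => 'yes');

$vulnerable = vulnerable_is_logged_in($forged, $USERS);   // attacker is in

$session = array();
hardened_login($forged, $USERS, $session);                // no credentials supplied
$hardened_forged = hardened_is_logged_in($session);       // still logged out

hardened_login(array('username' => 'alice', 'password' => 'correct horse'), $USERS, $session);
$hardened_real = hardened_is_logged_in($session);         // real login works

foreach (array('vulnerable' => $vulnerable,
               'hardened_forged' => $hardened_forged,
               'hardened_real' => $hardened_real) as $label => $result) {
    echo $label, ': ', $result ? 'logged in' : 'not logged in', PHP_EOL;
}
```

In a real page, $session is $_SESSION after session_start(), and the login branch should also call session_regenerate_id(true) so a session ID fixed by the attacker before authentication is not promoted to an authenticated one. The point of the thread survives any PHP version: a variable the request can populate is not evidence of anything, so read input from $_POST (or $HTTP_POST_VARS on the PHP of the time) and keep the authenticated flag in state only the server writes.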
