> --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > $_SESSION['userid'] = $userid;
> > $_SESSION['userpassword'] = $userpassword;
> > [snip]
> >
> > Anything look wrong or insecure with all of this?
>
> The only thing that catches my attention is your assignments
> for $_SESSION['userid'] and $_SESSION['userpassword']. I
> assume you are performing some strict data validation on
> $userid and $userpassword before this assignment, right? If
> not, this presents a significant risk, because $_SESSION is a
> trusted array (it comes from the server, not the client).
>
> Hope that helps.
>
> Chris
Well, both variables $userid and $userpassword are bounced off of a user database table; if the username/password don't match, then the session variables are cleared with a session_destroy() call. Is that a good enough validation?

[code begin]
session_start();

// $userid, $userpassword and $PHP_SELF arrive here as globals (register_globals era).
if (!isset($userid)) {
    login_form();
    exit;
} else {
    // The submitted credentials are written to the session before auth_user() checks them.
    $_SESSION['userid'] = $userid;
    $_SESSION['userpassword'] = $userpassword;
    $username = auth_user($userid, $userpassword);
    if (!$username) {
        echo "user " . $userid . $userpassword . " Authorization failed. "
           . "You must enter a valid userid and password combo. "
           . "Click on the following link to try again.<BR>\n";
        echo "<A HREF=\"$PHP_SELF\">login</A><BR>";
        echo "If you do not have login, please contact Operations to obtain one.<br>\n";
        session_destroy();
        exit;
    } else {
        echo "welcome, $username!";
    }
    echo gmmktime();
    echo "<a href='./test_auth.php'>Continue</a>";
    echo "<a href='./new_ticket.php'>Ticket</a>";
}

function auth_user($userid, $userpassword)
{
    global $default_dbname, $user_tablename;
    $link_id = db_connect($default_dbname);
    // $userid and $userpassword are interpolated directly into the SQL text.
    $query = "SELECT username FROM $user_tablename WHERE userid = '$userid' && userpassword = password('$userpassword')";
    $result = mysql_query($query);
    if (!mysql_num_rows($result)) {
        return 0;
    } else {
        $stamp = gmmktime();
        $query2 = "update $user_tablename set idle_time = $stamp where userid = '$userid'";
        $result2 = mysql_query($query2);
        $query3 = "select CanEdit from $user_tablename where userid = '$userid'";
        $result3 = mysql_query($query3);
        $query_data3 = mysql_fetch_row($result3);
        $_SESSION['CanEdit'] = $query_data3[0];
        $query_data = mysql_fetch_row($result);
        return $query_data[0];
    }
}
[code end]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
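The following is an added example, not code from Jeff's post or from anyone on the thread. It rewrites the same login sequence the way Chris's reply implies: validate the submitted values first, authenticate, and only then write to $_SESSION, and never store the clear-text password there. It assumes a PDO connection (the DSN and credentials are placeholders), a hypothetical `users` table with columns `userid`, `username`, `password_hash` (produced by `password_hash()`), `can_edit` and `idle_time`, and a `login_form()` function as in the original post. The userid pattern is an assumption about this application's identifiers.

```php
<?php
// Added example (not from the thread): hardened login flow.
// Placeholders: DSN, DB user and DB password below must be replaced.
declare(strict_types=1);

session_start();

$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Stand-in for the login_form() the original post calls (assumed, not the poster's).
function login_form(): void
{
    echo '<form method="post">'
       . 'User: <input name="userid"> '
       . 'Password: <input name="userpassword" type="password"> '
       . '<input type="submit" value="login"></form>';
}

/**
 * Check credentials against the hypothetical users table.
 * Returns the user row (without the hash) on success, null on failure.
 */
function auth_user(PDO $pdo, string $userid, string $userpassword): ?array
{
    // Bound parameters keep user input out of the SQL text entirely,
    // unlike the interpolated "WHERE userid = '$userid'" in the original.
    $stmt = $pdo->prepare(
        'SELECT userid, username, password_hash, can_edit FROM users WHERE userid = :userid'
    );
    $stmt->execute([':userid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against a salted bcrypt/argon2 hash stored by
    // password_hash(); the clear-text password is never persisted anywhere.
    if ($row === false || !password_verify($userpassword, $row['password_hash'])) {
        return null;
    }

    $upd = $pdo->prepare('UPDATE users SET idle_time = :now WHERE userid = :userid');
    $upd->execute([':now' => time(), ':userid' => $userid]);

    unset($row['password_hash']);
    return $row;
}

// 1. Read the credentials explicitly from the request instead of relying on
//    register_globals to materialise $userid and $userpassword.
$userid       = $_POST['userid'] ?? '';
$userpassword = $_POST['userpassword'] ?? '';

// 2. Validate shape before the values are used anywhere (session, SQL, HTML).
if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $userid) || $userpassword === '') {
    login_form();
    exit;
}

// 3. Authenticate. Nothing has been written to $_SESSION yet.
$user = auth_user($pdo, $userid, $userpassword);
if ($user === null) {
    // Same message for unknown user and wrong password, and the submitted
    // credentials are not echoed back into the page.
    echo 'Authorization failed. You must enter a valid userid and password combination.<br>';
    echo '<a href="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') . '">login</a><br>';
    exit;
}

// 4. New session id on login (session fixation defence), then store only what
//    later pages need: the identity and the CanEdit flag, never the password.
session_regenerate_id(true);
$_SESSION['userid']  = $user['userid'];
$_SESSION['CanEdit'] = (bool) $user['can_edit'];

echo 'welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8') . '!';
echo '<a href="./test_auth.php">Continue</a>';
echo '<a href="./new_ticket.php">Ticket</a>';
```

The key difference from the posted code is ordering: the session is a server-side, trusted store, so it receives values only after they have been validated and the credentials verified, and later pages (test_auth.php, new_ticket.php) can then rely on $_SESSION['userid'] without re-checking it. The pages that read $_SESSION['CanEdit'] should treat it as the authoritative flag and not accept a CanEdit value from the request.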