On May 30, 2013 8:10 AM, "Jim Giner" <jim.gi...@albanyhandball.com> wrote:
> On 5/29/2013 9:38 PM, tamouse mailing lists wrote:
>> Okay, first off, your application *has* to have some entry point that
>> *is* accessible to a browser; otherwise nothing will find it.
> Once again - I was wrong in my suggestion as Ashley has pointed out so
correctly.  Had to test it out this morning only to discover that I had
never done quite that kind of Header redirect before.
> So - the include method still works, as would the single script
'controller' method.  Within a php script any file is accessible (within
your domain at least) and may therefore be included and execute.

I want to throw in a caveat here, and that is the open_basedir directive,
wbicb limits where you can include files from.

On the other hand, if you must have the target script in your
web-accessible tree, simply establish some kind of security handler and add
logic to your page(s) to check permissions before displaying anything.
 This handler could be based upon session vars, cookies, db entries (my
pref).  Once established it can be a universal addition to any and all of
your appls.
> My personal method is to create a db table containing an appl name, page
name, and a non-unique security level (I use an integer).  Then have an
admin screen for creating userids for an appl with multiple recs each
containing a security level for that user for that appl. Then have a signon
method that validates credentials and builds a session array containing all
the user's security levels.  In every page that I want secured, I call a
function with that script's internal pagename and appl name and confirm
that the page's sec level is contained in the user's session array.  I also
have a master level (99) that if present gives global access for myself as
administrator.  There's a bit more to it, but that's my security method.
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to