On Friday, March 1, 2002, at 06:11  PM, James Taylor wrote:

> IF a user is logged on, they can post, if not they don't even see the 
> option.
> Instead of doing a SQL query everytime they look at the posts, I was 
> thinking
> of registering a variable called like $true where if they're logged on, 
> it's
> set, and if it's set they see the option to post.  The only thing I'm 
> worried
> about though is that someone could probably figure out to type in 
> something
> like comments.php?true=1 and that would allow anonymous posting, which I
> don't want.  Is there anyway to set a variable that can't be set in a 
> query
> string?  Or, is there even a better way of doing something like this?

Have you investigated the possibility of turning register_globals=off ?  
That's exactly why this recommendation was made.  This keeps any GET 
variables passed in the querystring (like the way you describe true=1 
being passed) from being interpreted as session variables.  When 
register_globals=off, you have much more control and a much better sense 
of where your variables are coming from and which variables you are 
privileging to perform actions.  This is because every variable (apart 
from variables that are created only for the purposes of the current 
script) is marked as being within the $_POST or $_GET or $_SESSION 
array, etc.  Someone can send GET variables like comments.php?true=1 all 
they want, but your script doesn't globalize them -- and your script is 
also specifically programmed to only check the $_SESSION array for the 
presence of "true=1" (i.e. :  if ($_SESSION['true'] == 1) etc).  Thus 
any extraneous GET variables just bounce off your script, having no 
effect unless the script specifically looks for $_GET['true'] or 



Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to