> Having recently switched from php 4.0.0 to 4.2.3 I quickly realized
> change in variable handling. I still experience problems using the
> and $_GET globals so I currently have my register globals ON so I can
> the ability to pass variables from page to page without using the
> and $_GET methods although I would really like to use them.
> My current project has me creating a login interface for users to
access a
> form and file upload tools. I am using only 1 set of scripts for
> everyone. Each user is assigned a path to their file area and these
> records are kept in a MySQL database along with username, password and
> contact info. As Each page is loaded the ID variable is checked and
> data is then loaded for them for use on that page. If the ID variable
> null they are given an error and redirected to the login page. This is
> keep them from bookmarking the index page for the tools.
> My question is this:
>  If I were to turn off register_globals and use the $_POST and $_GET
> methods, what are the chances of a user getting someone else's
> information using only one set of scripts for all. There could be up
> 700 people using the script at any given time. Cookies are not an
> as many users may have them turned off and sessions have never worked
> me or at least I have never figured them out to work the way I think
> should.

Using _POST or _GET doesn't make your scripts any more secure. It is
still all dependant on how you write them. If you assume that the ID
coming from _POST or _GET is the user that just logged in, then anyone
can just change the ID and get other peoples information. 

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to