Correct! Problem is that I have been given explicit instructions to not
using cookies is to pass at least one variable from page to page so the
scripts know who the user is. Getting them to the user index page with
links to the tools without knowing what the ID is was my main focus. I did
this using hidden input type variables so it's not included on the URL
when they get there. I could continue to do so if I were using all <form>
based links but the value could still be seen in the source for the page.
On Mon, 30 Sep 2002, John W. Holmes wrote:
> > Having recently switched from php 4.0.0 to 4.2.3 I quickly realized
> > change in variable handling. I still experience problems using the
> > and $_GET globals so I currently have my register globals ON so I can
> > the ability to pass variables from page to page without using the
> > and $_GET methods although I would really like to use them.
> > My current project has me creating a login interface for users to
> > access a
> > form and file upload tools. I am using only 1 set of scripts for
> > everyone. Each user is assigned a path to their file area and these
> > records are kept in a MySQL database along with username, password and
> > contact info. As Each page is loaded the ID variable is checked and
> > data is then loaded for them for use on that page. If the ID variable
> > null they are given an error and redirected to the login page. This is
> > keep them from bookmarking the index page for the tools.
> > My question is this:
> > If I were to turn off register_globals and use the $_POST and $_GET
> > methods, what are the chances of a user getting someone else's
> > information using only one set of scripts for all. There could be up
> > 700 people using the script at any given time. Cookies are not an
> > as many users may have them turned off and sessions have never worked
> > me or at least I have never figured them out to work the way I think
> > should.
> Using _POST or _GET doesn't make your scripts any more secure. It is
> still all dependent on how you write them. If you assume that the ID
> coming from _POST or _GET is the user that just logged in, then anyone
> can just change the ID and get other people's information.
> ---John Holmes...
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
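The point John Holmes makes above (a user ID carried in $_POST, $_GET or a hidden form field is client data, so any user can submit a different ID) is easiest to see with the two patterns side by side. The following is an added example written for this page, not code from either poster; it targets modern PHP (PDO, password_verify, the `??` operator) rather than the 4.2.3 of the thread, and it assumes a `users` table with columns `id`, `username`, `password_hash` and `file_path`, which is a guess at the schema the original poster describes (path to the file area, username, password, contact info).

```php
<?php
// Added example: client-supplied identity versus server-side session identity.
// Assumed schema (not from the thread): users(id, username, password_hash, file_path).

declare(strict_types=1);

// Vulnerable pattern: the identity comes from the request. A hidden <input>
// keeps the value off the URL bar, but it is still visible in the page source
// and still editable by the client, so the lookup below serves whichever ID
// the client chooses to send.
function loadUserVulnerable(PDO $db): ?array
{
    $id = $_POST['id'] ?? $_GET['id'] ?? null;   // client-controlled value
    if ($id === null) {
        return null;   // "null ID -> redirect to login", as in the thread
    }
    $stmt = $db->prepare('SELECT id, username, file_path FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened pattern: the client never sends the user ID at all. Login checks
// the password once and stores the ID in server-side session state; every
// later page reads it from $_SESSION, which the client cannot edit. The only
// thing that travels with the request is the unguessable session token.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh token after authentication
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;   // not logged in: caller redirects to the login page
    }
    $stmt = $db->prepare('SELECT id, username, file_path FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Usage at the top of every tool page (placeholder DSN and credentials):
session_start();
$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'REPLACE_ME');
$user = currentUser($db);
if ($user === null) {
    header('Location: login.php');
    exit;
}
// From here on, file operations are confined to $user['file_path'], which was
// chosen by the server from the session, not by anything in the request.
```

If cookies really are unavailable, PHP can carry the session ID in URLs instead (`session.use_trans_sid`), at the cost of the token showing up in bookmarks and Referer headers, so `session.use_only_cookies` is the safer default where cookies can be required. Either way the property that matters is the one the hardened version has: the value in transit is a random session token bound to server-side state, and the user ID itself is never something the browser is asked to send back.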