Re: [PHP-DB] Date Translation in MySQL

2008-08-10 Thread Bastien Koert
On Tue, Aug 5, 2008 at 4:33 PM, Ben Miller [EMAIL PROTECTED] wrote: Figured there had to be an easier way. Thank you so much. -Original Message- From: Simcha Younger [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 05, 2008 2:48 PM To: php-db@lists.php.net Subject: RE: [PHP-DB] Date

[PHP-DB] $_SESSION issues - possible security hole?

2008-08-10 Thread Darron Butler
I have built an application where users have to log in (the user data is stored in MySQL). I have 3 levels of rights for users; 1-normal rights, 2-admin rights, and 3-super user rights. When a user logs in, I set the $_SESSION['rights'] variable accordingly so I can reference it throughout the site.

Re: [PHP-DB] $_SESSION issues - possible security hole?

2008-08-10 Thread Evert Lammerts
If it changes the value of $_SESSION['rights'], then how come if ($_SESSION['rights'] != super) on line 14 doesn't exit()? Or does that happen when you hit refresh the second time? Or does the user it changes to also have 'super' rights? Why use extract()? Try commenting it out... apart from it

Re: [PHP-DB] $_SESSION issues - possible security hole?

2008-08-10 Thread Evert Lammerts
Why use extract()? Try commenting it out... apart from it being If you use 'register globals' there's a good chance that a variable $rights exists because it's a key in your $_SESSION array (don't shoot me if I'm wrong, I've never worked with 'register globals'). By using extract() without the

Re: [PHP-DB] $_SESSION issues - possible security hole?

2008-08-10 Thread Darron Butler
Thanks for your thoughts. To answer your first question, I'm using extract() because this is a page where admins and super users can edit the permissions of others for the site. Therefore, I have to query the database to create a listing of all users, and then have the admin/super user select one

Re: [PHP-DB] $_SESSION issues - possible security hole?

2008-08-10 Thread Bastien Koert
On Sun, Aug 10, 2008 at 4:23 PM, Darron Butler [EMAIL PROTECTED] wrote: Thanks for your thoughts. To answer your first question, I'm using extract() because this is a page where admins and super users can edit the permissions of others for the site. Therefore, I have to query the database to

Re: [PHP-DB] $_SESSION issues - possible security hole?

2008-08-10 Thread Micah Gersten
There's your answer. With register_globals on $_SESSION['rights'] becomes $rights and when you do extract($row) you are overwriting the $_SESSION variable. A safer way of using your code would be: while ($row = mysql_fetch_array($result1, MYSQL_ASSOC)) { ? option

Re: [PHP-DB] $_SESSION issues - possible security hole?

2008-08-10 Thread Darron Butler
Thanks! In fact I just updated my code to your exact example below and it works! It's a good thing you all fixed this for me...I have very few hairs left! Thanks again everyone...drb On Sun, Aug 10, 2008 at 4:53 PM, Micah Gersten [EMAIL PROTECTED] wrote: There's your answer. With