Lorenzo Marussi wrote:
Hi List,

I have written a library of PHP classes to manage database objects.
So my application now accesses this library instead of accessing
the database directly.

Now, I need to add access control to my classes, like a check on a
$_SESSION variable.

A solution could be to add these lines as the first rows of every method:
" session_start();if(!isset($_SESSION['user'])) { return 999; } "

ex:
class sysAccess {
    // ...
    function getName()
    {
        session_start();
        if (!isset($_SESSION['user'])) { return 999; }
        // ...
    }
}


In this way, I am sure that only trusted users have access to the
methods.
But if I forget to "protect" a single method, there will be a serious
vulnerability... and this task will be long (and boring...).

Is there a better solution to restrict access to an object's public
methods to granted accounts only?

I'm missing something here: how would a user (I assume of a website) manage to run methods on classes which are part of server-side code?

Regardless of your answer to the above question, this all points to something being wrong in the architecture of the application - perhaps if you give more details (show us the interfaces, the code, or PHP doc the system to expose the API) we could help find where the problems are.

Best,

Nathan

--
PHP General Mailing List (http://www.php.net/)
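
The per-method check from the question, moved into a single choke point so that a newly added method cannot be left unprotected. This is an added example, not code from the thread; GuardedProxy, AccessDenied and the getName() body are hypothetical, and it assumes PHP 8.0 or later.

```php
<?php
// Added illustration; GuardedProxy and AccessDenied are hypothetical names.
class AccessDenied extends RuntimeException {}

// Stand-in for one of the library classes from the post (body constructed).
class sysAccess
{
    public function getName(): string { return 'example-name'; }
}

// Wraps any library object; every method call passes through one check.
final class GuardedProxy
{
    // $isAuthenticated is a callable returning bool (left untyped because
    // PHP does not allow "callable" as a property type).
    public function __construct(private object $target, private $isAuthenticated) {}

    public function __call(string $method, array $args)
    {
        // Deny by default: the check runs before any dispatch. An exception
        // replaces the "return 999" convention so callers cannot ignore it.
        if (!($this->isAuthenticated)()) {
            throw new AccessDenied("not logged in: $method");
        }
        // Forward only to methods that are callable from outside the target.
        if (!is_callable([$this->target, $method])) {
            throw new BadMethodCallException("no such method: $method");
        }
        return $this->target->$method(...$args);
    }
}

// The session check from the post, written once.
$sessionCheck = function (): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['user']);
};

$access = new GuardedProxy(new sysAccess(), $sessionCheck);
try {
    echo $access->getName(), PHP_EOL;
} catch (AccessDenied $e) {
    echo 'denied', PHP_EOL;
}
```

The guard only holds if application code can reach the library objects solely through the proxy, for example by having one factory construct and wrap them.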