webmaster1 Posted April 30, 2010 Author

Putting the security check code as the first thing on a page would be kind of important for a script that was trying to show how to create and use an Access Control List. It's only three lines of PHP code (plus the {} brackets for the if() statement.) You can always move it to be above the form processing code on the pages.

Seems straightforward enough. As long as the author didn't have a specific reason for the positioning of the security check code, it should just be a cut and paste job then.

input validation, escaping, error checking, and error reporting...

Fortunately, I'm relatively comfortable with these areas. I like the concept of ACL because I can manage my entire site without having to reiterate the same login and security check pages/tables for different sections of the site. I'll definitely look into Zend once I have a little more free time.

PFMaBiSmAd Posted April 30, 2010

The only piratical (practical) reason the authors would have for intentionally putting the security check code after the form processing code would be so that the authors or any other hacker can alter the ACL database tables on your site by submitting the appropriate post/get data.

webmaster1 Posted May 2, 2010 Author

piratical (practical)

webmaster1 Posted May 2, 2010 Author

For anyone using the tutsplus ACL...

The pages requiring exit(); for header redirects:

- /acl/index.php
- /acl/admin/index.php
- /acl/admin/perms.php
- /acl/admin/roles.php
- /acl/admin/users.php

The pages requiring the repositioning of the security check:

- /acl/admin/perms.php
- /acl/admin/roles.php
- /acl/admin/users.php
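
Added example, not part of the thread and not the tutorial's code: a small PHP model of one admin page request that shows why both fixes listed above (security check before the form processing, and exit(); after the header redirect) are needed together. The function names, the `access_admin` permission, the `role_name` field and the redirect target are hypothetical, and `$headers` stands in for real header() calls.

```php
<?php
// Added illustration; every name here is hypothetical, not the tutorial's API.
// Run with: php example.php

function user_can(array $session, string $perm): bool
{
    return in_array($perm, $session['perms'] ?? [], true);
}

// $checkFirst:        the security check sits above the form processing code.
// $exitAfterRedirect: exit(); follows the Location header, so the script stops.
function handle_request(array $session, array $post, array &$roles,
                        bool $checkFirst, bool $exitAfterRedirect): array
{
    $headers = [];
    // The security check: queue a redirect when the permission is missing.
    $denied = function () use ($session, &$headers): bool {
        if (user_can($session, 'access_admin')) {
            return false;
        }
        $headers[] = 'Location: ../index.php';  // constructed target
        return true;
    };

    if ($checkFirst && $denied() && $exitAfterRedirect) {
        return $headers;                        // models exit(); nothing below runs
    }
    if (isset($post['role_name'])) {            // form processing: changes ACL data
        $roles[] = $post['role_name'];
    }
    if (!$checkFirst) {
        $denied();                              // check placed after the form code
    }
    return $headers;
}

$visitor = ['perms' => []];                     // constructed: no permissions at all
$post    = ['role_name' => 'added-by-visitor']; // constructed form submission

foreach ([[false, false], [false, true], [true, false], [true, true]] as [$first, $exit]) {
    $roles   = ['Administrators'];
    $headers = handle_request($visitor, $post, $roles, $first, $exit);
    printf("check first: %-5s  exit after redirect: %-5s  %s  roles: %s\n",
        var_export($first, true), var_export($exit, true),
        $headers[0], implode(', ', $roles));
}
```

Every combination sends the redirect header, but the role list stays unchanged only when the check comes first and the script stops after the redirect.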