[SOLVED] "Admin mode" variable. Safe method?


dk1983

Hi there,

 

I'm currently developing a site that lists a number of articles using a PHP loop that pulls data from a MySQL database. In this loop (i.e for each article) I have an IF statement:

 

if ($adminMode == true) echo 'Administrator only stuff';

 

Basically, the site will either operate in normal mode if the $adminMode variable is false, otherwise it will operate in admin mode with all the extra admin content therein (like an 'edit' or 'delete' link for example).

 

Now, in order to set the $adminMode variable, I have a seperate file called admin.php which is protected by a .htaccess password. In the admin.php file, I have this:

 

$adminMode = true;

require_once 'main_page.php';

 

The $adminMode variable is never passed via a POST or GET and every administrator function checks the $adminMode variable is true before executing.

 

My question is this: is this method safe?

 

Thanks,

Dave.


It depends... personally... I wouldn't... but that's just me... if you have register_globals on... that'd be a BIG security hole... and easy to bypass that check...

 

also

if ($adminMode === true) echo 'Administrator only stuff';

change that to === boolean specific...

 

also

if you have register_globals on or off... storing information in an array is 100X harder to hack ;-)

say...

$user['adminMode'] = true;

if ($user['adminMode'] === true) echo 'Administrator only stuff';


Thanks for your reply.

 

Unfortunately, the server I'm working on is not mine, and I'm not sure if register globals is turned on or not. I guess I can write a script to check.

 

I'll also change the variable to an array. I'm already validating all input so once I make the changes you suggested, there shouldn't be any more security holes I hope!

 

Thanks,

Dave.


Hi again,

 

I just checked, and REGISTER_GLOBALS is turned on. I've done a bit of reading on the security issues surrounding this and I think I might have a solution.

 

Instead of the $adminMode variable, could I instead create a class with an $adminMode variable and a getter / setter method. Then, all references to the variable would be via:

 

if ($adminClassInstance->getAdminMode())

 

This way (I'm assuming), no one can spoof the adminMode variable (like create a new global one).

 

Am I correct? Will this ever be safe with REGISTER_GLOBALS turned on?

 

Thanks much,

Dave.


You know, the best way to check admins would be that way. Or a function call which will store the level in session. To defeat the register_globals exploits just make sure you always call your data by the means it originally was meant, IE: $_SESSION['adminlevel'] instead of just $adminlevel.

 

What I would do, is in that class call the getAdminMode in the constructor and populate a property with the mode so than all you have to do is basically say:

 

if $adminclass->adminMode > 3    etc... Makes it less hard on the SQL Server by calling a query anytime you want to check the admin level.
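Putting the thread's advice together (a class wrapper as Dave proposed, state kept in the session and read only through $_SESSION as frost110 suggested, and the strict === comparison from the first reply), as an added example that is not code from any poster. It assumes admin.php still sits behind the .htaccess password and is the only file that calls AdminContext::grant(); the class name and method names are made up for this example.

```php
<?php
// Added example: admin flag that register_globals cannot populate from request
// data, because it is never read from a plain global, only from $_SESSION.
// Written for PHP 5.3+, the era in which register_globals could still be on.
final class AdminContext
{
    const SESSION_KEY = 'adminMode';

    // admin.php (behind the .htaccess password) calls this before requiring
    // main_page.php. A fresh session id avoids carrying over a pre-auth id.
    public static function grant()
    {
        self::requireSession();
        session_regenerate_id(true);
        $_SESSION[self::SESSION_KEY] = true;
    }

    public static function revoke()
    {
        self::requireSession();
        unset($_SESSION[self::SESSION_KEY]);
    }

    // Strict comparison: only a genuine boolean true counts, not "1", 1 or "true".
    public static function isAdmin()
    {
        self::requireSession();
        return isset($_SESSION[self::SESSION_KEY])
            && $_SESSION[self::SESSION_KEY] === true;
    }

    private static function requireSession()
    {
        if (session_id() === '') {
            session_start();
        }
    }
}

// Defence in depth: refuse to serve the admin area at all while register_globals
// is enabled, instead of relying on every check being spoof-proof.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('register_globals is enabled; admin pages are disabled.');
}

// In main_page.php, inside the article loop, replacing the $adminMode check:
if (AdminContext::isAdmin()) {
    echo 'Administrator only stuff';
}
```

Because the flag lives under $_SESSION and is compared with ===, a value injected by register_globals into $adminMode (or $user) never reaches the check; on PHP 5.4 and later register_globals no longer exists and ini_get() simply returns false.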


Hi,

 

Thanks for your input frost110. I've followed your advice and have made sure that each variable is named explicitly.

 

I don't really understand what you mean by:

 

if $adminclass->adminMode > 3    etc... Makes it less hard on the SQL Server by calling a query anytime you want to check the admin level.

 

In my script, adminMode is a boolean value. Why did you test 'if greater than 3'? Also, the adminMode variable isn't stored in the db; it is assigned a value in a password protected admin.php file.

 

Just want to make sure I'm not missing anything! Thanks,

Dave.
