Is $_POST secure?


php_novice2007

Hi,

Say I've got a PHP page a.php, and in it I have the session start and validate that it is an authorized user etc., and in a.php I have a form which posts to b.php. In b.php do I need to have the session things again? b.php will use the data from a.php to do processing, and I'm using all the isset($_POST[..]); if it's not set, it means that an unauthorized person tried to access b.php, right?

Thanks


Use post for sending data but sessions for user authorization. Instead of checking post, check if a session exists.

<?php
session_start();                   // resume (or create) the session for this request
if (isset($_SESSION['user'])) {    // set by your login code, never by the client
    echo "Welcome " . htmlspecialchars($_SESSION['user']);
} else {
    die("access denied");
}


Also, to extend the idea about security, you could send the user's encrypted password and id to a session variable, and in each page which needs authorization you can compare those values with the db ones.

set the session

// after the login query has returned the matching user row
$id   = $row['id'];
$pass = $row['pass'];            // the stored (hashed) password, not the plaintext
$sess = $id . "." . $pass;       // "id.pass"; id is numeric, so the first dot is the separator
$_SESSION['user'] = $sess;

validate the session

if (isset($_SESSION['user'])) {
    // limit 2: the password hash itself may contain dots
    $sessVal = explode('.', $_SESSION['user'], 2);
    // $pdo is assumed to be an open PDO connection; a prepared statement replaces
    // the removed mysql_query() and keeps the values out of the SQL text
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE id = ? AND pass = ?");
    $stmt->execute([$sessVal[0], $sessVal[1] ?? '']);
    if ((int) $stmt->fetchColumn() === 1) {
        //code
    } else {
        die('no access here');
    }
} else {
    die('no access here');       // no session at all: deny instead of falling through
}


Someone could easily make a script to post to b.php.

Why not just check the referrer?

// Referer carries a full URL, so compare only its host part to HTTP_HOST;
// the header is supplied by the client and may be missing or altered.
$refHost = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) : null;
if ($refHost !== $_SERVER['HTTP_HOST']) {
    echo 'Please do not use proxies.';
    exit;
}

I would also suggest that you encrypt sessions, because they could upload a PHP script to view/edit sessions (I had that happen to me before), but that's if you want strict security (and also get stronger/anonymous passwords).


It's just that I'm writing a site where there are 3 types of users:

public, owner, and admin.

And for each of them they can fill in a form which allows them to access the database to extract info; depending on the type of user, they may not have access to some of the tables. So essentially I've got 3 copies of the same code, and I was just wondering if I can just use 1 copy instead since things are being posted anyway..

That's alright, I'll just copy and paste everything. Just makes maintenance a bit difficult lol..
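Added example, not code from anyone in this thread: one handler that follows the replies above by checking the session rather than $_POST for authorization, adds a per-session form token so that a script simply POSTing to the page is rejected, and uses a role-to-table allow-list so a single copy of the code serves public, owner and admin. It assumes login has already stored user_id and role in the session and that $pdo is an open PDO connection; the table names are constructed.

```php
<?php
// report.php: one copy of the form handler serving public, owner and admin users.
session_start();
// Login (storing $_SESSION['user_id'] and $_SESSION['role']) is assumed to happen
// elsewhere; this script only consumes those values, never anything from $_POST.
if (empty($_SESSION['user_id']) || empty($_SESSION['role'])) {
    http_response_code(403);
    exit('access denied');
}

// Tables each role may query (constructed example values).
const TABLES_BY_ROLE = [
    'public' => ['listings'],
    'owner'  => ['listings', 'bookings'],
    'admin'  => ['listings', 'bookings', 'users'],
];
$allowed = TABLES_BY_ROLE[$_SESSION['role']] ?? [];

// One token per session, echoed back as a hidden field. A script that merely
// POSTs here cannot supply it, because it exists only inside this session.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // GET: render the form; the session, not the form, decides what is offered.
    echo '<form method="post">';
    foreach ($allowed as $t) {
        $t = htmlspecialchars($t);
        echo "<label><input type=\"radio\" name=\"table\" value=\"$t\"> $t</label>";
    }
    echo '<input type="hidden" name="csrf" value="' . $_SESSION['csrf'] . '">';
    echo '<button>Run</button></form>';
    exit;
}
// POST: isset($_POST[...]) only proves that a request arrived, so everything is
// re-checked against the session before the database is touched.
$sent = $_POST['csrf'] ?? '';
if (!is_string($sent) || !hash_equals($_SESSION['csrf'], $sent)) {
    http_response_code(403);
    exit('bad token');
}
$table = $_POST['table'] ?? '';
if (!in_array($table, $allowed, true)) {   // e.g. an owner asking for 'users'
    http_response_code(403);
    exit('table not permitted for this role');
}
// $table now comes from a fixed allow-list, so embedding it as an identifier is safe.
// $pdo is assumed to be an open PDO connection created elsewhere.
$rows = $pdo->query("SELECT * FROM `$table` LIMIT 100")->fetchAll();
```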
