BOOK: Beginning PHP, Apache, MySQL Web Development ISBN: 978-0-7645-5744-6
This is the forum to discuss the Wrox book Beginning PHP, Apache, MySQLWeb Development by Michael K. Glass, Yann Le Scouarnec, Elizabeth Naramore, Gary Mailer, Jeremy Stolz, Jason Gerner; ISBN: 9780764557446
You are currently viewing the BOOK: Beginning PHP, Apache, MySQL Web Development ISBN: 978-0-7645-5744-6 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old June 16th, 2004, 06:51 PM
Friend of Wrox
 
Join Date: Jun 2004
Location: Fairfield, Iowa, USA.
Posts: 101
Thanks: 0
Thanked 0 Times in 0 Posts
Chapter 12 Transact-Article.php

In this file you check for $_Session['user_id'] just for the first case in the switch. Shouldn't you check in every single case of the switch, or check at the beginning and set a variable (flag)?


Christian

__________________
Christian
 
Old June 17th, 2004, 02:43 AM
Authorized User
 
Join Date: May 2004
Location: , , .
Posts: 41
Thanks: 0
Thanked 0 Times in 0 Posts

In truth, any of the conditions that require a user to be logged in should check for $_SESSION['user_id']. However, you must try to remember that the applications in the book leave a LOT of room for improvement, in the interest of only including that code required for you to learn the current lesson. Unfortunately, sometimes that means sacrificing some security.

However, also realize that we didn't give up on security altogether. We do show you in the first condition how to test for certain conditions. Plus, (for example), the Edit transaction shouldn't be triggered, because unless the user is logged in AND has permission to edit the article, s/he won't even see the Edit button. Hence, Edit won't be a condition unless the user is logged in.

If you want decent security, then there are really three different places you should use it. First, at the top of any page that requires registered access. If the user does not have the right credentials to view the page, then redirect them elsewhere immediately (usually the login page). Once they log in, you can bring them back to the page they were just on (using session variables, of course!).

Second, you might have certain items on a page that should only be visible by certain users. We use this knowledge to only show Admins the Admin menu item on the home page, for example.

Third, the resulting page you are directed to should have security, to ensure nobody got here by sneaking around when you weren't looking. In this case, your suggestion is quite valid -- you should do a user_id check before committing data to the database, to make sure that person has authority to do so.

As you can probably tell, that would be a LOT of code just for doing security checks. That would add a lot of bloat to the applications. In a future revision, we may introduce objects that will do authentication for you, and would be very modular. Then you could do your authentication checks any time, from any page.

Michael K. Glass
Author, Beginning PHP, Apache, MySQL Web Development
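The three check points described in the reply above (a page-level login gate that remembers where to return, hiding controls the user may not use, and a per-action authority check before anything is written to the database), as an added example that is not the book's transact-article.php and not the author's code. The helper names (`require_login`, `user_can`, `render_edit_link`), the `return_to` session key, the `action`/`article_id` form fields and the in-memory ownership table are all assumptions standing in for the book's MySQL queries.

```php
<?php
// Added example: one place to check credentials for every case of the switch,
// instead of only the first. Names and data below are assumptions.
session_start();

// 1. Page-level gate. Every transaction on this page needs a logged-in user,
//    so the check runs once, before the switch. The current URL is kept in the
//    session so login.php can send the user back afterwards.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// 3. Per-action authority check. In the book this would be a MySQL lookup of
//    the article's owner and the user's admin flag; here it is a constructed
//    in-memory table so the example runs without a database.
function user_can(int $userId, string $action, int $articleId): bool
{
    $articleOwner = [1 => 10, 2 => 11];   // article_id => owning user_id (constructed)
    $admins       = [42 => true];         // user_ids with admin rights (constructed)

    switch ($action) {
        case 'submit':
            // Any logged-in user may submit a new article.
            return true;
        case 'edit':
        case 'delete':
            // Only the owner or an admin may change an existing article.
            return isset($articleOwner[$articleId])
                && ($articleOwner[$articleId] === $userId || isset($admins[$userId]));
        default:
            // Unknown actions are refused rather than falling through.
            return false;
    }
}

// 2. Visibility: the Edit link is only rendered for users who may edit.
//    This is a convenience for the user, not a security boundary; the
//    user_can() call below still runs for every submitted request.
function render_edit_link(int $userId, int $articleId): string
{
    if (!user_can($userId, 'edit', $articleId)) {
        return '';
    }
    return '<a href="compose_article.php?article_id=' . $articleId . '">Edit</a>';
}

$userId    = require_login();
$action    = (string) ($_POST['action'] ?? '');
$articleId = (int) ($_POST['article_id'] ?? 0);

// The authority check guards every case of the switch, including ones a user
// could reach by posting the form directly without ever seeing a button.
if (!user_can($userId, $action, $articleId)) {
    http_response_code(403);
    exit('You are not allowed to perform this action.');
}

switch ($action) {
    case 'submit':
        // INSERT the new article (database code omitted in this example).
        break;
    case 'edit':
        // UPDATE the article (database code omitted).
        break;
    case 'delete':
        // DELETE the article (database code omitted).
        break;
}
```

The point of putting `require_login()` and `user_can()` ahead of the switch is that a missing check in any single case can no longer be reached by submitting the form by hand; hiding the Edit button (point 2) remains purely cosmetic.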
 
Old June 17th, 2004, 01:58 PM
Friend of Wrox
 
Join Date: Jun 2004
Location: Fairfield, Iowa, USA.
Posts: 101
Thanks: 0
Thanked 0 Times in 0 Posts

It makes a lot of sense. Thanks for the explanation.

Christian
