BOOK: Beginning PHP, Apache, MySQL Web Development ISBN: 978-0-7645-5744-6 | This is the forum to discuss the Wrox book Beginning PHP, Apache, MySQL Web Development by Michael K. Glass, Yann Le Scouarnec, Elizabeth Naramore, Gary Mailer, Jeremy Stolz, Jason Gerner; ISBN: 9780764557446
Welcome to the p2p.wrox.com Forums.
You are currently viewing the BOOK: Beginning PHP, Apache, MySQL Web Development ISBN: 978-0-7645-5744-6 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
June 16th, 2004, 06:51 PM
Friend of Wrox
Join Date: Jun 2004
Posts: 101
Chapter 12 Transact-Article.php
In this file you check for $_SESSION['user_id'] only in the first case of the switch. Shouldn't you check in every single case of the switch, or check at the beginning and set a variable (flag)?
Christian

June 17th, 2004, 02:43 AM
Authorized User
Join Date: May 2004
Posts: 41
In truth, any of the conditions that require a user to be logged in should check for $_SESSION['user_id']. However, you must try to remember that the applications in the book leave a LOT of room for improvement, in the interest of only including that code required for you to learn the current lesson. Unfortunately, sometimes that means sacrificing some security.
However, also realize that we didn't give up on security altogether. We do show you in the first condition how to test for certain conditions. Plus, for example, the Edit transaction shouldn't be triggered, because unless the user is logged in AND has permission to edit the article, s/he won't even see the Edit button. Hence, Edit won't be a condition unless the user is logged in.
If you want decent security, then there are really three different places you should use it. First, at the top of any page that requires registered access. If the user does not have the right credentials to view the page, then redirect them elsewhere immediately (usually the login page). Once they log in, you can bring them back to the page they were just on (using session variables, of course!).
Second, you might have certain items on a page that should only be visible by certain users. We use this knowledge to only show Admins the Admin menu item on the home page, for example.
Third, the resulting page you are directed to should have security, to ensure nobody got here by sneaking around when you weren't looking. In this case, your suggestion is quite valid -- you should do a user_id check before committing data to the database, to make sure that person has authority to do so.
As you can probably tell, that would be a LOT of code just for doing security checks. That would add a lot of bloat to the applications. In a future revision, we may introduce objects that will do authentication for you, and would be very modular. Then you could do your authentication checks any time, from any page.
Michael K. Glass
Author, Beginning PHP, Apache, MySQL Web Development
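The three places the reply describes, written out as an added PHP example. This is not code from the book or from its transact-article.php; the table name `articles`, its columns, the session keys `user_id` and `is_admin`, and the action strings are assumptions chosen for illustration. The login test is done once at the top of the dispatch (the original poster's flag idea), and the "did this person sneak in" check runs against the database row before any write, so a hand-built POST naming an action the user never saw a button for is still refused:

```php
<?php
// Added example (not the book's code): one login check at the top of the
// transaction script plus a per-action authorization check before any write.
// Table, column, action and session-key names are assumptions for illustration.
declare(strict_types=1);

// What each action requires beyond being logged in.
const ACTION_RULES = [
    'Submit New Article' => ['admin_only' => false, 'owner_or_admin' => false],
    'Edit Article'       => ['admin_only' => false, 'owner_or_admin' => true],
    'Delete Article'     => ['admin_only' => false, 'owner_or_admin' => true],
    'Publish Article'    => ['admin_only' => true,  'owner_or_admin' => false],
];

/** Returns null when $action is allowed for this session, else a denial reason. */
function authorize(string $action, array $session, ?array $article): ?string
{
    // A logged-in user is needed for every case, so test once up front
    // instead of repeating the test inside each case of the switch.
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    // An action the form never offers is rejected rather than falling through.
    if (!isset(ACTION_RULES[$action])) {
        return 'unknown action';
    }
    $rule    = ACTION_RULES[$action];
    $isAdmin = !empty($session['is_admin']);

    // Hiding the Edit button is UI, not security: a hand-built POST can still
    // send "Edit Article", so ownership is re-checked against the DB row.
    if ($rule['admin_only'] && !$isAdmin) {
        return 'admin only';
    }
    if ($rule['owner_or_admin']) {
        if ($article === null) {
            return 'no such article';
        }
        if (!$isAdmin && (int) $article['user_id'] !== (int) $session['user_id']) {
            return 'not the owner';
        }
    }
    return null;
}

/** Runs one transaction and returns a short status string. */
function handle_transaction(array $post, array $session, PDO $db): string
{
    $action    = (string) ($post['action'] ?? '');
    $articleId = (int) ($post['article_id'] ?? 0);

    // Load the target row first so the decision uses server-side data, not form fields.
    $article = null;
    if ($articleId > 0) {
        $stmt = $db->prepare('SELECT article_id, user_id FROM articles WHERE article_id = ?');
        $stmt->execute([$articleId]);
        $article = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    }

    $denied = authorize($action, $session, $article);
    if ($denied !== null) {
        return "denied: $denied";
    }

    switch ($action) {
        case 'Submit New Article':
            // The author id comes from the session, never from a hidden form field.
            $stmt = $db->prepare('INSERT INTO articles (user_id, title) VALUES (?, ?)');
            $stmt->execute([(int) $session['user_id'], (string) ($post['title'] ?? '')]);
            return 'created #' . $db->lastInsertId();
        case 'Edit Article':
            $stmt = $db->prepare('UPDATE articles SET title = ? WHERE article_id = ?');
            $stmt->execute([(string) ($post['title'] ?? ''), $articleId]);
            return "updated #$articleId";
        case 'Delete Article':
            $db->prepare('DELETE FROM articles WHERE article_id = ?')->execute([$articleId]);
            return "deleted #$articleId";
        case 'Publish Article':
            $db->prepare('UPDATE articles SET published = 1 WHERE article_id = ?')->execute([$articleId]);
            return "published #$articleId";
    }
    return 'unreachable'; // authorize() has already rejected unknown actions
}

// Demo with an in-memory SQLite database and constructed sessions; no web server needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (article_id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT, published INTEGER DEFAULT 0)');
$db->exec("INSERT INTO articles (user_id, title) VALUES (1, 'Owned by user 1')");
$anon  = [];
$user2 = ['user_id' => 2];
$admin = ['user_id' => 9, 'is_admin' => true];
echo handle_transaction(['action' => 'Submit New Article', 'title' => 'x'], $anon, $db), "\n";
echo handle_transaction(['action' => 'Edit Article', 'article_id' => 1, 'title' => 'y'], $user2, $db), "\n";
echo handle_transaction(['action' => 'Publish Article', 'article_id' => 1], $user2, $db), "\n";
echo handle_transaction(['action' => 'Edit Article', 'article_id' => 1, 'title' => 'y'], $admin, $db), "\n";
echo handle_transaction(['action' => 'Drop Table', 'article_id' => 1], $admin, $db), "\n";
```

The session is passed in as a plain array so the script runs from the command line with `php`; in a real page you would pass `$_SESSION`, and the first of the three places in the reply (redirecting an anonymous visitor to login.php and remembering the requested URL in a session variable) would sit above the call to handle_transaction(). Because the second place, the conditional menu item, decides only what is rendered, the authorize() check is what actually stops a request that bypasses the form.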

June 17th, 2004, 01:58 PM
Friend of Wrox
Join Date: Jun 2004
Posts: 101
It makes a lot of sense. Thanks for the explanation.
Christian
Similar Threads

Thread | Thread Starter | Forum | Replies | Last Post
begin php & mysql - chapter 12, user_form.php | jon_stubber | Beginning PHP | 1 | March 9th, 2006 10:57 AM
transact-user.php | Matthias | BOOK: Beginning PHP, Apache, MySQL Web Development ISBN: 978-0-7645-5744-6 | 1 | December 18th, 2005 09:34 AM
Chapter 12 update_account.php file | andrene | BOOK: Beginning PHP5, Apache, and MySQL Web Development ISBN: 978-0-7645-7966-0 | 0 | July 25th, 2005 07:00 PM
chapter 12 composing article | cfemocha | BOOK: Beginning PHP, Apache, MySQL Web Development ISBN: 978-0-7645-5744-6 | 1 | October 7th, 2004 11:16 PM
Chapter 12 - useraccount.php | buzzuh | BOOK: Beginning PHP, Apache, MySQL Web Development ISBN: 978-0-7645-5744-6 | 3 | September 3rd, 2004 02:53 PM