BOOK: Beginning PHP, Apache, MySQL Web Development ISBN: 978-0-7645-5744-6
This is the forum to discuss the Wrox book Beginning PHP, Apache, MySQL Web Development by Michael K. Glass, Yann Le Scouarnec, Elizabeth Naramore, Gary Mailer, Jeremy Stolz, Jason Gerner; ISBN: 9780764557446
#1
June 16th, 2004, 06:51 PM
Friend of Wrox
Chapter 12 Transact-Article.php

In this file you check for $_SESSION['user_id'] only in the first case of the switch. Shouldn't you check in every single case of the switch, or check at the beginning and set a variable (flag)?


Christian

#2
June 17th, 2004, 02:43 AM
Authorized User

In truth, any of the conditions that require a user to be logged in should check for $_SESSION['user_id']. However, you must try to remember that the applications in the book leave a LOT of room for improvement, in the interest of only including that code required for you to learn the current lesson. Unfortunately, sometimes that means sacrificing some security.

However, also realize that we didn't give up on security altogether. We do show you in the first condition how to test for certain conditions. Plus (for example), the Edit transaction shouldn't be triggered, because unless the user is logged in AND has permission to edit the article, s/he won't even see the Edit button. Hence, Edit won't be a condition unless the user is logged in.

If you want decent security, then there are really three different places you should use it. First, at the top of any page that requires registered access. If the user does not have the right credentials to view the page, then redirect them elsewhere immediately (usually the login page). Once they log in, you can bring them back to the page they were just on (using session variables, of course!).

Second, you might have certain items on a page that should only be visible by certain users. We use this knowledge to only show Admins the Admin menu item on the home page, for example.

Third, the resulting page you are directed to should have security, to ensure nobody got here by sneaking around when you weren't looking. In this case, your suggestion is quite valid -- you should do a user_id check before committing data to the database, to make sure that person has authority to do so.

As you can probably tell, that would be a LOT of code just for doing security checks. That would add a lot of bloat to the applications. In a future revision, we may introduce objects that will do authentication for you, and would be very modular. Then you could do your authentication checks any time, from any page.

Michael K. Glass
Author, Beginning PHP, Apache, MySQL Web Development
#3
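The three checkpoints described in the reply above, turned into a transaction script as an added example. This is not the book's transact-article.php; the table and column names, the session keys (user_id, access_lvl), the admin level, the PDO connection details and the helper names are all assumptions. The point worth stressing for the switch in the original question: hiding the Edit button is a display decision, not an authorization check. Anyone can POST action=edit with someone else's article_id, so every data-changing case has to verify both that a session exists and that this user may touch that particular row before anything is written.

```php
<?php
// Added example, not the book's code. Assumed schema: table `articles`
// with columns article_id, author_id, title, body. Assumed session keys
// set by login.php: user_id and access_lvl (3 = admin, an assumption).
session_start();

// Assumed connection details; replace with your own.
$db = new PDO(
    'mysql:host=localhost;dbname=example',
    'dbuser',
    'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// Checkpoint 1: gate the whole page. Runs once, before the switch, so
// no case can be reached without a session. The current URL is parked
// in the session so login.php can send the user back afterwards.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
        header('Location: login.php');
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Checkpoint 2 (display) lives in the page that renders the menu, e.g.
// only printing the Edit link when is_admin() or the user owns the
// article. It is repeated here only to make the contrast clear: it
// decides what is shown, never what is allowed.
function is_admin(): bool
{
    return (($_SESSION['access_lvl'] ?? 0) >= 3);
}

// Checkpoint 3: authorize the write against the row it touches.
// A logged-in user is not automatically allowed to edit any article.
function can_modify_article(PDO $db, int $userId, int $articleId): bool
{
    $stmt = $db->prepare('SELECT author_id FROM articles WHERE article_id = ?');
    $stmt->execute([$articleId]);
    $authorId = $stmt->fetchColumn();
    if ($authorId === false) {
        return false;                    // no such article
    }
    return is_admin() || (int) $authorId === $userId;
}

$userId    = require_login();            // the "flag" from the question
$action    = $_POST['action'] ?? '';
$articleId = (int) ($_POST['article_id'] ?? 0);
$title     = $_POST['title'] ?? '';
$body      = $_POST['body'] ?? '';

switch ($action) {
    case 'submit':
        // Ownership comes from the session, never from a form field.
        $stmt = $db->prepare('INSERT INTO articles (author_id, title, body) VALUES (?, ?, ?)');
        $stmt->execute([$userId, $title, $body]);
        $articleId = (int) $db->lastInsertId();
        break;

    case 'edit':
        if (!can_modify_article($db, $userId, $articleId)) {
            http_response_code(403);
            exit('Not authorized to edit this article.');
        }
        $stmt = $db->prepare('UPDATE articles SET title = ?, body = ? WHERE article_id = ?');
        $stmt->execute([$title, $body, $articleId]);
        break;

    case 'delete':
        if (!can_modify_article($db, $userId, $articleId)) {
            http_response_code(403);
            exit('Not authorized to delete this article.');
        }
        $stmt = $db->prepare('DELETE FROM articles WHERE article_id = ?');
        $stmt->execute([$articleId]);
        break;

    default:
        http_response_code(400);
        exit('Unknown action.');
}

header('Location: viewarticle.php?article_id=' . $articleId);
exit;
```

Two details a practitioner would add on top of this: login.php should only honour a return_to value that is a local path on the site, otherwise the stored URL becomes an open redirect; and because every case here changes data on a POST, a per-session CSRF token checked before the switch stops a logged-in admin's browser from being tricked into submitting action=delete by another site.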
June 17th, 2004, 01:58 PM
Friend of Wrox

It makes a lot of sense. Thanks for the explanation.

Christian
