Wrox Programmer Forums

You are currently viewing the PHP How-To section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
February 6th, 2004, 08:53 PM
Authorized User (Join Date: Oct 2003; Location: KL, Wilayah Persekutuan, Malaysia; Posts: 91)
Security problem

I have a login form, main menu, employee form, and sales form. The user that entered the correct username and password in the login form can go to the main menu, and from there they can choose to go to the employee form or the sales form.
However, the user can also just type the address of the main menu, employee form or sales form, escaping the login form. As such, an unauthorized user can also use the system.
How can I prevent this from happening?



 
February 6th, 2004, 09:34 PM
richard.york, Wrox Author (Join Date: Jun 2003; Location: Camby, IN, USA; Posts: 1,706)

You need to implement a basic authentication scheme on those pages.

if (is_logged_in())
{
    // user is logged in
}
else
{
    // Not logged in, show an error message or redirect back to login page.
}

In the is_logged_in function you may check SESSION variables containing authentication information; the easiest method, IMO, is to set a variable like $_SESSION['is_logged_in'] with a boolean value. This assumes that this session variable is always assigned a boolean value (best practice), and using a static function instead of just checking the variable allows for possible future expansions or innovations of that functionality, including the addition of access privileges, account activation, email confirmation, etc.

So...

function is_logged_in()
{
    // Same key the login handler sets; a missing or non-boolean value counts as "not logged in".
    return isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] === true;
}

I am just assuming that you're using sessions here; that will work if you're using sessions.

I suppose I should be asking: what type of authentication are you using?

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::
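The guard Rich describes only works if the session flag can never be set except by the login handler, so the login and the protected page have to be looked at together. The following is an added example written for this thread, not code from the original post: a single auth.php that hardens the session cookie, sets the flag only after password_verify succeeds, regenerates the session ID on login, and calls require_login() at the top of the protected page. The in-memory $users array, the username alice and her password, the ?action= routing and the page name auth.php are all assumptions made for the example.

```php
<?php
// Added example (not from the original thread). Assumptions: the user store
// is a constructed in-memory array standing in for a users table, password
// hashes are produced with password_hash() at runtime, and the script is
// reached as auth.php?action=login|logout|menu.
declare(strict_types=1);

// Harden the session cookie before the session is started.
session_set_cookie_params([
    'httponly' => true,                  // not readable from JavaScript
    'samesite' => 'Lax',                 // not sent on cross-site POSTs
    'secure'   => isset($_SERVER['HTTPS']),
]);
session_start();

// Constructed user store; the hash is computed here so none is hard-coded.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

function is_logged_in(): bool
{
    // Strict comparison: a missing or non-boolean value is "not logged in".
    return isset($_SESSION['is_logged_in']) && $_SESSION['is_logged_in'] === true;
}

// Call this first on every protected page (main menu, employee form, sales
// form). Typing the URL directly then yields a redirect, never the content.
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: auth.php?action=login', true, 302);
        exit; // never fall through to the protected content
    }
}

function login(array $users, string $username, string $password): bool
{
    // Run password_verify even for unknown users so response time does not
    // reveal which usernames exist; the fallback hash is a constructed dummy.
    $hash = $users[$username]['hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return false;
    }
    // A fresh session ID on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['is_logged_in'] = true;
    $_SESSION['username']     = $username;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

$action = $_GET['action'] ?? 'menu';
switch ($action) {
    case 'login':
        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
            if (login($users, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
                header('Location: auth.php?action=menu', true, 302);
                exit;
            }
            http_response_code(401);
            echo 'Login failed. ';
        }
        echo '<form method="post"><input name="username">'
           . '<input name="password" type="password"><button>Log in</button></form>';
        break;
    case 'logout':
        logout();
        echo 'Logged out';
        break;
    default:
        require_login(); // the guard every protected page must call
        echo 'Main menu for ' . htmlspecialchars($_SESSION['username']);
}
```

The two details that matter beyond the flag itself are the `exit` after the redirect (without it the protected HTML is still sent, the browser just happens not to show it) and `session_regenerate_id(true)` at login, so a session ID an attacker planted before authentication is not promoted to a logged-in one. A production login form would also carry a CSRF token, which this example omits.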
 
February 6th, 2004, 11:39 PM
Friend of Wrox (Join Date: Jun 2003; Location: San Diego, CA, USA; Posts: 836)

Also, read this related thread:
  http://p2p.wrox.com/topic.asp?TOPIC_ID=9344

There are LOTS of articles and demos of user authentication schemes online. Check hotscripts.com, phpbuilder, etc.


Take care,

Nik
http://www.bigaction.org/




Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.