If the page they type on the URL is available it will be displayed.
Security is the remit of the web server not (really) PHP. However what I do
is have an is_logged_in function which uses a session variable. Something like
if ( is_logged_in() ) {
    // ... do stuff ...
} else {
    display_error( 'sod off, you ant logged in!');
}
Better still the is_logged_in function could display the error message
and you would not need the else.
To extend this you could implement user levels. Punter could be 0,
Administrator 5 and Superuser 9. You could then pass this through to the
function. So is_logged_in(5) would return true if user was at least of
level 5 (allowing levels 5,6,7,8,9 access). For pages for punters who must
be logged in use is_logged_in().
Regards,
Ben
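
The level check described in the reply above, as an added example that is not code from the original post. The session keys 'user_id' and 'level', the constant names and the require_level() helper are assumptions made for illustration; the level numbers are the ones given in the post.

```php
<?php
// Added example. A real page calls session_start() before these checks;
// the demo at the bottom fills $_SESSION directly with constructed data.
const LEVEL_PUNTER = 0;
const LEVEL_ADMINISTRATOR = 5;
const LEVEL_SUPERUSER = 9;

/**
 * True only if the session holds a logged-in user whose level is at
 * least $min_level. Anything missing or malformed is treated as "no".
 */
function is_logged_in(int $min_level = LEVEL_PUNTER): bool
{
    // No user id in the session means nobody is logged in.
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    // The level is expected to be an integer stored by the login code,
    // never taken from the URL or a form field; other types fail closed.
    $level = $_SESSION['level'] ?? null;
    if (!is_int($level) || $level < LEVEL_PUNTER || $level > LEVEL_SUPERUSER) {
        return false;
    }
    return $level >= $min_level;
}

/** Page guard (hypothetical helper): answer 403 and stop unless the level is met. */
function require_level(int $min_level = LEVEL_PUNTER): void
{
    if (!is_logged_in($min_level)) {
        http_response_code(403);
        exit("Access denied.\n");
    }
}

// Constructed sample sessions standing in for what login code would store.
$samples = [
    'anonymous'     => [],
    'punter'        => ['user_id' => 17, 'level' => LEVEL_PUNTER],
    'administrator' => ['user_id' => 3,  'level' => LEVEL_ADMINISTRATOR],
    'tampered'      => ['user_id' => 8,  'level' => '9 OR 1'],
];
foreach ($samples as $name => $session) {
    $_SESSION = $session;
    printf("%-13s any=%s admin=%s\n", $name,
        var_export(is_logged_in(), true),
        var_export(is_logged_in(LEVEL_ADMINISTRATOR), true));
}
```

Calling require_level(LEVEL_ADMINISTRATOR) at the top of a page gives the "no else needed" form the reply mentions, since the guard itself ends the request.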
"Seb Frost" <[EMAIL PROTECTED]> on 13/09/2001 11:36:54
To: <[EMAIL PROTECTED]>
cc:
Subject: [PHP] URL security...?
ok I know if I have a URL like /images/$fileName then someone could be
malicious by using ".." to get to the root directory.
What I want to know is, if a URL absolutely starts with /images/ on my
website, is there some way that someone can modify the remainder of the path
such that it actually goes to a different website? Do you see what I'm
saying?
cheers,
- seb frost
-----Original Message-----
From: GaM3R [mailto:[EMAIL PROTECTED]]
Sent: 13 September 2001 09:39
To: [EMAIL PROTECTED]
Subject: [PHP] help!!!
Cannot load /usr/local/apache_adserv/libexec/libphp4.so into server:
/usr/local/apache_adserv/libexec/libphp4.so: Undefined symbol "mpz_add_ui"
. . . configure line of
./configure '--with-apxs=/usr/local/apache_adserv/bin/apxs'
'--with-mysql=/usr/local' '--enable-versioning'
'--enable-inline-optimization' '--with-gd=/usr/local'
'--with-pgsql=/usr/local/pgsql' --enable-apc --with-gmp
--with-config-file-path=/usr/local/apache_adserv/php.ini
Cameron
outworld.cx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]