On Thu, 5 Jun 2003 02:10:32 +0800, Jason Wong wrote:

>In case 1, a malicious person can bypass your password checks by passing 
>admin=1 in the URL.

Actually, I set up a very similar user security system by taking
advantage of the $PHP_AUTH_USER variable.  

I would check to see if the variable was set and if so, the user was an
"administrator" and could get to additional stuff.  To get apache to
set the variable and pass it to me, I added a "login.php" and a
matching .htaccess mod to force login.php to require authentication.

It worked like a champ!  Unfortunately, it also worked to add
"?PHP_AUTH_USER=1" to the calling script.  A simple change to use
$_SERVER['PHP_AUTH_USER'] GREATLY enhanced the security!  

Can it still be hacked?  Probably.  Is it more secure?  Absolutely!


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

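Added example, not code from the thread: the two checks described above side by side, with the register_globals behaviour that made the bare `$PHP_AUTH_USER` overridable from the query string simulated in a function, and the `$_SERVER`-based version that also confirms the authenticated name is on an admin list. The allowlist, usernames and request arrays are constructed for illustration.

```php
<?php
// Constructed admin allowlist (assumption, not from the mail).
const ADMIN_USERS = ['alice'];

// The check as originally described, with register_globals=On semantics:
// request parameters become plain variables, so ?PHP_AUTH_USER=1 in the
// URL defines $PHP_AUTH_USER when Apache has not set it itself.
function isAdminViaGlobals(array $get, array $server): bool
{
    // Later sources override earlier ones; server values win when present,
    // but an unauthenticated request has no server value to win with.
    $vars = array_merge($get, $server);
    $PHP_AUTH_USER = $vars['PHP_AUTH_USER'] ?? null;
    return isset($PHP_AUTH_USER);           // any value at all passes
}

// Hardened: read only what the web server placed in $_SERVER, and require
// the authenticated user to actually be an administrator.
function isAdminViaServer(array $server): bool
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    return $user !== null && in_array($user, ADMIN_USERS, true);
}

// Constructed requests: a URL trick without authentication, and a request
// where Apache performed basic auth and set PHP_AUTH_USER.
$urlTrick = ['get' => ['PHP_AUTH_USER' => '1'], 'server' => []];
$realAuth = ['get' => [], 'server' => ['PHP_AUTH_USER' => 'alice']];
$otherUser = ['get' => [], 'server' => ['PHP_AUTH_USER' => 'bob']];

foreach (['urlTrick' => $urlTrick, 'realAuth' => $realAuth, 'otherUser' => $otherUser] as $name => $req) {
    printf(
        "%-9s globals: %-5s server: %s\n",
        $name,
        isAdminViaGlobals($req['get'], $req['server']) ? 'admin' : 'no',
        isAdminViaServer($req['server']) ? 'admin' : 'no'
    );
}
```

Run under the CLI, the `urlTrick` request is granted admin by the globals-based check and refused by the `$_SERVER`-based one; `otherUser` shows why the allowlist matters even once the variable source is trusted.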