Curt,

You're absolutely right, it is a security hole; however, the response was a quick solution
without much thought in regards to the security integrity of the script.

> -----Original Message-----
> From: Curt Zirzow [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 26 August 2003 01:04
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] How to open random Flash page with hyperlink?
> 
> 
> * Thus wrote Cody Phanekham ([EMAIL PROTECTED]):
> > Murugesan,
> > 
> > main.php:
> > <?
> > session_name("mysessionname");
> > session_start();
> > if (!$s_authed) // check access
> > {
> >   // user hasn't been authorised, therefore redirect to login page
> 
> This is exactly why register globals is turned off by default now.
> 
> This is a major security hole, I can simply put in the url:
>   http://host/main.php?s_authed=1
> 
> And I would be considered authenticated, throughout the site.
> 
> Please turn register_globals off and use the $_SESSION variable to
> access your session vars.
> 
> 
> Curt
> -- 
> "I used to think I was indecisive, but now I'm not so sure."
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 

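The flaw Curt describes, shown beside the `$_SESSION`-based check he recommends. This is an added example, not code from either poster; the function names, the `authed` session key and the constructed query string are assumptions, and `extract()` only stands in for the old `register_globals` behaviour so the problem can be reproduced on a PHP build where that directive no longer exists.

```php
<?php
// Added example, not from the original thread. Names are hypothetical.

// Constructed request: the query string Curt mentions, ?s_authed=1
$_GET = ['s_authed' => '1'];

// Original main.php logic. With register_globals=On, PHP populated
// $s_authed from the request automatically; extract() reproduces that.
function vulnerable_is_authed(array $request): bool
{
    extract($request);            // stand-in for register_globals=On
    return !empty($s_authed);     // the "check access" test from main.php
}

// Hardened check: the flag lives only in the server-side session store,
// which the client cannot populate through GET/POST/cookie names.
// In a real page this follows session_name("mysessionname"); session_start();
function safe_is_authed(array $session): bool
{
    return isset($session['authed']) && $session['authed'] === true;
}

// login.php sets the flag only after credentials have been verified.
function mark_logged_in(array &$session): void
{
    $session['authed'] = true;
}

// Demonstration on a fresh (not logged in) session
$session = [];
echo vulnerable_is_authed($_GET) ? "vulnerable: granted\n" : "vulnerable: denied\n";
echo safe_is_authed($session)    ? "safe: granted\n"       : "safe: denied\n";
mark_logged_in($session);
echo safe_is_authed($session)    ? "safe after login: granted\n" : "safe after login: denied\n";
```

On PHP 5.4 and later `register_globals` is gone entirely, so the `extract()` line is the only way to make the first check fail on a current interpreter; treating request data as trusted in any other form (`extract($_REQUEST)`, `import_request_variables()`) reintroduces the same hole.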
