Hi,

securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password

would not register 'username' and 'pwd' in the $_SESSION array but in the $_GET and $_REQUEST arrays, like:

$_GET['_SESSION']['username'] => 'admin'

There is no way to inject any kind of data into the super-global arrays at all.

Hope this helps,
red

On Tuesday, 23 March 2004 14:45, Andy B wrote:
> hi
>
> in an attempt to create a login system for site administrators on a website
> i come into the following problem that bothers me because i can't find any
> way to fix it.
>
> problem:
> most login scripts/systems i look at for examples on how to make a login
> section from sessions (allow the administrator to go between login required
> pages and also be able to go to public pages) without having to login again
> (the only way an administrator has to "login again" is if they close the
> browser on that site)...
>
> i run into the deal where most login scripts check to see if
> $_SESSION[username] or a $_SESSION var has been set or is valid. i noticed
> this could be a very bad thing because there is nothing stopping an outside
> link from doing something like: <a
> href="securepage.php?_SESSION[username]=admin&_SESSION[pwd]=password">go to
> secure page</a> and being valid (that is if they manage to hack the
> user/pwd)...
>
> any ideas how to create such a system?
>
> any ways around that?? i need a system that will not do that

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
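
The behaviour described in the reply above, as an added PHP example that is not part of the original messages: the query string from the question is parsed the way PHP parses request parameters, and a login guard reads only the server-side session. The names is_admin(), login() and $users are hypothetical, the password is a constructed sample, and $_SESSION is set by hand so the script runs on the CLI without a session store.

```php
<?php
// Added example with constructed input; run with `php example.php`.
declare(strict_types=1);

// Server-side session state for a visitor who has not logged in.
// In a web request session_start() fills $_SESSION from the session store;
// it is assigned by hand here so the script runs offline.
$_SESSION = [];

// The query string from the link in the question.
$query = '_SESSION[username]=admin&_SESSION[pwd]=password';

// parse_str() applies PHP's query-string parsing rules; $get holds what
// the script would find in $_GET for that URL.
parse_str($query, $get);

// Hypothetical guard: trusts only what the server stored in the session.
function is_admin(array $session): bool
{
    return isset($session['username']) && $session['username'] === 'admin';
}

// Hypothetical login handler: the only code path that writes the session,
// and only after the submitted password matches the stored hash.
function login(array &$session, string $user, string $pass, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    $session['username'] = $user;
    return true;
}

// Constructed user table: passwords are stored as hashes, never in the session.
$users = ['admin' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// The request parameter lands under $get['_SESSION'], as the reply says.
var_dump($get['_SESSION']['username']);
// The guard ignores request data, so the crafted link does not authenticate.
var_dump(is_admin($_SESSION));
// A wrong password leaves the session unchanged.
var_dump(login($_SESSION, 'admin', 'wrong', $users), is_admin($_SESSION));
// Only a verified login marks the session as admin.
var_dump(login($_SESSION, 'admin', 'constructed-sample-pw', $users), is_admin($_SESSION));
```

The guard never reads $_GET or $_REQUEST, so nothing a link supplies can satisfy it; the password itself is checked once at login and is not kept in the session.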