On Friday, March 1, 2002, at 06:11  PM, James Taylor wrote:

> IF a user is logged on, they can post, if not they don't even see the 
> option.
> Instead of doing a SQL query every time they look at the posts, I was 
> thinking
> of registering a variable called like $true where if they're logged on, 
> it's
> set, and if it's set they see the option to post.  The only thing I'm 
> worried
> about though is that someone could probably figure out to type in 
> something
> like comments.php?true=1 and that would allow anonymous posting, which I
> don't want.  Is there any way to set a variable that can't be set in a 
> query
> string?  Or, is there even a better way of doing something like this?

Have you investigated the possibility of turning register_globals=off ?  
That's exactly why this recommendation was made.  This keeps any GET 
variables passed in the querystring (like the way you describe true=1 
being passed) from being interpreted as session variables.  When 
register_globals=off, you have much more control and a much better sense 
of where your variables are coming from and which variables you are 
privileging to perform actions.  This is because every variable (apart 
from variables that are created only for the purposes of the current 
script) is marked as being within the $_POST or $_GET or $_SESSION 
array, etc.  Someone can send GET variables like comments.php?true=1 all 
they want, but your script doesn't globalize them -- and your script is 
also specifically programmed to only check the $_SESSION array for the 
presence of "true=1" (i.e. :  if ($_SESSION['true'] == 1) etc).  Thus 
any extraneous GET variables just bounce off your script, having no 
effect unless the script specifically looks for $_GET['true'] or 
something.


Erik




----

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

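To make the contrast concrete, here is an added example (not code from the thread or from either poster) that puts the two patterns side by side: the register_globals-style check that trusts a bare $true, and the check Erik recommends that reads only from $_SESSION. The function names, the `user_id` session key, and the use of extract() to stand in for what register_globals=on used to do automatically are all my assumptions for illustration; register_globals itself defaults to off since PHP 4.2 and was removed in PHP 5.4, so on a current PHP only the second pattern is even possible.

```php
<?php
// Added example, not from the original thread. Assumes a modern PHP with
// register_globals gone, so a query-string variable never becomes a plain
// global on its own; extract() below emulates the old behaviour on purpose.

declare(strict_types=1);

// Vulnerable pattern (register_globals=on era): the script trusts a global
// $true, which PHP would have populated from comments.php?true=1.
// extract() is only a stand-in for that behaviour so the example runs today.
function canPostLegacy(array $get): bool
{
    extract($get, EXTR_OVERWRITE);   // emulates register_globals on a request
    return isset($true) && $true == 1;  // anyone can forge ?true=1
}

// Hardened pattern: only a value the server itself wrote into the session
// counts. $_GET is never consulted, so extra query parameters have no effect.
function canPost(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// login.php, after credentials have been verified: mark the session.
// Regenerating the id means a session id handed out before login cannot be
// reused (fixation), and the marker is stored server side only.
function markLoggedIn(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// comments.php: decide whether to render the post form.
function renderPostOption(array $session): string
{
    return canPost($session)
        ? '<a href="post.php">Post a comment</a>'
        : '';   // anonymous visitors do not even see the option
}

// Demonstration with constructed request data (no real HTTP involved).
$forgedGet = ['true' => '1'];          // what comments.php?true=1 delivers

// Legacy check is fooled by the forged query string.
var_dump(canPostLegacy($forgedGet));

// Hardened check ignores $_GET entirely; an empty session means no posting.
var_dump(canPost([]));

// Only after login.php has set the marker does the option appear.
var_dump(canPost(['user_id' => 42]));
echo renderPostOption(['user_id' => 42]), PHP_EOL;

// In the real page the call is simply:
//   session_start();
//   echo renderPostOption($_SESSION);
```

Two details worth keeping even on a current PHP: compare against a value your own login code set (here an integer user id) rather than a loose `== 1`, which also matches the string "1" or true, and regenerate the session id at login so the session cookie that ends up carrying the privilege was issued after authentication.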