Posted by Gordon Burditt on 10/11/06 21:03
>I am allowing a user to access a page if they know the password and enter it
>on a form. I process that form with another PHP page; if it's the wrong
>password I do not display sensitive information.
 
 Every page should contain some kind of access check.  This might be as
 simple as
if (isset($_SESSION['logged_in_ok']) && $_SESSION['logged_in_ok'] === 1) { ...
 
 assuming you're using PHP sessions.
 
 If the access check fails, don't output the sensitive content.
 It could also be done with a common include file included by each page
 near the beginning containing such code.
 
 
>However, if the user looks in the source code and sees the name of the
>processing page, he can simply type in that name and get to the page anyway.
 
 A user shouldn't be able to look at *PHP* source code, as it's not sent
 to the browser, but if the URL can be seen in the *HTML* code output,
 he can.  So the URL to the processing page should be useless to him
 (he'll fail the access check).
 
>Okay - he cannot see so much, just a lot of empty fields, as I only load
>data if the pwd check is okay, but it's untidy and I want to refuse the user the
>page completely if he has not arrived at it in the way intended.
 
 If a user has not properly logged in, redirect him to the login page
 without generating any sensitive content.
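The common include file Gordon describes, written out as an added example (this is not code from his reply or from the original poster). It keeps the session key `logged_in_ok` from the reply; the file names `auth.php` and `login.php`, the redirect targets and the stored password hash are assumptions for illustration. It uses `password_hash()`/`password_verify()`, which need PHP 5.5 or later, so it is more modern than the 2006 thread.

```php
<?php
// Added example, not code from the original post. The session key
// 'logged_in_ok' is the one the reply uses; the file names (auth.php,
// login.php) and the stored hash are assumptions for illustration.
declare(strict_types=1);

// Where an unauthenticated visitor is sent instead of the page body.
const LOGIN_PAGE = '/login.php';

// The access check itself, separated from session handling so it can be
// exercised offline. Strict comparison: '1', true or a junk value do not pass.
function is_logged_in(array $session): bool
{
    return isset($session['logged_in_ok']) && $session['logged_in_ok'] === 1;
}

// Put `require 'auth.php'; require_login();` as the first statement of every
// protected page. On failure it redirects and exits, so nothing below the
// call is generated: no data, and no "untidy" empty fields either.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        header('Location: ' . LOGIN_PAGE, true, 302);
        exit;
    }
}

// Compare the submitted password against a hash made with password_hash()
// at provisioning time. Only the hash is stored, never the plaintext.
function password_ok(string $submitted, string $stored_hash): bool
{
    return password_verify($submitted, $stored_hash);
}

// Called by the form-processing page once password_ok() has returned true.
// Regenerating the id stops a session id fixed before login from being reused.
function mark_logged_in(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['logged_in_ok'] = 1;
}

// What the processing page does with a POSTed form. Wrong password: redirect
// back to the login page and emit no content. Right password: mark the
// session and redirect to the protected page, which then passes require_login().
// Typing the processing page's URL directly is therefore harmless.
function handle_login_post(array $post, string $stored_hash, string $next): void
{
    if (!password_ok($post['password'] ?? '', $stored_hash)) {
        header('Location: ' . LOGIN_PAGE . '?failed=1', true, 302);
        exit;
    }
    mark_logged_in();
    header('Location: ' . $next, true, 303);
    exit;
}

// Offline self-check (run with: php auth.php). The hash is constructed here
// for the demo; in deployment it lives in configuration, not in the script.
if (PHP_SAPI === 'cli') {
    $stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    $ok = !is_logged_in([])
        && !is_logged_in(['logged_in_ok' => '1'])   // a loose match must not count
        && is_logged_in(['logged_in_ok' => 1])
        && !password_ok('wrong', $stored)
        && password_ok('correct horse battery staple', $stored);
    echo $ok ? "auth checks ok\n" : "auth checks FAILED\n";
    exit($ok ? 0 : 1);
}
```

Two practical points. `require_login()` must run before the page sends any output (including whitespace before `<?php`), because `header()` cannot redirect once output has started; that is why the reply says to include the check "near the beginning". And the redirect-then-`exit` pair is what removes the empty-fields problem the original poster describes: the rest of the page is never executed for an unauthenticated visitor, so there is nothing to tidy up.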