|
Posted by Richard Lynch on 03/29/05 21:20
On Tue, March 29, 2005 2:52 am, Colin Ross said:
> a couple points on your code...
>
> if something makes it to the session scope, $_SESSION[], it should be
> valid/verified, so why copy them all to a global var? i.e.
> $name = $_SESSION['name'];
I don't want to litter my later code with $_SESSION['name'], basically.
[shrug]
I'm still used to the old register_globals being "ON" so I basically
import the variables I want to use from there they should come from, and
add scrubbing after the logic is right.
I'll be wiping the database and starting fresh from my SQL script after
that, so an SQL injection over the next couple days won't do much.
> why not just type true instead of a var that gets looked up everytime.
> $valid = true;
> secondly... any auth scheme using something like if
> ($_SESSION['valid_user']) is not very strong, and prolly has a big
> hole somewhere... ie.
>
> // $_REQUEST, i.e anything a user can type in the url....
> $username = $_REQUEST['username'];
> $password = $_REQUEST['password'];
> $query = "select client_id, password = password('$password'),
> name, access from client where username = '$username'";
> // this is beggin for a sql injection attack here (although you may
> have magic quotes on, which i don't suggest... do you own escaping...)
Magic quotes is on.
I'll add more scrubbing later.
> // check your SQL syntax, i'd be suprised if that runs like that... should
> be:
> $query = "SELECT client_id, password, name, access FROM `client` WHERE
> `username` = '$username' AND `password` = password($password)";
The SQL is correct, and works just fine.
> <STYLE><?php require 'global.css'?></STYLE>
> -- just use an external style sheet with either an @import or <LINK>
No, thank you.
I don't trust browsers to cache or not cache style sheets correctly, nor
do I feel the need for the extra HTTP connection to get the style sheet.
> <?=date('Y')?>
> -- avoid short open tags, and use a semicolon after every statement
> i.e.
> <?php echo date('Y' ); ?>
Again, I don't care about short open tags not being ON on your server.
They're on for mine, and always will be, and this code is not intended to
ever be ported anywhere.
The semi-colon is optional -- That is a documented feature.
--
Like Music?
http://l-i-e.com/artists.htm
[Back to original message]
|