  1. #1
    SitePoint Wizard (bronze trophy)
    Join Date: Jun 2004

    $_GET: Security? This should be easy...

    Hmm, I want to protect my "Admin section" $_GET[] vars... I started with if statements (commented-out code in the script below) and then I tried the switch... plus a combo of nesting the switch in an if statement... but so far no luck... if I am not logged on, the code goes straight to the default switch...

    Any suggestions?


    PHP Code:
    ///////////////////////////////////////// For admin section:
    if ($_SESSION['logged_in'] == "true") {
        switch ($_GET['action']) {
            case 'reset_don':
                reset_file($txt_file_don);          // Reset don_file.txt file contents.
                break;
            case 'edit_don':
                admin_edit($txt_file_don);          // Edit contents.
                exit();
                break;
            case 'reset_met':
                reset_file($txt_file_met);          // Reset total_met.txt file contents.
                break;
            case 'edit_met':
                admin_edit($txt_file_met);          // Edit contents.
                exit();
                break;
            case 'reset_log':
                reset_file($txt_file_rec);          // Reset don_rec.txt file contents.
                break;
            case 'edit_log':
                admin_edit($txt_file_rec);          // Edit contents.
                exit();
                break;
            case 'reset_grand_ttl':
                reset_file($txt_grand_total);       // Reset grand_total.txt file contents.
                break;
            case 'edit_grand_ttl':
                admin_edit($txt_grand_total);       // Edit contents.
                exit();
                break;
            case 'editnow':
                // The write part of the admin edit form (comma between the arguments was missing).
                write_number($text_data, $the_file);
                break;
            default:
                die(warning("You are not logged in!") . "\n"
                    . "<p>Please <a class='md' href='" . $_SERVER['PHP_SELF'] . "?mode1=login'>Login</a>.</p>\n");
                break;

            // Earlier attempt with plain if statements:
            //if ($_GET['action'] == "reset_don") { reset_file($txt_file_don); } // Reset don_file.txt file contents.
            //if ($_GET['action'] == "edit_don") { admin_edit($txt_file_don); exit(); } // Edit contents.
            //if ($_GET['action'] == "reset_met") { reset_file($txt_file_met); } // Reset total_met.txt file contents.
            //if ($_GET['action'] == "edit_met") { admin_edit($txt_file_met); exit(); } // Edit contents.
            //if ($_GET['action'] == "reset_log") { reset_file($txt_file_rec); } // Reset don_rec.txt file contents.
            //if ($_GET['action'] == "edit_log") { admin_edit($txt_file_rec); exit(); } // Edit contents.
            //if ($_GET['action'] == "reset_grand_ttl") { reset_file($txt_grand_total); } // Reset grand_total.txt file contents.
            //if ($_GET['action'] == "edit_grand_ttl") { admin_edit($txt_grand_total); exit(); } // Edit contents.
            //if ($_GET['action'] == "editnow") { write_number($text_data, $the_file); } // Call to function write_number: The write part of admin edit form.
        } // end switch (closing brace of the if block below was missing)
    }

    Many thanks in advance!

  2. #2
    mudshark (Dinah-Moe Humm)
    Join Date: Dec 2003
    Maybe make your switch-default an else{} outside of the switch (and outside of the if, obviously)?

  3. #3
    firepages (wombat), Perth Australia
    Join Date: Jul 2000
    Currently, if you are not logged in you bypass your switch completely:

    if ($_SESSION['logged_in'] == 'true') {
        // if not logged in this is all ignored!
    } else {
        // so you should die() or redirect here
    }

    Also, is your $_SESSION['logged_in'] set to "true" OR true? There is a big difference!
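    As an added example (not code from the thread), here is the admin block restructured along the lines of replies #2 and #3: the session check runs first and stops the request before any action is dispatched, the comparison is strict (`=== true`, so a string "true" is not accepted), and an unknown or malformed action hits the default. The handler functions and `$txt_*` variables are the ones named in the original post; `LOGIN_URL`, `is_logged_in()` and `admin_action()` are assumed names.

    ```php
    <?php
    // Added example, not the thread's code. Assumed: handler functions reset_file(),
    // admin_edit(), write_number() and the $txt_* variables exist as in the original post.
    const LOGIN_URL = 'admin.php?mode1=login'; // assumed fixed path (avoids echoing PHP_SELF)

    function is_logged_in(array $session): bool
    {
        // Reply #3's point: "true" (string) and true (bool) are different values.
        // Accept the boolean only; set $_SESSION['logged_in'] = true at login time.
        return isset($session['logged_in']) && $session['logged_in'] === true;
    }

    function admin_action(array $get): string
    {
        // ?action[]=x arrives as an array; treat anything that is not a string as "no action".
        return is_string($get['action'] ?? null) ? $get['action'] : '';
    }

    session_start();

    // Authentication is decided BEFORE the action switch (reply #2's else-outside-the-switch),
    // so a request without a valid session never reaches a handler, whatever ?action= says.
    if (!is_logged_in($_SESSION)) {
        header('Location: ' . LOGIN_URL);
        exit();
    }

    // Allow-list of admin actions; anything not listed falls through to default.
    switch (admin_action($_GET)) {
        case 'reset_don':       reset_file($txt_file_don);    break;
        case 'edit_don':        admin_edit($txt_file_don);    exit();
        case 'reset_met':       reset_file($txt_file_met);    break;
        case 'edit_met':        admin_edit($txt_file_met);    exit();
        case 'reset_log':       reset_file($txt_file_rec);    break;
        case 'edit_log':        admin_edit($txt_file_rec);    exit();
        case 'reset_grand_ttl': reset_file($txt_grand_total); break;
        case 'edit_grand_ttl':  admin_edit($txt_grand_total); exit();
        case 'editnow':         write_number($text_data, $the_file); break;
        default:
            // Logged in but the action is unknown: refuse explicitly instead of silently ignoring it.
            http_response_code(400);
            die('Unknown admin action.');
    }
    ```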

