Hmm, I want to protect my "Admin section" $_GET[] vars... I started with if statements (commented-out code in the script below) and then I tried the switch... plus a combo of nesting the switch in an if statement... but so far no luck... if I am not logged on, the code goes straight to the default switch...
Any suggestions?
Many thanks in advance!

PHP Code:

    ///////////////////////////////////////// For admin section:
    if ($_SESSION['logged_in'] == "true") {
        switch($_GET['action']) {
            case 'reset_don':
                reset_file($txt_file_don);
                break;
            case 'edit_don':
                admin_edit($txt_file_don);
                exit();
                break;
            case 'reset_met':
                reset_file($txt_file_met);
                break;
            case 'edit_met':
                admin_edit($txt_file_met); exit();
                break;
            case 'reset_log':
                reset_file($txt_file_rec);
                break;
            case 'edit_log':
                admin_edit($txt_file_rec); exit();
                break;
            case 'reset_grand_ttl':
                reset_file($txt_grand_total);
                break;
            case 'edit_grand_ttl':
                admin_edit($txt_grand_total); exit();
                break;
            case 'editnow':
                write_number($text_data, $the_file);
                break;
            default:
                die(warning("You are not logged in!")."\n"
                    ."<p>"."Please <a class='md' href='".$_SERVER['PHP_SELF']."?mode1=login'>Login</a>."."</p>"."\n");
                break;
            //if ($_GET['action'] == "reset_don") { reset_file($txt_file_don); } // Reset don_file.txt file contents.
            //if ($_GET['action'] == "edit_don") { admin_edit($txt_file_don); exit(); } // Edit contents.
            //if ($_GET['action'] == "reset_met") { reset_file($txt_file_met); } // Reset total_met.txt file contents.
            //if ($_GET['action'] == "edit_met") { admin_edit($txt_file_met); exit(); } // Edit contents.
            //if ($_GET['action'] == "reset_log") { reset_file($txt_file_rec); } // Reset don_rec.txt file contents.
            //if ($_GET['action'] == "edit_log") { admin_edit($txt_file_rec); exit(); } // Edit contents.
            //if ($_GET['action'] == "reset_grand_ttl") { reset_file($txt_grand_total); } // Reset grand_total.txt file contents.
            //if ($_GET['action'] == "edit_grand_ttl") { admin_edit($txt_grand_total); exit(); } // Edit contents.
            //if ($_GET['action'] == "editnow") { write_number($text_data, $the_file); } // Call to function write_number: The write part of admin edit form.
        }
    }
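An added example, not part of the original post: one way to structure the admin gate so the login check runs before any `$_GET['action']` value is looked at, and so only actions on an allow-list can run. `dispatch_admin()`, the `$files` array and the two stand-in handlers are assumptions made so the sketch runs on its own; `reset_file()`, `admin_edit()` and the file names are taken from the post, and the grand-total and `editnow` actions are left out to keep it short.

```php
<?php
// Added example: check the login flag first, then dispatch from an allow-list.
// reset_file() and admin_edit() are named in the post; these stand-ins
// (assumptions) only return a description of the call so the sketch runs alone.
function reset_file(string $f): string { return "reset $f"; }
function admin_edit(string $f): string { return "edit $f"; }

/**
 * Hypothetical helper. Returns [HTTP status, message]. No handler runs unless
 * the session flag is set and the requested action is on the allow-list.
 */
function dispatch_admin(array $session, array $get, array $files): array
{
    // 1. Authorisation gate: strict comparison; a missing key counts as logged out.
    if (($session['logged_in'] ?? null) !== "true") {
        return [403, "You are not logged in!"];
    }

    // 2. Allow-list: action name => [handler, key into $files].
    $actions = [
        'reset_don' => ['reset_file', 'don'],
        'edit_don'  => ['admin_edit', 'don'],
        'reset_met' => ['reset_file', 'met'],
        'edit_met'  => ['admin_edit', 'met'],
        'reset_log' => ['reset_file', 'rec'],
        'edit_log'  => ['admin_edit', 'rec'],
    ];
    $action = $get['action'] ?? '';
    // ?action[]=x arrives as an array, so reject anything that is not a string.
    if (!is_string($action) || !isset($actions[$action])) {
        return [400, "Unknown action"];
    }
    [$handler, $key] = $actions[$action];
    return [200, $handler($files[$key])];
}

// Constructed inputs standing in for $_SESSION and $_GET.
$files = ['don' => 'don_file.txt', 'met' => 'total_met.txt', 'rec' => 'don_rec.txt'];
$cases = [
    [[], ['action' => 'reset_don']],                       // not logged in
    [['logged_in' => "true"], ['action' => 'reset_don']],  // allowed
    [['logged_in' => "true"], ['action' => 'drop_all']],   // not on the list
    [['logged_in' => "true"], ['action' => ['x']]],        // array, not a string
];
foreach ($cases as [$session, $get]) {
    [$status, $msg] = dispatch_admin($session, $get, $files);
    echo $status, " ", $msg, PHP_EOL;
}
```

In a real script the function would be called with `$_SESSION` and `$_GET` after `session_start()` has run, with the 403 branch producing the login prompt and the 400 branch handling unknown actions.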




