Author Topic: PHP Question

Canuck

PHP Question
« on: September 24, 2007, 07:10:48 PM »
I'm working on a site where a user has to be logged in to access most of the site.

Code:
if (is_authed()) {
    include("change_email_form.php");
} else {
    include("login_form.php");
}


I have PHP code as above. I check if the user is authorized to view the change_email_form; if so it will be displayed, if not, I prompt the user with the login_form.

My issue is this: since I include the form as above, if I know the URL, I can go directly to the form, and it is strictly an HTML form, no CSS, nothing. Can I set the permission on the form files so that if someone somehow guesses the URL to the form it won't be displayed? Other suggestions?

Thanks

micah

Re: PHP Question
« Reply #1 on: September 24, 2007, 07:54:32 PM »
on the page with the form itself you need to check if the user is allowed to see that page.

Code:
<?php

...
// is_authed() is your own login check, defined elsewhere
if (!is_authed()) {
    exit("I don't know how you found this page, but you shouldn't be here.");
}
?>

...
rest of your html page

"I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.  I use it to look at pictures of cats and get in arguments with strangers."

Canuck

Re: PHP Question
« Reply #2 on: September 24, 2007, 08:36:08 PM »
authed() checks if they are logged in. If they are logged in and get to the form, they would still only see the form, which I don't want.

Thanks

webwhy

Re: PHP Question
« Reply #3 on: September 24, 2007, 09:23:15 PM »
I usually run through some sort of front controller or "outershell" that handles all auth checks... the front controller pulls the side code in from outside the web root through includes and requires. I usually add the include folder to the PHP include path...

But if your app is only a couple of pages, you could do an auth check at the top of the file that contains the change email form... if this doesn't work in your situation, I can supply code that maybe explains the front controller concept.

Code:
<?php
define('UNAUTH_PAGE', 'login_form.php');

// send the browser elsewhere and stop rendering this page
function redirect($url) {
    header("Location: $url");
    exit;
}

// is_authed() is your own login check, defined elsewhere
if (is_authed() == false) {
    redirect(UNAUTH_PAGE);
}
?>

<h2>Change Email</h2>
etc

Mike

Re: PHP Question
« Reply #4 on: September 24, 2007, 10:36:12 PM »
Personally I like SMF's method for handling this issue.

At the top of index.php (the only entry point)
Code:
define('SMF', 1);

At the top of the Source pages (which should never be accessed directly)
Code:
if (!defined('SMF'))
    die('Hacking attempt...');

Easy cheesy.
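Putting webwhy's front-controller layout and Mike's constant guard together, as an added example that is not code from anyone in this thread: the directory layout, route names and session check are assumed, and the listing shows two separate files (the entry point under the web root and one page file outside it) in a single block.

```php
<?php
// ---- /var/www/public/index.php : the only file under the document root ----
// Assumed layout; page files live in /var/www/app/pages, outside the web root,
// so the web server cannot serve them directly no matter what URL is guessed.
define('APP_ENTRY', 1);                  // SMF-style marker, checked by every page
const PAGE_DIR = '/var/www/app/pages';

// Route names map to files; the include path is never built from raw input,
// so a crafted ?page= value cannot point at anything outside PAGE_DIR.
const PAGES = [
    'change_email' => 'change_email_form.php',
    'login'        => 'login_form.php',
];

function is_authed(): bool {
    return !empty($_SESSION['user_id']);  // assumed session check
}

function render_page(string $name): void {
    if (!array_key_exists($name, PAGES)) {
        http_response_code(404);
        exit('Unknown page');
    }
    require PAGE_DIR . '/' . PAGES[$name];
}

session_start();
$requested = $_GET['page'] ?? 'change_email';
if ($requested !== 'login' && !is_authed()) {  // one central auth decision
    $requested = 'login';
}
render_page($requested);
?>

<?php
// ---- /var/www/app/pages/change_email_form.php ----
// Defence in depth: even if this file is ever reachable by URL, it refuses
// to render unless execution started in the front controller above.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}
?>
<h2>Change Email</h2>
<form method="post" action="index.php?page=change_email">
  <input type="email" name="new_email">
  <button type="submit">Update</button>
</form>
```

Keeping the page files outside the document root is what actually stops a guessed URL; the APP_ENTRY check is the backstop for the day someone copies them somewhere web-accessible.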

Canuck

Re: PHP Question
« Reply #5 on: September 25, 2007, 06:24:20 PM »
Thank you webwhy and Mike for the suggestions.

Mike's solution is quick and easy!