html - It it safe to do this in php? -


i new php, , want know if safe this...
have login system protect few pages.

  1. is possible hacker change value of $logged_in?
  2. is safe?
  3. if isn't. best way it?

files:
- not_logged_in.php
- test.php
- login.php
- logout.php
- protected_page_1
- protected_page_2
- unprotected_page_1

code:

not_logged_in.php:

<html>     not logged in! </html>


test.php:

<?php  $logged_in = false;  function protect_page() {     if($logged_in == false) {         header('location: index.php');         exit();     } }   ?>


login.php:

<?php  include "test.php"; $logged_in = true;  ?>


logout.php:

<?php  include "test.php"; $logged_in = false;  ?>


protected_page_1.php:

<?php  include "test.php"; protect_page();   ?>   <html>      content  </html>


protected_page_2:

<?php  include "test.php"; protect_page();   ?>   <html>      content  </html>


unprotected_page_1:

<html>      content  </html>

i understand login.php page logs in , don't have give in password, testing currently...

thanks reading!

i think way of using $logged_in variable loose.

i suggest make use of sessions.

session.php:

<?php session_start();  // start on top of page before output  if(!isset($_session['loggedin'])) {   $_session['loggedin'] = false; }  function loggedin() {    return $_session['loggedin']; }  ?>

and in page protected content.

<?php     include 'session.php';      if(!logged_in()) {        include 'login.php';        exit();     }     // info ?>

login.php have form log in. (and $_session['loggedin'] = true; every page include session.php.


Comments

Post a Comment

Popular posts from this blog

PHP and MySQL WP -

i trying accomplish 2 things here code. writing php directly wp page using insert php plugin. 1) query mysql database , return results 1 column 4 columns. 2) make each result own hyperlink directs user new wp page runs new query on page. i able query show results , turn results dynamic hyperlink, cannot formatting down. right returns result 1 column. here have: [insert_php] $servername = "localhost"; $username = "login"; //edited privacy $password = "password"; //edited privacy $database = "database"; //edited privacy // create connection $conn = new mysqli($servername, $username, $password, $database); // check connection if ($conn->connect_error) { die("connection failed: " . $conn->connect_error); } echo "connected successfully"; //get results database $result = mysqli_query($conn,"select mine mines order mine"); $all_property = array(); //declare array saving property //showing proper...
Read more

android - InAppBilling registering BroadcastReceiver in AndroidManifest -

i'm implementing inapp billing in android app. works well, however, i'm trying decouple broadcast receiver activity manifest. suggestion in android's trivialdrive sample: // important: dynamically register broadcast messages updated purchases. // register receiver here instead of <receiver> in manifest // because call getpurchases() @ startup, therefore can ignore // broadcasts sent while app isn't running. // note: registering listener in activity bad idea, done here // because sample. regardless, receiver must registered after // iabhelper setup, before first call getpurchases(). currently there's class extends broadcastreceiver : public class iabbroadcastreceiver extends broadcastreceiver { /** * intent action receiver should filter for. */ public static final string action = "com.android.vending.billing.purchases_updated"; private final iabbroadcastlistener mlistener; public iabbroadcastreceiver(iabbroadcastlistener listener) { m...
Read more

go - golang pprof for c library code -

i have been trying profile golang application pprof, seems details of c code(linked static library) missed in output result. flame graph from frame graph can see c code time consuming reported within "runtime._externalcode", no details @ all. , sure static library compiled debug enable. so there way make pprof details(like stack trace) of 3rd party c code? or there other golang profiling tool this?
Read more