PHP security with arrays

duffsstuff
post 21 Jul, 2007 - 09:26 PM
Post #1

I need help getting this code right. I am not sure if I am using the array properly in the if statement.

This code is to make sure the user is doing an appropriate action and not screwing with other files. A basic security measure, but effective against noob hackers.

CODE

// security: what are the possible actions ( p_actions )
$p_actions = array ( 'login' , 'logout' , 'create_account' , 'profile' , 'edit_profile' , 'members' );

// security: make sure the user is only requesting possible actions
// (note: this compares the request string against the whole array)
if ( $_GET['name'] != $p_actions )
{
    die('Your request could not be completed');
}
else // if they are let them see the page
{
    // braces are needed to interpolate a quoted array key inside a double-quoted string;
    // require already aborts the script if the file cannot be loaded
    require "members/{$_GET['name']}.php";
}


If you need any more information don't hesitate to ask.

no2pencil
post 21 Jul, 2007 - 09:35 PM
Post #2

The code that you have would compare what they have against the entire array. I would think that you would need to loop it.

CODE

// security: what are the possible actions ( p_actions )
$p_actions = array ( 'login' , 'logout' , 'create_account' , 'profile' , 'edit_profile' , 'members' );

$match = 0;
// security: make sure the user is only requesting possible actions
// (loop over every element instead of a hard-coded upper bound)
for ( $i = 0; $i < count($p_actions); $i++ ) {
    if ( $_GET['name'] == $p_actions[$i] ) $match = 1;
}
if ( $match != 1 )
{
    die('Your request could not be completed');
}
else // if they are let them see the page
{
    // braces are needed to interpolate a quoted array key inside a double-quoted string;
    // require already aborts the script if the file cannot be loaded
    require "members/{$_GET['name']}.php";
}

duffsstuff
post 21 Jul, 2007 - 09:39 PM
Post #3

That is what I was considering, but it uses more code than I want to. If anyone knows any other ways to do the same thing in fewer lines, let me know.

Just to let you know: cramming it all into one line doesn't help.

serializer
post 24 Jul, 2007 - 08:07 AM
Post #4

There are a plethora of array functions which you can read about on the php.net site: http://www.php.net/array

In most scenarios one of these functions will do the job. I think here you want to use array_search:

CODE

// array_search returns the index of the match, or false if there is none
if ( array_search($_GET['name'], $p_actions) === false ) {
    die('Security breach');
}
else {
    ...
}


Note the use of the === operator (absolute equals). The reason for this is that array_search returns the key of the matching array element, or false if it's not found. So if $_GET['name'] == 'login', then array_search will return 0. This is why we have to test for === false: if the result is 0 then it is not a security breach, but the ordinary == operator sees 0 and false as the same thing, whereas === makes the correct distinction.

Sorry, my explanation got a little long-winded then, did that all make sense?

--serializer


Styx
post 24 Jul, 2007 - 09:34 AM
Post #5

Use in_array:
if (in_array($_GET['name'], $p_actions))
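The two answers above (serializer's array_search with === false, and Styx's in_array) both amount to checking the request value against a whitelist. The script below is an added example, not code posted in this thread, that puts the whitelist to work the way a defender would want it: the request value is type-checked before comparison, the comparison is strict, and the allowed action is mapped to a fixed file name so the user-supplied string is never spliced into a path. The function names, the ACTION_FILES map and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example: whitelist dispatch for $_GET['name'] (not from the thread).
// The action list mirrors the thread's $p_actions; the file names are assumed.
const ACTION_FILES = [
    'login'          => 'members/login.php',
    'logout'         => 'members/logout.php',
    'create_account' => 'members/create_account.php',
    'profile'        => 'members/profile.php',
    'edit_profile'   => 'members/edit_profile.php',
    'members'        => 'members/members.php',
];

/**
 * Return the script to include for $name, or null if it is not an allowed action.
 * $name is whatever arrived as $_GET['name']: it may be a string, an array
 * (?name[]=x) or null (parameter absent), so the type is checked first.
 */
function resolve_action($name): ?string
{
    if (!is_string($name)) {
        return null;
    }
    // Third argument true = strict comparison, so no type juggling happens
    // between the request value and the whitelist entries.
    if (!in_array($name, array_keys(ACTION_FILES), true)) {
        return null;
    }
    // The file name comes from the map, never from the request string itself.
    return ACTION_FILES[$name];
}

/**
 * The same check written with array_search, to show serializer's point:
 * 'login' sits at index 0, and 0 == false in PHP, so a loose test would
 * reject the first allowed action. The === keeps 0 and false apart.
 */
function is_allowed_action($name): bool
{
    if (!is_string($name)) {
        return false;
    }
    $pos = array_search($name, array_keys(ACTION_FILES), true);
    return $pos !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs standing in for $_GET['name'].
    $samples = ['login', 'edit_profile', '../../etc/passwd', 'admin', ['x'], null];
    foreach ($samples as $input) {
        $file = resolve_action($input);
        printf("%-24s in_array: %-8s array_search: %-5s -> %s\n",
            str_replace("\n", '', var_export($input, true)),
            $file === null ? 'rejected' : 'ok',
            is_allowed_action($input) ? 'true' : 'false',
            $file === null ? 'no include' : "include $file");
    }
} else {
    // Web request: dispatch exactly as the thread intends, using the resolved file.
    $file = resolve_action($_GET['name'] ?? null);
    if ($file === null) {
        http_response_code(400);
        die('Your request could not be completed');
    }
    require $file; // require aborts the script on its own if the file is missing
}
```

Run from the command line it prints the verdict for each constructed input ('login' passes both checks even though it is at index 0; the traversal string, the unknown action, the array and the missing parameter are all rejected); served by a web server it performs the include. Mapping actions to file names, rather than interpolating the validated string into the path, means a future change to the whitelist cannot accidentally reopen the include to arbitrary paths.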

duffsstuff
post 25 Jul, 2007 - 06:01 AM
Post #6

Thanks. It all made sense.