Managing PHP scripts for multiple User Profiles...

rlogin
Forum Newbie
Posts: 19
Joined: Fri Oct 18, 2002 2:39 am


Post by rlogin »

Hi,
I am working on a PHP application and I have the following question.
The post is long, please bear with me.
I have multiple user profiles for the application, like ordinary user, Administrator etc.
Now presently I have a separate directory for each user profile and the same PHP scripts for each of the profiles. The difference in the functionality for each profile is built into these scripts.
Example:
There are "/administrator/profile.php" as well as "/ordinaryuser/profile.php" with small changes in each of the profile.php scripts.

At the time of login, I check which profile the user belongs to and direct him to the appropriate directory until logout.
This enables me to take down and build further functionality into any of the user profiles i desire.
My question is as follows:
Until now in my testing I have not found any problem with functionality and profile management. But will I have any problem with this way of doing things, especially when the application is in production?
I am particularly concerned about having the same variable names in all the various profile scripts.

Will this lead PHP to confuse the variables of the various profiles?
Any clarification, suggestion or information will be highly appreciated.
Rgds...
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

Is this a problem with register globals...
Try reading this:-

viewtopic.php?t=511
mydimension
Moderator
Posts: 531
Joined: Tue Apr 23, 2002 6:00 pm
Location: Lowell, MA USA

Post by mydimension »

If the two different profile.php scripts don't interact with each other, then getting variables confused shouldn't be a problem.
rlogin
Forum Newbie
Posts: 19
Joined: Fri Oct 18, 2002 2:39 am

Post by rlogin »

Thnx & Rgds
horgh
Forum Newbie
Posts: 23
Joined: Mon Oct 21, 2002 9:50 am
Location: GER

Post by horgh »

What if the ordinary user gets to know about the administrator's directory?! Isn't it easy then to redirect his links to the admin's directory?! ...might be a security problem...
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Well, seeing as how when you redirect a site, you are usually (hopefully) redirecting to a PHP page that is actually going to want you to provide it with information before it will actually let you view/load the page.

In other words, let's say that we are redirecting bob ( after a successful login/password entry ) to admin.php.

If they actually have the SQL database set up correctly, they will have bob assigned a security level to determine what type of user he is (i.e., if bob has a security level of 1 (admin), then load the page, otherwise show the message "sorry, you do not fit this profile").

I currently use this method, and made a post with an included script that will show you how this works to the best advantage. I tried *hacking* or *rescripting* to gain access, but it's impossible to do, unless the user that is doing this knows your SQL structure, your PHP code, and the required information to enter the site, in which case you would already be in a world of trouble anyway, because at this point we would assume they already have access to the directory where all this sensitive information is stored... ;)


edit: here is the link btw : viewtopic.php?t=3649&highlight=
rlogin
Forum Newbie
Posts: 19
Joined: Fri Oct 18, 2002 2:39 am

Post by rlogin »

Interesting point.
If the redirection to the profile directory is not done properly, then it is possible to move into a different profile directory from one.

I am first validating the username and password.
Then I redirect to a profile directory.
But in each directory I check if the user is coming from the right directory or not...
If not, then I don't permit him...
I have seen this working perfectly in my application.

Can somebody share if there are any other ways of managing profiles?
How do I do it at the database level?
Rgds
horgh
Forum Newbie
Posts: 23
Joined: Mon Oct 21, 2002 9:50 am
Location: GER

Post by horgh »

You check that with the HTTP_REFERER header info (dunno how it's called exactly)? I heard that it's easy to spoof header information... never use it for security reasons...
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

http://www.php.net/manual/en/reserved.variables.php
Server variables: $_SERVER
Note: Introduced in 4.1.0. In earlier versions, use $HTTP_SERVER_VARS.
...
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
(emphasis added)

I'm not getting tired of pointing to this article ;)
Prevent Hotlinking with Apache Server Rewrite Module
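One way to do the check "at the database level" that rlogin asks about, without relying on HTTP_REFERER, shown as an added example (not code posted by anyone in this thread). It assumes a PDO connection $pdo and a users table with columns id and security_level (1 = admin, 2 = ordinary user); those table and column names are assumptions, not from the thread.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO) and a users table
// with columns id, security_level (1 = admin, 2 = ordinary user).
session_start();

const LEVEL_ADMIN = 1;
const LEVEL_USER  = 2;

// WEAK: deciding by directory plus HTTP_REFERER. The referer is set by the
// client and may be missing or arbitrary, so it proves nothing about the
// user's role. Shown only for contrast with the check below.
function referer_check_is_weak(): bool
{
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    return str_contains($ref, '/administrator/');   // do not rely on this
}

// STRONG: the role is read from the database on every request, keyed by the
// user id stored in the server-side session at login (never by a value the
// client supplies in a URL, cookie or header).
function current_user_level(PDO $pdo): ?int
{
    if (empty($_SESSION['user_id'])) {
        return null;                        // not logged in
    }
    $stmt = $pdo->prepare('SELECT security_level FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $level = $stmt->fetchColumn();
    return $level === false ? null : (int) $level;
}

// Call this at the top of every script in /administrator/ (and with
// LEVEL_USER in /ordinaryuser/). Typing the other directory's URL gains
// nothing: the decision does not depend on which directory the script lives
// in or on where the browser claims to have come from.
function require_level(PDO $pdo, int $required): void
{
    $level = current_user_level($pdo);
    if ($level === null) {
        header('Location: /login.php');
        exit;
    }
    if ($level !== $required) {
        http_response_code(403);
        exit('Sorry, you do not fit this profile.');
    }
}

// Usage at the top of /administrator/profile.php ($pdo from a shared include):
require_level($pdo, LEVEL_ADMIN);
```

At login, store only the user's id in $_SESSION after the password check; the role is then re-read from the database on each page, so a change of security level takes effect without waiting for logout.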
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

Yeah, this is very true, but then again, truthfully, what other way is there? Again, as I said before, redirection only happens when something holds true, in this case if the username is directed to an administrative security level instead of a regular user level. Even if they do try to change the redirection header, the next page checks to make sure they are of the correct security clearance, and thus determines whether they accessed this page incorrectly or are legit.

Dunno, I do agree, however, that either way it's still vulnerable. But of the majority of hackers/crackers/script kiddies out there in the world, only about 1-3% of them are actually going to be able to use this flaw, in which case that same 1-3% may not even need to use this means in order to take you down in the first place ;) heh, dunno though, simple fact is, nothing is truthfully secure. It just depends on whether the attacker is familiar with the way you are securing things as to whether he can access it or not 8)