Managing PHP scripts for multiple User Profiles...
Hi,
I am working on a PHP application and I have the following question.
The post is long please bear with me.
I have multiple user profiles for the application like ordinary user, Administrator etc.
Now presently I have a separate directory for each user profile and the same PHP scripts for each of the profiles. The difference in the functionality for each profile is built into these scripts.
Example:
There are "/administrator/profile.php" as well as "/ordinaryuser/profile.php" with small changes in each of the profile.php scripts.
At the time of login, i check which profile the user belongs to and direct him to the appropriate directory till logout.
This enables me to take down and build further functionality into any of the user profiles i desire.
My question is as follows:
Till now in my testing I have not found any problem with functionality and profile management. But will I have any problem with this way of doing things? Especially when the application is in production?
I am particularly concerned about having the same variable names in all the various profile scripts.
Will this lead PHP to confuse between variables of various profiles?
Any clarification, suggestion or information will be highly appreciated.
Rgds...
- mydimension
- Moderator
- Posts: 531
- Joined: Tue Apr 23, 2002 6:00 pm
- Location: Lowell, MA USA
- Contact:
well, seeing as how when you redirect a site, you are usually ( hopefully ) redirecting to a php site that is actually going to want you to provide it with information, before it will actually let you view/load the page.
In other words, let's say that we are redirecting bob ( after a successful login/password entry ) to admin.php.
If they actually have the sql database setup correctly, they will have bob assigned a security level to determine what type of user he is ( ie, if bob has a security level of 1 ( admin ), then load page, otherwise, show message "sorry, you do not fit this profile" ).
I currently use this method, and made a post with included script that will show you how this works to the best advantage. I tried *hacking* or *rescripting* to gain access, but it's impossible to do, unless the user that is doing this knows your sql structure, your php code, and required information to enter site, in which case, you would already be in a world of trouble anyways, because at this point, we would assume they already have access to your directory where all this sensitive information is stored...
edit: here is the link btw : viewtopic.php?t=3649&highlight=
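The security-level check described in the reply above, written out as an added example (this is not mydimension's linked script and not the original poster's code). It also answers the opening question about duplicated profile.php files: one shared gate file, required at the top of every protected page, replaces the per-directory copies, and the role comes from the database row loaded at login rather than from the directory the user was sent to. Assumptions: a `users(username, password_hash, security_level)` table, stood in for here by an in-memory SQLite database with constructed accounts, and a session array passed explicitly instead of `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example, not code from the thread. One shared gate file instead of a
// per-directory copy of profile.php; the role comes from the database row
// loaded at login. Assumed table: users(username, password_hash, security_level).

const LEVEL_ADMIN = 1;   // mirrors "security level of 1 ( admin )" in the reply
const LEVEL_USER  = 2;

// Constructed in-memory database standing in for the real users table.
function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        username       TEXT PRIMARY KEY,
        password_hash  TEXT NOT NULL,
        security_level INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO users VALUES (:u, :h, :l)');
    // Constructed demo accounts; real hashes come from registration.
    $ins->execute([':u' => 'bob',   ':h' => password_hash('bob-secret', PASSWORD_DEFAULT),   ':l' => LEVEL_ADMIN]);
    $ins->execute([':u' => 'alice', ':h' => password_hash('alice-secret', PASSWORD_DEFAULT), ':l' => LEVEL_USER]);
    return $db;
}

// Login: verify the password against the stored hash, then copy the stored
// security level into the session data. Returns null on failure. In the web
// version the returned array goes into $_SESSION after session_start() and
// session_regenerate_id(true).
function login(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT password_hash, security_level FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;   // unknown user or wrong password
    }
    return ['username' => $username, 'level' => (int) $row['security_level']];
}

// The gate each protected page runs first. The page states the level it
// needs; the decision ignores which directory or Referer the request came from.
function require_level(?array $session, int $required): bool {
    return $session !== null && $session['level'] === $required;
}

// Walk through the scenario from the thread with the constructed accounts.
$db    = open_demo_db();
$bob   = login($db, 'bob', 'bob-secret');
$alice = login($db, 'alice', 'alice-secret');
$bad   = login($db, 'bob', 'wrong-password');

$deny = 'sorry, you do not fit this profile';
printf("bob   -> admin page : %s\n", require_level($bob,   LEVEL_ADMIN) ? 'load page' : $deny);
printf("alice -> admin page : %s\n", require_level($alice, LEVEL_ADMIN) ? 'load page' : $deny);
printf("alice -> user page  : %s\n", require_level($alice, LEVEL_USER)  ? 'load page' : $deny);
printf("failed login -> admin: %s\n", require_level($bad, LEVEL_ADMIN)  ? 'load page' : $deny);
```

Because every protected page calls `require_level()` itself, it does not matter which URL a user types or which directory a redirect pointed at: a user whose session carries the ordinary level is refused by the admin page regardless of how the request arrived. That also makes the variable-name worry from the opening post moot; each request runs in its own scope, and with a single code base there are no parallel copies of the same variables to confuse.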
Interesting point.
If the redirection to the profile directory is not done properly, then it is possible to move into a different profile directory from one.
I am first validating the username and password.
Then redirect to a profile directory.
But in each directory I check if the user is coming from the right directory or not...
If not, then don't permit him...
I have seen this working perfectly in my application.
Can somebody share if there are any other ways of managing profiles?
How do i do it at the database level?
Rgds
http://www.php.net/manual/en/reserved.variables.php
I'm not getting tired of pointing to this article
Prevent Hotlinking with Apache Server Rewrite Module
(emphasis added) Server variables: $_SERVER
Note: Introduced in 4.1.0. In earlier versions, use $HTTP_SERVER_VARS.
...
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
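To make the manual's warning concrete, here is an added example (not code from the thread or from the linked article) that runs two gates over the same constructed requests to /administrator/profile.php: a Referer-based gate matching "check if the user is coming from the right directory", and a gate that looks only at the server-side session role set at login. The `$server` and `$session` arrays are constructed stand-ins for `$_SERVER` and `$_SESSION`; the role names are the thread's directory names. Requires PHP 8 for `str_starts_with()`.

```php
<?php
// Added example, not from the thread. Two gates applied to identical requests
// for /administrator/profile.php. Arrays stand in for $_SERVER and $_SESSION.

// Gate 1: trust the directory named in the Referer header. The client sends
// this header, so the server only learns what the client chose to say.
function referer_allows(array $server, string $expectedDir): bool {
    $ref  = $server['HTTP_REFERER'] ?? '';
    $path = (string) (parse_url($ref, PHP_URL_PATH) ?: '');
    return str_starts_with($path, $expectedDir);
}

// Gate 2: trust only the role recorded in the server-side session at login.
function session_allows(?array $session, string $requiredRole): bool {
    return $session !== null && ($session['role'] ?? null) === $requiredRole;
}

// Constructed requests. The second one is an ordinary user whose client sent
// a Referer header naming the administrator directory; the third is a real
// administrator whose browser sent no Referer at all.
$requests = [
    'admin, normal navigation' => [
        'server'  => ['HTTP_REFERER' => 'http://example.com/administrator/index.php'],
        'session' => ['user' => 'bob', 'role' => 'administrator'],
    ],
    'ordinary user, client-supplied Referer' => [
        'server'  => ['HTTP_REFERER' => 'http://example.com/administrator/index.php'],
        'session' => ['user' => 'alice', 'role' => 'ordinaryuser'],
    ],
    'admin, browser sent no Referer' => [
        'server'  => [],
        'session' => ['user' => 'bob', 'role' => 'administrator'],
    ],
];

foreach ($requests as $label => $r) {
    printf("%-42s referer gate: %-5s  session gate: %s\n",
        $label,
        referer_allows($r['server'], '/administrator/') ? 'allow' : 'deny',
        session_allows($r['session'], 'administrator') ? 'allow' : 'deny');
}
```

Running it shows the two failure modes the manual text describes: the Referer gate admits the ordinary user whose client named the administrator directory, and it turns away the genuine administrator whose browser simply did not send the header, while the session gate gets both cases right. The safe reading of "is the user coming from the right directory" is therefore "does the session I issued at login carry the right role".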
yeah, this is very true, then again, truthfully, what other way is there? Again, as I said before, redirection only happens when something is held true, in this case, if the username is directed to a administrative security level instead of a regular user level. Even if they do try and change the redirection header, the next page checks to make sure they are of the correct security clearance, and thus determines if they accessed this page incorrectly, or if they are legit.
Dunno, I do agree, however, that either way, it's still vulnerable. But the majority of hackers/crackers/script kiddies in the world out there, only about 1-3% of them are actually going to be able to use this flaw, in which case, that same 1-3% may not even need to use this means in order to take you down in the first place
heh, dunno though, simple fact is, nothing is truthfully secure. It's just according to if the attacker is familiar with the way you are securing things as to if he can access it or not 