Managing PHP scripts for multiple User Profiles...
Posted: Fri Oct 18, 2002 2:39 am
by rlogin
Hi,
I am working on a PHP application and I have the following question.
The post is long, please bear with me.
I have multiple user profiles for the application like ordinary user, Administrator etc.
Presently I have a separate directory for each user profile and the same PHP scripts in each of them. The difference in functionality for each profile is built into these scripts.
Example:
There are "/administrator/profile.php" as well as "/ordinaryuser/profile.php" with small changes in each of the profile.php scripts.
At the time of login, I check which profile the user belongs to and direct him to the appropriate directory till logout.
This enables me to take down and build further functionality into any of the user profiles i desire.
My question is as follows:
Till now in my testing I have not found any problem with functionality and profile management. But will I have any problem with this way of doing things, especially when the application is in production?
I am particularly concerned about having the same variable names in all the various profile scripts.
Will this lead PHP to confuse the variables of the various profiles?
Any clarification, suggestion or information will be highly appreciated.
Rgds...
Posted: Sat Oct 19, 2002 7:44 am
by Takuma
Is this a problem with register globals...
Try reading this:-
viewtopic.php?t=511
Posted: Sat Oct 19, 2002 9:15 am
by mydimension
If the two different profile.php scripts don't interact with each other, then getting variables confused shouldn't be a problem.
Posted: Mon Oct 21, 2002 1:21 am
by rlogin
Thnx & Rgds
Posted: Mon Oct 21, 2002 10:08 am
by horgh
what if the ordinary user gets to know about the administrator's directory ?! isn't it easy then to redirect his links to the admin's directory ?! ...might be a security problem...
Posted: Mon Oct 21, 2002 1:51 pm
by infolock
Well, when you redirect a site, you are usually (hopefully) redirecting to a PHP page that is going to want you to provide it with information before it will actually let you view/load the page.
In other words, let's say that we are redirecting bob (after a successful login/password entry) to admin.php.
If they actually have the SQL database set up correctly, they will have bob assigned a security level to determine what type of user he is (i.e., if bob has a security level of 1 (admin), then load the page; otherwise show the message "sorry, you do not fit this profile").
I currently use this method, and made a post with an included script that will show you how this works to the best advantage. I tried *hacking* or *rescripting* to gain access, but it's impossible to do, unless the user that is doing this knows your SQL structure, your PHP code, and the information required to enter the site, in which case you would already be in a world of trouble anyway, because at this point we would assume they already have access to the directory where all this sensitive information is stored...
edit: here is the link btw:
viewtopic.php?t=3649&highlight=
Posted: Tue Oct 22, 2002 11:25 pm
by rlogin
Interesting point.
If the redirection to the profile directory is not done properly, then it is possible to move into a different profile directory from one.
I am first validating the username and password.
Then I redirect to a profile directory.
But in each directory I check if the user is coming from the right directory or not...
If not, then I don't permit him...
I have seen this working perfectly in my application.
Can somebody share if there are any other ways of managing profiles?
How do I do it at the database level?
Rgds
Posted: Wed Oct 23, 2002 12:47 am
by horgh
You check that with the HTTP REFERER header info (dunno how it's called exactly)? I heard that it's easy to spoof header information... never use it for security reasons...
Posted: Wed Oct 23, 2002 3:11 am
by volka
http://www.php.net/manual/en/reserved.variables.php
Server variables: $_SERVER
Note: Introduced in 4.1.0. In earlier versions, use $HTTP_SERVER_VARS.
...
'HTTP_REFERER'
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
(emphasis added)
I'm not getting tired of pointing to this article
Prevent Hotlinking with Apache Server Rewrite Module
Posted: Wed Oct 23, 2002 4:59 pm
by infolock
Yeah, this is very true, but then again, truthfully, what other way is there? As I said before, redirection only happens when something holds true, in this case if the username is directed to an administrative security level instead of a regular user level. Even if they do try and change the redirection header, the next page checks to make sure they are of the correct security clearance, and thus determines if they accessed this page incorrectly or if they are legit.
Dunno, I do agree, however, that either way it's still vulnerable. But of the majority of hackers/crackers/script kiddies out there, only about 1-3% of them are actually going to be able to use this flaw, in which case that same 1-3% may not even need to use this means in order to take you down in the first place.

Heh, dunno though, the simple fact is nothing is truthfully secure. It just comes down to whether the attacker is familiar with the way you are securing things as to whether he can access it or not.
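The thread converges on two points: infolock's "every page re-checks the user's security level" and volka's "HTTP_REFERER is set by the client and cannot be trusted". The following is an added example, not code from any poster in this thread, showing both side by side in modern PHP (8+ assumed, for `password_hash` and `str_contains`). The user table, the usernames, the passwords and the forged Referer value are all constructed for the demo; a real application would read the role from its users table and the session from `$_SESSION` after `session_start()`.

```php
<?php
// Added example, not from the thread. The role is decided once at login,
// stored server-side in the session, and re-checked at the top of every
// protected script. Nothing the client sends (directory in the URL,
// HTTP_REFERER, hidden form field) is used to carry the role.
declare(strict_types=1);

const ROLE_USER  = 'user';
const ROLE_ADMIN = 'admin';

// Constructed stand-in for a users table: username => password hash + role.
// In a real application this comes from the database.
function user_table(): array
{
    return [
        'bob'   => ['hash' => password_hash('bob-secret',   PASSWORD_DEFAULT), 'role' => ROLE_USER],
        'alice' => ['hash' => password_hash('alice-secret', PASSWORD_DEFAULT), 'role' => ROLE_ADMIN],
    ];
}

// The weak check discussed in the thread: trusts the Referer header, which
// the user agent sets and can set to anything.
function referer_allows_admin(array $server): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    return str_contains($referer, '/administrator/');
}

// Login: verify the password, then record identity and role in the session.
// $session stands in for $_SESSION so the demo runs from the CLI.
function login(array &$session, array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return false;
    }
    $session['user'] = $name;
    $session['role'] = $users[$name]['role'];
    return true;
}

// Per-page guard: call this at the top of every script in the admin area.
// In a real page:  session_start();
//                  if (!require_role($_SESSION, ROLE_ADMIN)) { http_response_code(403); exit; }
function require_role(array $session, string $needed): bool
{
    return isset($session['role']) && $session['role'] === $needed;
}

// Demo with constructed data.
$users   = user_table();
$session = [];

// Bob logs in as an ordinary user with the correct password...
login($session, $users, 'bob', 'bob-secret');

// ...then requests an admin script with a forged Referer that claims he
// arrived from the administrator directory.
$forgedRequest = ['HTTP_REFERER' => 'http://example.test/administrator/index.php'];

echo 'Referer-based check lets bob in: ',
     referer_allows_admin($forgedRequest) ? 'yes' : 'no', PHP_EOL;
echo 'Session-role check lets bob in:  ',
     require_role($session, ROLE_ADMIN) ? 'yes' : 'no', PHP_EOL;

// Alice, whose stored role is admin, passes the session check without any
// Referer at all.
$adminSession = [];
login($adminSession, $users, 'alice', 'alice-secret');
echo 'Session-role check lets alice in: ',
     require_role($adminSession, ROLE_ADMIN) ? 'yes' : 'no', PHP_EOL;
```

The point of the comparison is that the Referer check and the directory check both ask the client where it came from, while `require_role()` asks the server what it already knows about the authenticated user. Once the role lives in the session, the separate per-profile directories stop being a security boundary and become an organisational choice, which also answers rlogin's original worry about shared variable names: scripts in different directories never share scope, so the only state that crosses pages is what you deliberately put in the session.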
