register_globals and query string question
Posted: Mon Apr 24, 2006 12:16 pm
If I were to use the following code to keep out unauthenticated users (users must provide login/pass at another page):
Code:
<?php
session_start();
// check session variable
if (isset($_SESSION['log'])) {
    // content of page
    // stuff for logged in user
}
else {
    echo "you must log in to see this page";
}
?>
and register_globals is left on, shouldn't an unlogged in (ab)user be able to get access to the content of the page by passing "?log=1" (or something thereabouts) in a query string?
Thanks for the help!