On Thu, June 23, 2005 12:33 am, symbulos said: > Richard Lynch wrote: >> You simply have to convince the other site that your PHP script actually >> *IS* the user logging in, which is seldom very tricky, and is always >> *POSSIBLE* with enough effort. > > How can be that done? Do you know of any tutorial, example? Just the examples in http://php.net/curl and following pages. It's a LOT easier than you think when you sit down to do it. You send the same crap to their web-server that a browser sends. They send back the same HTTP/HTML crap your browser gets. You use PHP to find the bits and pieces relevant to getting to the next URL, and you start over with sending the same crap your browser sends. Repeat all that as necessary, and you reach your goal. I posted a lot more detail already a few minutes ago, but wanted to stress that despite the finicky details, it's just not that tricky. I think EVERY web developer should do this, at least once, just to realize just how *NOT* tricky it is to "fool" a login if a determined Bad Guy wants to. It will make you appreciate so much more what Security really is, and why a simplistic login isn't really much of a barrier -- And you have a better understanding of what goes on during a login process that *is* "good". If anybody teaches a PHP course of any length, this should be a required assignment: Using a known valid login for a site that requires username/password, write a PHP script that gets "through" that login to "protected" content. Let the students pick the site, and share their results. They'll all learn a whole lot more that way from each other's experience. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
