On Mon, Jun 16, 2008 at 1:01 PM, Nitsan Bin-Nun <nitsanbn@xxxxxxxxx> wrote:
> I think you can handle this with 2 pages, the first is checking whether the
> user is permitted to upload or not and if so passing him to the upload form
> with a simple (bool) $_SESSION variable which indicates his permissions.
> If you will try to access the second page and the $_SESS variable won't
> exist it will throw you back to page 1 to validate your permissions.
>
> Am I missing something? (it's pretty simple..)
>
> HTH

Yes, it's missing something. There is nothing in this approach to prevent the
remote client from attempting to access the second page directly. Even if they
do not have the valid $_SESSION variable set, the server will still receive the
entire uploaded content before passing control to the PHP script to validate
permissions.

In a DoS attack, the attacker doesn't care whether the request is actually
allowed; only that resources were consumed in handling the request.

It's still the "chicken and egg" problem already described in this thread.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
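The following is an added example and not code from either poster. It is the "second page" of the quoted two-page scheme, written to make Andrew's point visible: before the first statement of the script runs, the web server and PHP's SAPI have already read the whole request body and written any file parts to upload_tmp_dir, so the session check can only decide whether to keep the upload, not whether to receive it. The form field name `doc`, the redirect target `/page1.php`, the session key `can_upload` and the destination directory `/var/www/uploads/` are assumptions made for the example.

```php
<?php
// Added example (not from the thread). Deploy as the upload target of the
// quoted two-page scheme and watch the error log: the request body has been
// consumed, and file parts written to disk, before this line executes.
// Names assumed for the example: field "doc", session key "can_upload",
// redirect /page1.php, destination /var/www/uploads/.
session_start();

// Convert a php.ini shorthand size such as "8M" or "512K" to bytes.
function ini_bytes($value)
{
    $value = trim((string)$value);
    $num   = (int)$value;
    switch (strtoupper(substr($value, -1))) {
        case 'G': $num *= 1024; // fall through
        case 'M': $num *= 1024; // fall through
        case 'K': $num *= 1024;
    }
    return $num;
}

$contentLength = isset($_SERVER['CONTENT_LENGTH']) ? (int)$_SERVER['CONTENT_LENGTH'] : 0;
$postMax       = ini_bytes(ini_get('post_max_size'));

// Inventory what has already happened to the body before any decision is made.
$already = ['content_length' => $contentLength, 'files' => []];
foreach ($_FILES as $field => $f) {
    $already['files'][$field] = [
        'tmp_name'      => $f['tmp_name'],
        'bytes_on_disk' => is_file($f['tmp_name']) ? filesize($f['tmp_name']) : 0,
        'error'         => $f['error'], // UPLOAD_ERR_INI_SIZE when > upload_max_filesize
    ];
}
// A body larger than post_max_size is dropped by PHP without notice: $_FILES and
// $_POST are empty, but CONTENT_LENGTH still records how many bytes arrived.
if ($contentLength > $postMax && empty($_FILES)) {
    $already['note'] = 'body exceeded post_max_size: received, then discarded';
}
error_log('upload.php: body consumed before permission check: ' . json_encode($already));

// The permission gate from the quoted suggestion. It is still correct as an
// authorisation check; it simply runs after the resources have been spent.
if (empty($_SESSION['can_upload'])) {
    foreach ($_FILES as $f) {           // PHP removes these at request end anyway
        if (is_file($f['tmp_name'])) {
            unlink($f['tmp_name']);
        }
    }
    header('Location: /page1.php', true, 303);
    exit;
}

// Authorised: accept only a successfully received upload of the expected field.
if (!isset($_FILES['doc']) || $_FILES['doc']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('upload rejected');
}
$dest = '/var/www/uploads/' . bin2hex(random_bytes(16)); // assumed directory
if (!move_uploaded_file($_FILES['doc']['tmp_name'], $dest)) {
    http_response_code(500);
    exit('could not store upload');
}
echo 'stored';
```

The php.ini limits `post_max_size` and `upload_max_filesize` only change what PHP does with the bytes (discard instead of store); the transfer itself still completes. A bound that is enforced before the body is read has to live in the web server: Apache's `LimitRequestBody` and nginx's `client_max_body_size` compare the request's Content-Length header against the limit and answer 413 without accepting the body, which is the earliest point at which an unauthenticated oversized request can be refused.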