On Wed, 2008-10-08 at 20:02 +0100, Stut wrote:
> On 8 Oct 2008, at 19:52, Bernhard Kohl wrote:
> > <?php
> > # I would recommend using the include method. Redirects should always
> > # be second choice, because they are just evil.
>
> In this case I would disagree. On successful login it's normal to
> redirect to a useful page rather than just display a page that says
> "congratulations, you're a real user". In the case of an unsuccessful
> login why would you need to include another file? Surely the logic
> that follows is part of the login script.
>
> It's all a personal preference tho. I used to think that redirects
> should not be used unless absolutely necessary but the reasons people
> give are generally religious rather than logical.
>
> > # Example code below
> > $password = md5('swordfish');
> > $user = 'Trucker Joe';
> > if ($_POST['user'] === $user && md5($_POST['password']) === $password) {
> >     include_once('login_successful.php');
> > } else {
> >     include_once('login_failed.php');
> > }
> > # Some may also hash the user to prevent injection
> > # http://us.php.net/manual/en/function.include.php
> > # http://en.wikipedia.org/wiki/Code_injection#PHP_Injection
>
> I see nothing in that code that would be open to code injection.
>
> -Stut
>
> --
> http://stut.net/
>
I usually include verification on each page, so I'll redirect if they
are not logged in, but process them as normal throughout that script if
they are. I guess like all things PHP, there's 101 ways to do something,
and it's just down to preference and those little details...
Ash
www.ashleysheridan.co.uk
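
The two approaches discussed in this thread (redirecting after a successful login, and a per-page check that redirects visitors who are not logged in), written out as an added example that is not part of any poster's message. The paths /login.php and /account.php, the function names and the in-memory user table are assumptions; login_failed.php is the include named in the quoted code.

```php
<?php
// Added example: names, paths and the sample account are hypothetical.
session_start();

// Constructed sample account; a real site would load the hash from storage.
// password_hash() salts and stretches, unlike the bare md5() in the thread.
$users = ['Trucker Joe' => password_hash('swordfish', PASSWORD_DEFAULT)];

// Shared by both flows: send the redirect, then stop executing the script.
function redirect_and_exit(string $path): void
{
    header('Location: ' . $path);
    exit; // without this, the rest of the page still runs and is sent
}

// Returns true only for a known user whose password matches the stored hash.
function check_login(array $users, $user, $password): bool
{
    if (!is_string($user) || !is_string($password) || !isset($users[$user])) {
        return false; // also rejects array-valued POST fields
    }
    return password_verify($password, $users[$user]);
}

// Per-page guard: call at the top of every protected page.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        redirect_and_exit('/login.php');
    }
}

// Login handler: redirect on success, handle failure inside this script.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['user'] ?? null;
    $pass = $_POST['password'] ?? null;
    if (check_login($users, $user, $pass)) {
        session_regenerate_id(true); // new session ID once the user is authenticated
        $_SESSION['user'] = $user;
        redirect_and_exit('/account.php');
    }
    include 'login_failed.php';
}
```

The `exit` after `header('Location: ...')` is what makes the per-page check effective: a client that ignores the redirect would otherwise still receive the protected output.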