Lorenzo Marussi wrote:
hi List,
I have written a library of php classes to manage database objects.
So my application now access to this library instead of accessing
directly to the database.
Now, I need to add an access control to my classes, like a check to a
$_SESSION variable.
A solution can be add this lines in first rows in every method:
" session_start();if(!isset($_SESSION['user'])) { return 999; } "
ex:
class sysAccess{
.....
function getName()
{
session_start();if(!isset($_SESSION['user'])) { return
999; }
..
}
}
In this way, I am sure that only trusted users have an access to the
methods.
But, If I forget to "protect" a single method, there will be a serious
vulnerability ..and this task will be long (and boring..)
Is there a better solution to protect access to publics object's methods
only to granted accounts?
I'm missing something here, how would a user (I assume a of website)
manage to run methods on classes which are part of server side code?
Regardless of your answer to the above question, this all points to
something being wrong in the architecture of the application - perhaps
if you give more details (show us the interfaces, the code, or PHP doc
the system to expose the API) we could help find where the problems are.
Best,
Nathan
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
