Re: objects and $_SESSION access control

Lorenzo Marussi wrote:
hi List,

I have written a library of PHP classes to manage database objects.
So my application now accesses this library instead of accessing
the database directly.

Now, I need to add access control to my classes, like a check on a
$_SESSION variable.

A solution could be to add these lines at the start of every method:
" session_start();if(!isset($_SESSION['user'])) { return 999; } "

ex:
class sysAccess{
    // ...
        function getName()
        {
            session_start();if(!isset($_SESSION['user'])) { return 999; }
            // ...
        }
}


In this way, I am sure that only trusted users have access to the
methods.
But if I forget to "protect" a single method, there will be a serious
vulnerability... and this task will be long (and boring...).

Is there a better solution to restrict access to an object's public
methods to granted accounts only?

I'm missing something here: how would a user (I assume of a website) manage to run methods on classes which are part of server-side code?

Regardless of your answer to the above question, this all points to something being wrong in the architecture of the application - perhaps if you give more details (show us the interfaces, the code, or PHP doc the system to expose the API) we could help find where the problems are.

Best,

Nathan

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
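
The question in the quoted post (a per-method session check that is easy to forget) can be handled with one deny-by-default wrapper, shown here as an added example that is not code from either poster. SessionGuard, AccessDenied and the $open allow-list are hypothetical names, and an exception replaces the post's "return 999" so a denial cannot be mistaken for data.

```php
<?php
// Added example; SessionGuard and AccessDenied are hypothetical names.
class AccessDenied extends RuntimeException {}

final class SessionGuard
{
    private object $target;
    private array $open; // methods callable without a login (none by default)

    public function __construct(object $target, array $open = [])
    {
        $this->target = $target;
        $this->open = $open;
    }

    // Every call on the guarded object passes through here, so a newly
    // added method is protected without any per-method code.
    public function __call(string $name, array $args)
    {
        if (!is_callable([$this->target, $name])) {
            throw new BadMethodCallException("Unknown method: $name");
        }
        if (!in_array($name, $this->open, true) && !self::loggedIn()) {
            throw new AccessDenied("Login required for $name()");
        }
        return $this->target->$name(...$args);
    }

    private static function loggedIn(): bool
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        return isset($_SESSION['user']);
    }
}

// Constructed stand-in for the class in the quoted post.
class sysAccess
{
    public function getName() { return 'example'; }
}

$sys = new SessionGuard(new sysAccess());
try {
    echo $sys->getName(), "\n";
} catch (AccessDenied $e) {
    echo "denied\n"; // reached whenever $_SESSION['user'] is not set
}
```

The guard only helps if application code never receives the unwrapped object, so construct the library's classes in one place (a factory, for instance) that always returns the SessionGuard.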


