PHP_SELF requires no processing (i.e. there is no need to do basename()).

strcmp is binary-safe. I prefer and recommend using string-safe comparison
functions for strings... here is an example of why:

$value = 0;
if($value=="not zero") {
    echo "oopsie, how did this happen, lets see how this works with strcmp (or === which i would advise)";
    if(strcmp($value, "not zero") == 0) {
        echo "You wont see this";
    } else {
        echo "Because strcmp works correctly";
    }
}

You can also use the exact comparator ===; as it compares types, it would
work well as well. In fact, if you don't need to determine anything about the
string, I would suggest using the === operator as it is significantly faster:

timed: 0m0.724s
<?php
for($i=0; $i<=10000000; $i++){
    if(1 === "submit") {
        continue;
    }
}

timed: 0m4.785s
<?php
for($i=0; $i<=10000000; $i++){
    if(strcmp(1, "submit")==0) {
        continue;
    }
}

--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late. ~Seymour Cray


On Thu, May 19, 2011 at 2:44 PM, Andre Polykanine <andre@xxxxxxxx> wrote:
> Hello Alex,
>
> Two (stupid?) questions:
> 1. Why is PHP_SELF better than SCRIPT_NAME?
> 2. Why is strcmp() better than just comparing?
>
> --
> With best regards from Ukraine,
> Andre
> Skype: Francophile
> My blog: http://oire.org/menelion (mostly in Russian)
> Twitter: http://twitter.com/m_elensule
> Facebook: http://facebook.com/menelion
>
> ------------ Original message ------------
> From: Alex Nikitin <niksoft@xxxxxxxxx>
> To: PHP General
> Date created: , 9:29:35 PM
> Subject: A Review Request
>
>
> I will try to respond to the original question.
>
> Note: this is constructive criticism, so I won't do much in terms of
> praising the good parts.
>
> It works, it's very primitive, in some ways it's pretty insecure. For example,
> it provides no session hijacking protection; it's not written with the
> better of standards in mind. For one, if you do store your password in code,
> you shouldn't store your password in clear text, so that if, say, I was able
> to bypass php execution and dumped that file out, I would still not have a
> usable password, so use a hash. There is no timing out or attempt
> management; for example, I can write a 5 line-long brute script that will
> just pound your script with user ids and passwords. You should make it at
> least somewhat difficult for me to do that ;)
>
> Also don't declare a bunch of needless variables for their one-time use,
> don't compare unsanitized strings with a binary unsafe operator, and server
> variables contain a link to the current script. Here are examples of what I mean:
>
> -$self = basename($_SERVER['SCRIPT_NAME']);
> +$self = $_SERVER['PHP_SELF'];
>
>
> -$submit = isset($_POST['submit']) ? $_POST['submit'] : null;
> -if($submit == 'Submit')
>
> +if($_POST)
>
>
> -$pw = 'pw'; // define your password here
> -$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null;
> -$password = isset($_POST['password']) ? $_POST['password'] : null;
> -if (($user_id == $id) AND ($password== $pw))
>
> +$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the
> password: php -r "echo sha1(\"pw\");"
> +if (@strcmp($id, $_POST['user_id']) == 0 && strcmp($pw,
> sha1($_POST['password'])) == 0)
>
>
>
> -- Alex --
> --
> The trouble with programmers is that you can never tell what a programmer is
> doing until it’s too late.
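Review bot: the `+$self = $_SERVER['PHP_SELF'];` line replaces a value that is safe to echo with one that is not. PHP_SELF is built from the request path as the client sent it (including any trailing path info), so if `$self` is later printed into a form action it becomes a reflected XSS vector. Keep `basename($_SERVER['SCRIPT_NAME'])`, or at minimum pass `$self` through htmlspecialchars() before output.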
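Review bot: replacing the `$submit == 'Submit'` test with `if($_POST)` widens the condition to any non-empty POST body, and it also drops the isset() guards on `user_id` and `password` (the `-$user_id`/`-$password` lines below), which is why the next hunk needs `@` to hide the undefined-index notice. Test for the fields the handler actually needs, e.g. `if (isset($_POST['user_id'], $_POST['password']))`, and compare with `===` rather than a truthiness test.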
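Review bot: the comment on the `+$pw=...` line, `//sha1 hash of the password: php -r "echo sha1(\"pw\");"`, discloses the very password the hash was meant to hide, so the hash adds nothing; drop the comment. An unsalted sha1 of a short password is in any case recovered by a dictionary lookup the moment the file leaks, so store a salted, slow hash instead (crypt() with a Blowfish salt, or password_hash() on PHP 5.5+). In the `+if (@strcmp(...)` line the `@` suppresses the notice for a missing `user_id` rather than checking isset(), and strcmp() on the hash returns at the first differing byte, so it is not a constant-time comparison.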
> ~Seymour Cray
>
>
> On Wed, May 18, 2011 at 3:22 PM, tedd <tedd@xxxxxxxxxxxx> wrote:
>
> > Hi gang:
> >
> > I am considering providing PHP code to the general public via my website
> >
> > This is my first attempt:
> >
> > http://sperling.com/php/authorization/
> >
> > What do you people think?
> >
> > Cheers,
> >
> > tedd
> >
> > --
> > -------
> > http://sperling.com/
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
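A hardened form of the login check reviewed in this thread, added here as an example; it is not code from the thread or from tedd's script. It assumes PHP 7 or later (declare(strict_types), password_hash()/password_verify(), hash_equals()), and the names $expected_user, $expected_hash and login_ok() are assumptions, not identifiers from the reviewed script.

```php
<?php
// Added example, not code from the thread or from tedd's script.
// Assumes PHP 7+ (declare, password_hash/password_verify, hash_equals).
declare(strict_types=1);

// Constructed sample credentials. $expected_hash is computed here only so the
// demo runs stand-alone; in a real script store the hash (never the plaintext,
// and never a comment revealing it) outside the web root.
$expected_user = 'tedd';
$expected_hash = password_hash('pw', PASSWORD_DEFAULT);

/**
 * Returns true only when $post carries the exact user id and a password that
 * matches the stored hash. Replaces the reviewed `if($_POST)` / `@strcmp(...)`
 * logic with explicit presence checks and type-strict comparisons.
 */
function login_ok(array $post, string $expected_user, string $expected_hash): bool
{
    // Require both fields as strings: a POST without them is not a login attempt,
    // and an array value (user_id[]=...) must not reach the comparison functions.
    if (!isset($post['user_id'], $post['password'])
        || !is_string($post['user_id']) || !is_string($post['password'])) {
        return false;
    }
    // hash_equals() is type-strict and constant-time, so the 0 == "text" style
    // coercion and the early-exit timing behaviour of strcmp() do not apply.
    $user_ok = hash_equals($expected_user, $post['user_id']);
    // password_verify() handles salt and algorithm; an unsalted sha1() compared
    // with strcmp() would be both quick to brute-force and timing-dependent.
    $pass_ok = password_verify($post['password'], $expected_hash);
    return $user_ok && $pass_ok;
}

// Constructed requests standing in for $_POST.
$attempts = [
    'good'           => ['user_id' => 'tedd', 'password' => 'pw'],
    'wrong password' => ['user_id' => 'tedd', 'password' => 'PW'],
    'missing field'  => ['user_id' => 'tedd'],
    'array injected' => ['user_id' => ['tedd'], 'password' => 'pw'],
];
foreach ($attempts as $label => $post) {
    printf("%-15s -> %s\n", $label,
        login_ok($post, $expected_user, $expected_hash) ? 'accepted' : 'rejected');
}
```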