Re: Re: limit access to php page

On May 30, 2013 8:10 AM, "Jim Giner" <jim.giner@xxxxxxxxxxxxxxxxxx> wrote:
>
> On 5/29/2013 9:38 PM, tamouse mailing lists wrote:
>
>>
>> Okay, first off, your application *has* to have some entry point that
>> *is* accessible to a browser; otherwise nothing will find it.
>>
>
> Once again - I was wrong in my suggestion as Ashley has pointed out so
> correctly.  Had to test it out this morning only to discover that I had
> never done quite that kind of Header redirect before.
>
> So - the include method still works, as would the single script
> 'controller' method.  Within a php script any file is accessible (within
> your domain at least) and may therefore be included and executed.

I want to throw in a caveat here, and that is the open_basedir directive,
which limits where you can include files from.

On the other hand, if you must have the target script in your
web-accessible tree, simply establish some kind of security handler and add
logic to your page(s) to check permissions before displaying anything.
 This handler could be based upon session vars, cookies, db entries (my
pref).  Once established it can be a universal addition to any and all of
your appls.
>
> My personal method is to create a db table containing an appl name, page
> name, and a non-unique security level (I use an integer).  Then have an
> admin screen for creating userids for an appl with multiple recs each
> containing a security level for that user for that appl. Then have a signon
> method that validates credentials and builds a session array containing all
> the user's security levels.  In every page that I want secured, I call a
> function with that script's internal pagename and appl name and confirm
> that the page's sec level is contained in the user's session array.  I also
> have a master level (99) that if present gives global access for myself as
> administrator.  There's a bit more to it, but that's my security method.
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
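
The per-page security-level check described in the quoted message, sketched as an added example; it is not code from either poster. The function names, the session key `levels`, the `billing` appl, its page names and the include path are all hypothetical, and the constant array stands in for the db table.

```php
<?php
// Added illustration; every name below is hypothetical.
declare(strict_types=1);

const MASTER_LEVEL = 99; // the administrator level mentioned in the message

// Constructed sample rows standing in for the (appl, page, level) table.
const PAGE_LEVELS = [
    'billing' => ['invoice_list' => 10, 'invoice_edit' => 20],
];

/** Called by the sign-on script once credentials have been validated. */
function start_authorized_session(array $levelsByAppl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);          // fresh session id at login
    $_SESSION['levels'] = $levelsByAppl;  // e.g. ['billing' => [10, 20]]
}

/** True if the user's levels for this appl include the page's level or 99. */
function user_may_view(array $session, string $appl, string $page): bool
{
    $required = PAGE_LEVELS[$appl][$page] ?? null;
    if ($required === null) {
        return false; // page not registered: deny by default
    }
    $levels = $session['levels'][$appl] ?? [];
    if (!is_array($levels)) {
        return false; // malformed session data: deny
    }
    // Assumption: the master level is stored in the same per-appl list.
    return in_array(MASTER_LEVEL, $levels, true)
        || in_array($required, $levels, true);
}

/** First statement of every secured page, before any output is sent. */
function require_access(string $appl, string $page): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!user_may_view($_SESSION, $appl, $page)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// At the top of a secured page such as invoice_edit.php:
//   require __DIR__ . '/../private/security.php'; // path must be inside open_basedir
//   require_access('billing', 'invoice_edit');
```

Keeping the helper file outside the web-accessible tree means it can only be reached through `include`/`require`, and if `open_basedir` is set, that directory has to be listed in it.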
