Re: $_SESSION issues - possible security hole?

On Sun, Aug 10, 2008 at 4:23 PM, Darron Butler <dbutler518@xxxxxxxxx> wrote:

> Thanks for your thoughts. To answer your first question, I'm using extract()
> because this is a page where admins and super users can edit the permissions
> of others for the site. Therefore, I have to query the database to create a
> listing of all users, and then have the admin/super user select one to
> modify (I was planning to serve the 'rights' information from the selected
> user via POST to another page where changes could be made). Sometimes the
> user and rights that I get "assigned" when I hit refresh are another user
> with super rights and sometimes one with less than super rights and then I
> get sent to the 'die' landing page. I'm a real newbie at PHP/MySQL, so if
> there is a better/easier/more efficient way of creating the select list, I'm
> just not aware of how to do it. I just tried removing the extract statement
> and the select list is now empty...
>
> I'm using a free PHP/MySQL host online so I don't have access to make
> register_global changes, but I did find in the documentation that they have
> it set to "on". On a similar note, the variable $_SESSION['rights'] does
> certainly exist, it exists for the admin/super user logged in and accessing
> the administration page.
>
> What's interesting about this whole thing is that I have changed the query
> to include non session variables I have set and everything works fine. For
> instance (to clarify) since I set $_SESSION['user'] and $_SESSION['rights']
> when the user logs in, if my query to create the selection list is based on
> any other table columns (for instance, fname and lname and NOT user or
> rights) then the "weird" behavior does not show up. Having gone thru
> that...somehow, someway, the query of all user info seems to change the
> session variables. I appreciate your brain power thinking thru this! Any new
> thoughts? drb
>
> On Sun, Aug 10, 2008 at 2:33 PM, Evert Lammerts <evert.lammerts@xxxxxxxxx> wrote:
>
> > > Why use extract()? Try commenting it out... apart from it being
> >
> > If you use 'register globals' there's a good chance that a variable
> > $rights exists because it's a key in your $_SESSION array (don't shoot
> > me if I'm wrong, I've never worked with 'register globals'). By using
> > extract() without the $type parameter (so with EXTR_OVERWRITE set),
> > the $type variable is overwritten.
> >
> > So do try commenting it out.
> >
>

You may want to consider not saving the data for the user rights in the
session if it's getting funky. Do a general query to the table on each page
load where you want to check the data and rely just on the session cookie.
Then you can make a simpler check to see if the user still has those
permissions.

Also, judging from your post, the biggest hole will likely be that you are
referencing the auto number of the user's id that is being changed. Changing
that parameter would allow changes to another user's account easily...

I would suggest using a md5 or sha1 hash to offset that possibility.

-- 

Bastien

Cat, the other other white meat
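The clobbering Evert describes, reproduced as an added example (not code from anyone in this thread): extract() with its default EXTR_OVERWRITE flag replaces the $user and $rights that the login code (and register_globals) already created, and two ways to build the select list that leave them alone. $userRows is a constructed stand-in for the "all users" query result, and carol is an assumed logged-in admin.

```php
<?php
// Constructed stand-in for the rows returned by the "list all users" query.
$userRows = [
    ['id' => 7, 'user' => 'alice', 'fname' => 'Alice', 'lname' => 'Smith', 'rights' => 'super'],
    ['id' => 9, 'user' => 'bob',   'fname' => 'Bob',   'lname' => 'Jones', 'rights' => 'user'],
];

// Values the login page stored for the admin viewing this page. With
// register_globals = on they also exist as plain globals, exactly like this.
$user   = 'carol';
$rights = 'super';

// --- The bug: every row carries 'user' and 'rights' keys, so each extract()
// call overwrites the admin's $user and $rights with that row's values.
$html = '';
foreach ($userRows as $row) {
    extract($row);                       // flag defaults to EXTR_OVERWRITE
    $html .= "<option value=\"$id\">$fname $lname</option>\n";
}
echo "after the unsafe loop: user=$user rights=$rights\n";

// A check that follows now tests the LAST listed user's rights, not carol's,
// which is why the page sometimes lands on the 'die' handler on refresh.
if ($rights !== 'super') {
    echo "access denied, even though carol is a super user\n";
}

// --- Fix 1: read the fields explicitly; nothing is written into this scope.
$user   = 'carol';
$rights = 'super';
$html = '';
foreach ($userRows as $row) {
    $html .= '<option value="' . (int) $row['id'] . '">'
           . htmlspecialchars($row['fname'] . ' ' . $row['lname'], ENT_QUOTES, 'UTF-8')
           . "</option>\n";
}

// --- Fix 2: if extract() is kept, prefix every key so the row becomes
// $u_id, $u_user, $u_rights, ... and never touches $user or $rights
// (EXTR_SKIP would also refuse to overwrite existing variables).
foreach ($userRows as $row) {
    extract($row, EXTR_PREFIX_ALL, 'u');
    $html .= '<option value="' . (int) $u_id . '">'
           . htmlspecialchars("$u_fname $u_lname", ENT_QUOTES, 'UTF-8')
           . "</option>\n";
}
echo "after the safe loops: user=$user rights=$rights\n";
echo $html;
```

Whichever fix is used, the rights check that guards the admin page should still read its value from $_SESSION (or re-query it, as suggested above), not from a bare global that any extracted row or request variable can shadow.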
