
Contridentuallity

Not a fact, a theory!?


Theory of PHP Security


A large number of web programmers are using PHP as a primary programming language to create online applications, content management systems, or other small scripts. PHP is a great language and platform to work with, and definitely delivers the cherry on top of the cake. I've been programming in this language for a short while, and find the experience extremely pleasant.

Just as any other programming language, you need to follow general security measures and techniques to ensure that your content is safe and secure from malicious or unintended actions. I'm going to provide a simple sample which will make you realize how easy it sometimes is for a user to access content which you are trying to secure.

Let's say that you are requiring a user to log in with a username and password in order to see or access certain content. You might have something like the below:

<?php

if (isset($_POST['username'], $_POST['password'])
    && $_POST['username'] == "username" && $_POST['password'] == "password")
{
    $access = 1;
}

secret();

function secret()
{
    // $access is read from the global scope. With register_globals on, PHP has
    // already created it from any "access" parameter in the request, so the
    // variable may be 1 before the login check above has run at all.
    global $access;

    if ($access == 1)
    {
        echo "SECRET CONTENT";
    }
    else
    {
        echo "NO SECRET CONTENT";
    }
}

?>


So basically what this code does is get a posted username and password from a form on another page. It then checks whether the username and password are what you want them to be. If they are, the variable named $access will be set to 1. But...

When register_globals is turned on, PHP creates a global variable for every request parameter before your code runs. Any user can therefore reach the secret content by posting access=1 along with the form: $access already holds 1 when secret() is called, whether or not the login check succeeded.

This is just a basic sample, and I do realize that there are many ways to work around this, but below is the code which I would use to make this code more secure:

<?php

// Initialise the flag first: this overwrites anything register_globals
// may have placed in $access from the request.
$access = 0;

if (isset($_POST['username'], $_POST['password'])
    && $_POST['username'] == "username" && $_POST['password'] == "password")
{
    $access = 1;
}

secret();

function secret()
{
    // Still read from the global scope, but now the value is always the
    // one set by this script, never one supplied by the client.
    global $access;

    if ($access == 1)
    {
        echo "SECRET CONTENT";
    }
    else
    {
        echo "NO SECRET CONTENT";
    }
}

?>


Note how I set the variable to 0 before executing the IF statement.
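The same gate written so that the access decision never lives in a global that a request could seed, as an added example that is not from the original post. The runtime guard on register_globals and the names isAuthorized and secret are my own choices; the credentials mirror the snippets above.

```php
<?php
// Added example, not part of the original post. Function and parameter names
// are hypothetical; the hard-coded credentials mirror the post's snippets.

// Refuse to run at all under a register_globals configuration, so an
// uninitialised variable can never be seeded from the request.
if (ini_get('register_globals')) {
    http_response_code(500);
    exit('register_globals must be disabled');
}

define('EXPECTED_USER', 'username');
define('EXPECTED_PASS', 'password');

function isAuthorized(array $post)
{
    // Missing fields are a failed login, never an undefined variable.
    if (!isset($post['username'], $post['password'])) {
        return false;
    }
    // hash_equals compares in constant time and returns a strict bool,
    // so there is no loose "== 1" check to satisfy with a crafted value.
    return hash_equals(EXPECTED_USER, (string) $post['username'])
        && hash_equals(EXPECTED_PASS, (string) $post['password']);
}

// The decision is passed in explicitly: there is no global state for a
// request parameter to overwrite, with or without register_globals.
function secret($access)
{
    if ($access === true) {
        echo "SECRET CONTENT";
    } else {
        echo "NO SECRET CONTENT";
    }
}

secret(isAuthorized($_POST));
```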

Just something to chew on. :smile: