Example 15-15. Example use of sessions with register_globals on or off
<?php
// We wouldn't know where $username came from but do know $_SESSION is
// for session data
if (isset($_SESSION['username'])) {
    echo "Hello <b>{$_SESSION['username']}</b>";
} else {
    echo "Hello <b>Guest</b><br />";
    echo "Would you like to login?";
}
?>
It's even possible to take preventative measures to warn
when forging is being attempted. If you know ahead of time
exactly where a variable should be coming from, you can
check to see if the submitted data is coming from an inappropriate
kind of submission. While it doesn't guarantee that data
has not been forged, it does require an attacker to guess
the right kind of forging. If you don't care where the request
data comes from, you can use $_REQUEST as it contains a
mix of GET, POST and COOKIE data. See also the manual section
on using variables from outside of PHP.
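The source check described above, as an added example that is not part of the original manual text: it reads a value only from the source it is expected in and logs a warning when the same key also arrives through another kind of submission. The function name fetch_from_expected(), the key name remember_me and the sample request arrays are hypothetical and constructed for illustration.

```php
<?php
// Added example: trust a value only from its expected source and report
// any other request source that also carries the same key.
// fetch_from_expected() is a hypothetical helper, not a PHP built-in.
function fetch_from_expected(string $key, string $expected, array $sources): array
{
    if (!array_key_exists($expected, $sources)) {
        throw new InvalidArgumentException("Unknown source: $expected");
    }

    // The same key arriving through any other source is an inappropriate
    // kind of submission and is recorded, never used.
    $unexpected = [];
    foreach ($sources as $name => $data) {
        if ($name !== $expected && array_key_exists($key, $data)) {
            $unexpected[] = $name;
        }
    }

    // Only the expected source is accepted as the origin of the value.
    $value = $sources[$expected][$key] ?? null;

    return ['value' => $value, 'unexpected' => $unexpected];
}

// Constructed request data so the script runs from the command line.
// In a live script: ['GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE]
$sources = [
    'GET'    => ['remember_me' => 'forged-value'],
    'POST'   => [],
    'COOKIE' => ['remember_me' => 'real-value'],
];

$result = fetch_from_expected('remember_me', 'COOKIE', $sources);

if ($result['unexpected'] !== []) {
    // error_log() writes to the configured PHP error log.
    error_log(sprintf(
        'Possible forging attempt: "%s" also submitted via %s',
        'remember_me',
        implode(', ', $result['unexpected'])
    ));
}

// Escape before output, whatever the source.
echo 'Cookie value: ',
    htmlspecialchars((string) $result['value'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```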