Forms, SPAM and Sessions

jasonyoung

I have read up on most of the threads on this, but I need some clarification. If my form is behind a login (which looks up a MySQL entry) and I have all subpages referring back to the login page of they have not authenticated, how vulnerable to injections am I? Seems like my forms are protected. Am I missing something?

I realize this is a VERY open ended question.

crazychris

if each page loads the login script, and the login script does a header() redirect then die() (or some other similar method) then it should be ok. If the script uses include() files, then they should always check to make sure they were not called directly (e.g. define a var in the master page, check for it in the included pages)

Remember boys and girls, always die() after a header() redirect call.

jasonyoung

So if the very top of EVERY subpage has this:

<?php
   session_cache_limiter('private, must-revalidate');
   session_start();

   if (@$_SESSION['auth'] != "yes")
    {
      header("Location: logon.php");
      exit();
    }
?>

I should be OK, or do I need a die statement added. If so, where?

Thanks

crazychris

die() and exit() are the same. That looks good.