[RESOLVED] Security path ............

whisher06

Hi.
I'm working on a system to reset
the user password.
To making the script safer against
hacking I made this simple snippet:

<?php 
function checkPath($findMe)
{
	$path =  basename($_SERVER['PHP_SELF']); 
 	return strpos($path, $findMe);
}
$findMe  = "PW";

if (checkPath($findMe) === false) 
{// REDIRECT
   echo "NO GOOD";
} 
else 
{
   echo "GOOD";
}
print_r($_GET);
?>

I'm putting it in ie reset.php and
the page will be redirect unless
you don't set your path like this reset.php/PW.
(To working the script will have got a path like this
reset.php/PW?r=6e029fbfa817dfc458598a5d38a6755f)
What do you think about ?
Do you have any tip ?
Bye.

bradgrafelman

whisher06 wrote:
To making the script safer against hacking

What kind of hacking?
I don't see how this makes it any 'safer'...?

whisher06

Thanks for the replay.

What kind of hacking?

Not a really hacking but you can only access
the script with reset.php/PW?r=something and not ie reset.php?r=something.
It is a good trick, is it ?

I don't see how this makes it any 'safer'...?

As above.

Do you have any tip to protecting the page in a
better way ?

Bye.

bradgrafelman

I guess I just don't see how the two are any different... if someone stole the hash to reset a password, all they have to do is glance at a valid link (perhaps generated for their own account) and they'd know to do the same.

Basically... if you're worried about someone who's smart enough to start manipulating the URL and alter values, don't you think they'll be smart enough to type three more characters... "/PW?" ?

whisher06

Hi and thanks a lot for your remark.
I've changed my mind about my 'security page'
it was just a test (I think not a smart one 😉 ).
I completely agree with you.
Bye and thanks again.