From: "Chris" <[EMAIL PROTECTED]>
> Not really, because the script filename is deleted and changed all the
> time, it doesn't matter if they paste the name into the form, since the
> file will no longer exist.
>
It has to exist long enough for your form to post to it, which is long
enough for their form to post to it as well.
> Yes, but that's not going to do me any good because it is
> valid for one user to act on behalf of another (as a broker,
> if you will). So the currently logged in user might not be
> the one whose ID is in the hidden field...
So how do you verify that the logged-in user is allowed to act on behalf of
the other ID? You just have to keep re-verifying that the client is allowed
to do what they're doing.
It's a chore, I know - security usually is :(
Cheers
Simon Garner
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
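The two points above (a renamed script does not stop a third-party form from posting, and the hidden-field ID must be re-checked on every request) in working code. This is an added example, not code from the thread or from either poster; the broker-to-client table, the function names and the simulated session/POST arrays are all constructed here for illustration, and it uses modern PHP (`hash_equals`, `random_bytes`, PHP 7+).

```php
<?php
// Added example, not from the original thread. Re-verify on every request
// that the logged-in user may act for the account ID carried in the hidden
// field, and bind the form to the session with a token instead of relying
// on a changing script filename. All data below is constructed.

// Constructed data: which logged-in user (broker) may act for which client IDs.
$brokerClients = [
    'alice' => [101, 102],
    'bob'   => [103],
];

// What trusting the hidden field amounts to: whatever ID is posted is used.
function transferInsecure(array $post, array &$balances): bool
{
    $id = (int) $post['account_id'];       // any value pasted into a form works
    $balances[$id] -= (int) $post['amount'];
    return true;
}

// Hardened: every request re-checks session identity, permission and token.
function transferSecure(array $session, array $post, array $brokerClients, array &$balances): bool
{
    // 1. The acting user comes from the server-side session, never from the form.
    if (empty($session['user'])) {
        return false;
    }
    $user = $session['user'];

    // 2. Bind the form to this session with a token another site cannot know.
    //    This is what the renamed-script idea was trying to achieve.
    if (!isset($post['token'], $session['token'])
        || !hash_equals($session['token'], (string) $post['token'])) {
        return false;
    }

    // 3. Re-verify the broker relationship on this request, not at login time.
    $id = filter_var($post['account_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !in_array($id, $brokerClients[$user] ?? [], true)) {
        return false;
    }

    // 4. Validate the rest of the input before touching state.
    $amount = filter_var($post['amount'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($amount === false || !isset($balances[$id]) || $balances[$id] < $amount) {
        return false;
    }
    $balances[$id] -= $amount;
    return true;
}

// Issued when the form is rendered: stored in the session, echoed as a hidden field.
function issueToken(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// Constructed demo: bob is logged in but submits alice's client ID 101.
$balances = [101 => 500, 102 => 200, 103 => 50];
$session  = ['user' => 'bob'];
$token    = issueToken($session);

$forged = ['account_id' => '101', 'amount' => '400', 'token' => $token];
transferInsecure($forged, $balances);        // debits 101 although bob may not act for it
printf("insecure: account 101 balance %d\n", $balances[101]);

$balances[101] = 500;
$ok = transferSecure($session, $forged, $brokerClients, $balances); // rejected at step 3
printf("secure, forged ID: %s, account 101 balance %d\n", $ok ? 'accepted' : 'rejected', $balances[101]);

$legit = ['account_id' => '103', 'amount' => '20', 'token' => $token];
$ok = transferSecure($session, $legit, $brokerClients, $balances);  // bob's own client
printf("secure, own client: %s, account 103 balance %d\n", $ok ? 'accepted' : 'rejected', $balances[103]);

// A POST from another site carries no valid token, so a correct ID is still refused.
$ok = transferSecure($session, ['account_id' => '103', 'amount' => '5'], $brokerClients, $balances);
printf("secure, no token: %s\n", $ok ? 'accepted' : 'rejected');
```

The check in step 3 is the one the reply is describing: the permission lookup runs on each POST against the current session user, so a valid hidden-field ID belonging to someone else's client is refused. Step 2 is the replacement for renaming the script: the token is tied to the session, so a form on another site can be posted to a file that still exists and still fails.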