Ten Security Checks for PHP, Part 2
Subject:   Avoid Loose Typing Intricacies - fix
Date:   2003-04-08 00:58:01
From:   clancymalcolm
Response to: Avoid Loose Typing Intricacies - fix

The code is certainly not intended for a production site - the code was given as an example of what _NOT_ to do. The text discussing the code illustrates these flaws. It is based on the security hole found in PHPMyAdmin some time ago, but simplified for clarity and the ability to run as a stand-alone script. Your suggestion is certainly valid and follows the advice in the "Possible Fixes" section for this hole.

If you are designing an application from scratch I would advise using a standard library such as the PEAR authentication library or the older PHPLib library - this way you get the benefit of code that is (hopefully) reviewed by lots of other developers and well tested. However, there are still many applications that use their own authentication mechanisms and these are frequently flawed. The example aims to illustrate a flawed implementation so that you are able to identify and fix such holes.
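As an added illustration of the class of flaw this thread is about, and not code from the article, from this reply, or from PHPMyAdmin, the following stand-alone script puts a loose `==` credential check beside a strict `===` one. The user table and the stored credential string are constructed for the example; the point is only how PHP's `==` treats two numeric-looking strings.

```php
<?php
// Added example, not the article's or the reply's own code.
// Constructed user table: in a real application the stored value would be
// the output of a password hashing function, not a literal.
$users = [
    'alice' => '0e462097431906509019562988736854', // constructed numeric-looking string
];

// Flawed check: PHP's == converts operands before comparing. When both sides
// are numeric strings, they are compared as numbers. "0e4620..." is read as
// 0 * 10^462..., i.e. 0, so "0", "0e1" and "0.0" all compare equal to it.
function check_loose(array $users, string $user, string $supplied): bool
{
    return isset($users[$user]) && $users[$user] == $supplied;
}

// Hardened check: === compares type and value with no conversion, so only the
// exact stored string is accepted.
function check_strict(array $users, string $user, string $supplied): bool
{
    return isset($users[$user]) && $users[$user] === $supplied;
}

// Constructed probe values an attacker might submit as the password.
$probes = ['0', '0e1', '0.0', 'wrongpassword', '0e462097431906509019562988736854'];
foreach ($probes as $p) {
    printf("%-36s loose=%-6s strict=%s\n", $p,
        check_loose($users, 'alice', $p) ? 'ACCEPT' : 'reject',
        check_strict($users, 'alice', $p) ? 'ACCEPT' : 'reject');
}
```

Run under any PHP version, the loose check accepts `0`, `0e1` and `0.0` while the strict check accepts only the exact stored string. PHP 8 changed how `==` treats a number against a non-numeric string, but a numeric string against a numeric string is still compared numerically, so `===` (or a dedicated comparison function) remains the fix rather than relying on the PHP version.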