> The more secure method ensures it MUST come from a form. Be
> advised: the user can create his own form with $admin as a variable
> and submit it to your PHP script. Therefore, additional precautions
> and authentication are warranted.

And what should these precautions be? If a malicious user can submit his own form and you are looking for a POST variable, how can you ensure that $admin came from your form and not that user's? And if that same user can hijack a session, that makes it so you have even fewer precautions you can take.

I'm honestly interested in this. I've read the security section of the manual, read similar threads and each time, I've come to the conclusion that you can really only ever be so secure. And that all of the tests, checks, balances you may implement are all for naught where a really determined malicious user is concerned.

Chris

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
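
The following is an added example, not code from the thread or from the PHP project: it contrasts a check that trusts a client-supplied `admin` POST field with one that takes the privilege from server-side session state and verifies a per-session form token. The names `is_admin_naive`, `issue_form_token`, `is_admin_request`, `is_admin` and `form_token` are hypothetical, the session is modelled as a plain array so the script runs from the command line, and session hijacking is outside what it covers.

```php
<?php
// Added example; all function and key names are hypothetical.

// The pattern discussed in the thread: the privilege is read from the
// request, so any form the client builds can set it.
function is_admin_naive(array $post): bool
{
    return !empty($post['admin']);
}

// Called when the real form is rendered: keep a random token on the
// server side and embed the same value in a hidden form field.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// The privilege comes only from the session (set at login, after the
// user authenticated); nothing in $post can grant it. The token check
// rejects submissions that were not built from a form this session
// was issued.
function is_admin_request(array $session, array $post): bool
{
    if (empty($session['is_admin'])) {
        return false;
    }
    $expected = $session['form_token'] ?? '';
    $supplied = $post['form_token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time compare
}

// Constructed sample data: an ordinary user posts a hand-made form.
$userSession = ['user' => 'alice', 'is_admin' => false];
$userToken   = issue_form_token($userSession);
$forgedPost  = ['admin' => '1', 'form_token' => $userToken];
var_dump(is_admin_naive($forgedPost));
var_dump(is_admin_request($userSession, $forgedPost));

// Constructed sample data: an authenticated administrator.
$adminSession = ['user' => 'root', 'is_admin' => true];
$adminToken   = issue_form_token($adminSession);
var_dump(is_admin_request($adminSession, ['form_token' => $adminToken]));
var_dump(is_admin_request($adminSession, ['form_token' => 'guessed']));
```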