$LOGGED_IN = TRUE; session_register("LOGGED_IN");
That worked fine, up until I realized that when I appended an argument to the URL, I could spoof the log-in mechanism (as in http://www.negativetwenty.com/index.php?LOGGED_IN=TRUE).
This obviously is not good. So I consulted my good friend phpinfo() for an answer. As it turns out, this issue is much easier to fix than I would have thought.
Calling upon its vast C roots, PHP has the HTTP_SERVER_VARS of “argc” and “argv” that work just like argc and argv for C command line programs. PHP also stores the current page in an internal variable called PHP_SELF. With that said, I derived the following:
<?php
if ($HTTP_SERVER_VARS["argc"] != 0) {   // If someone is trying to pass an argument
    Header("Location: $PHP_SELF");      // Then reload the page argument-free
    exit;                               // Stop here so the rest of the page does not run
}
// ... Otherwise load page normally
?>
Since this uses internal PHP variables, I believe it is web server independent, but I’m not sure about that. It apparently works fine on Apache and IIS, which are the two big web servers in use today.
Hope this helps someone else out. Let me know if you have any issues with it.
-Kevin
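The spoofing problem described above and a session-only check, as an added example that is not code from the original post. It simulates the old register_globals import with extract() (an assumption, since register_globals and session_register() were removed in PHP 5.4) and compares it with a check that trusts only server-side session state, which no request parameter can set. The function names, the sample user and the password are hypothetical, and the plain arrays stand in for $_GET and $_SESSION.

```php
<?php
// Added example, runnable from the CLI on current PHP.

// Legacy behaviour, simulated: request parameters are imported into the
// variable scope, so the flag can be supplied by the URL.
function is_logged_in_legacy(array $query, array $session): bool
{
    extract($query);                               // stands in for register_globals
    if (array_key_exists('LOGGED_IN', $session)) {
        $LOGGED_IN = $session['LOGGED_IN'];        // value saved by session_register()
    }
    return !empty($LOGGED_IN);
}

// Hardened check: the flag is read only from session data, never from the request.
function is_logged_in(array $session): bool
{
    return ($session['logged_in'] ?? false) === true;
}

// The flag is written in exactly one place, after the password has been verified.
function log_in(array &$session, string $user, string $password, array $users): bool
{
    $hash = $users[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    $session['logged_in'] = true;
    $session['user'] = $user;
    return true;
}

// Constructed inputs: the query string from the URL in the post, an empty
// session for a visitor who never logged in, and one sample account.
parse_str('LOGGED_IN=TRUE', $query);
$session = [];
$users = ['kevin' => password_hash('constructed-password', PASSWORD_DEFAULT)];

printf("legacy check, spoofed URL, no login:   %s\n",
    var_export(is_logged_in_legacy($query, $session), true));
printf("session check, spoofed URL, no login:  %s\n",
    var_export(is_logged_in($session), true));

log_in($session, 'kevin', 'constructed-password', $users);
printf("session check after a verified login:  %s\n",
    var_export(is_logged_in($session), true));
```

In a real page the session array is $_SESSION after session_start(), and calling session_regenerate_id(true) at login keeps a pre-login session ID from being reused.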