PHP 4.1.0
Looks like they finally fixed PHP like I had it worked out in my head. In the new 4.1.0 version they added an option so CGI/form variables are not automatically created as PHP variables. In the example below it would be really easy to hack this script: just pass in authenticated as a CGI variable.
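<?php
// $authenticated is never initialized, so when form variables are created
// automatically, a request variable with the same name sets it.
if (authenticate_user()) {
    $authenticated = true;
}
...
?>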
With the new version, the form variables get put in their own arrays, which you have to read from yourself. In this example that would be $_GET['authenticated']. So you have to explicitly call the variable now, which should make it more secure.
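The difference described above, side by side, as an added example that is not code from the original post. It is written for current PHP, so extract() stands in for the automatic variable creation; the body of authenticate_user(), the two check_* function names and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not from the original post.

// Hypothetical stand-in for the post's authenticate_user(): accepts one
// constructed password and rejects everything else.
function authenticate_user(array $request): bool
{
    $given = (string) ($request['password'] ?? '');
    return hash_equals('constructed-demo-password', $given);
}

// Old behaviour: every request variable becomes a local variable first.
function check_with_auto_variables(array $request): bool
{
    extract($request); // simulates automatic creation of variables from the request
    if (authenticate_user($request)) {
        $authenticated = true;
    }
    // $authenticated may already have been set by the request itself.
    return !empty($authenticated);
}

// New behaviour: request data stays in its own array and the flag starts false.
function check_with_explicit_arrays(array $get): bool
{
    $authenticated = false;
    if (authenticate_user($get)) {
        $authenticated = true;
    }
    return $authenticated;
}

// Constructed sample requests (what $_GET would hold).
$samples = [
    'valid login'         => ['password' => 'constructed-demo-password'],
    'wrong password'      => ['password' => 'nope'],
    'flag in the request' => ['password' => 'nope', 'authenticated' => '1'],
];

foreach ($samples as $label => $get) {
    printf("%-20s auto=%s explicit=%s\n", $label,
        var_export(check_with_auto_variables($get), true),
        var_export(check_with_explicit_arrays($get), true));
}
```

Initializing $authenticated to false before the check is what closes the hole; keeping request data in $_GET only guarantees that nothing else sets the flag first.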