Rick Brewster made this comment on my previous post about the Inconsistent FileDialogs.
So I decided to fire up his solution:
I created an empty WPF project with a Window called ‘Main’ and the following code (the using directives for System.Windows and Microsoft.Win32 are assumed):

    /// Interaction logic for Main.xaml
    public partial class Main : Window
    {
        // Microsoft.Win32.OpenFileDialog; call myOpenFileDialog.ShowDialog() to show it
        OpenFileDialog myOpenFileDialog = new OpenFileDialog();
        public Main() { InitializeComponent(); }
    }
This opens the ‘old’ style FileDialog, with the outdated icons.
To resolve this, add a manifest to your project.
The manifest should be named NameOfYourStartUpProject.exe.manifest (as pointed out above). It is a text file containing the following code:
Change the name on the 5th line to the name of your project!
Now go to the project properties and point to the manifest.
Now compile, and test if you see the new type icons 🙂
Some people do this in their code to check whether the user is logged in (session_start() added here so $_SESSION is populated; the missing braces and the original lack of exit() are kept, because that is the bug this post is about):

    <?php
    session_start();
    if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] == false) {
        header(sprintf("Location: http://%s/login.php", $_SERVER['SERVER_NAME']));
        // no exit here: execution continues into the protected code below
    }
    // Handle POST input for CMS
    // display the rest of the page
You get the point.
This is NOT as secure as you might think. You are relying on the user’s browser to honour the Location header and leave the page.
A client that ignores the redirect simply reads the rest of the response, which is your protected page.
I’ve got this concept code:
Then open a telnet connection to that particular page; for this example it is index.php on localhost:
- Open cmd
- telnet to localhost
- Set the parameter
- Press Control + ]
- Hit enter
- Send the HTTP request: GET / HTTP/1.1
- Hit enter
- Hit enter twice
You’ll see the following result:
HTTP/1.1 302 Redirect
Content-Type: text/html; charset=UTF-8
Set-Cookie: ZDEDebuggerPresent=php,phtml,php3; path=/
Date: Tue, 14 Apr 2009 20:19:22 GMT

Object Moved
This document may be found here
Secure stuff

Connection to host lost.
As you can see, the ‘Secure stuff’ sentence is still printed. Here it is only one line, but if the script renders a whole page after the header() call, that entire page is sent to the unauthenticated client, and a hacker can exploit that.
So what can you do?
- Add a die() after the header
- Put the rest of the page in the else block
- Check whether the user is logged in inside each POST handler that touches secure stuff.
The last one is a little harder, since you have to repeat the check in every if statement. I’d go with the first, but the second is just as good. If you use the last one, remember that the hacker can still see the whole page, which might give him sensitive information.
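The hardened version of the check, as an added example that is not code from the original post: the session key ‘loggedIn’ and the login.php redirect are taken from the post, while the requireLogin() function name is my own. Wrapping the check in a function covers options 1 and 3 at once: calling it at the top of the script ends the response right after the header, and the same call can be repeated at the start of any POST handler that needs it.

```php
<?php
// Added example: a login guard that a client cannot bypass by ignoring the
// Location header. Session key and redirect target follow the post;
// requireLogin() is an assumed name, not from the original.
declare(strict_types=1);

session_start();

function requireLogin(): void
{
    // empty() is true both when the key is unset and when it is false,
    // which is exactly the condition the original if statement tested.
    if (empty($_SESSION['loggedIn'])) {
        header(sprintf('Location: http://%s/login.php', $_SERVER['SERVER_NAME']), true, 302);
        // The essential line: stop the script here so nothing below is ever
        // written to the response. A client that ignores the redirect now
        // receives headers and an empty body, nothing else.
        exit;
    }
}

requireLogin();

// Everything from here on runs only for an authenticated session.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    requireLogin(); // option 3: cheap to repeat in front of each POST handler
    // Handle POST input for CMS
}

echo 'Secure stuff';
```

Repeating the telnet request from above against this version shows the 302 status and headers but no ‘Secure stuff’ line, because exit ends output before the protected markup is reached.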