Posted by Jerry Stuckle on 12/06/06 04:57

Sanders Kaufman wrote:
> Jerry Stuckle wrote:
 >
 >> Sanders Kaufman wrote:
 >
 >
 >>> If not - then the whole security issue is resolved by using $_GET and
 >>> $_POST correctly, right?
 >>
 >>
 >> Yes, you can use $_GET and $_POST (and $_SESSION).  And if you leave
 >> register_globals off, then you *must* use them.  Less chance for error.
 >
 >
 > So - as long as I explicitly reference $_SESSION[] when continuing a
 > session, I'm not subject to the security vulnerabilities of
 > register_globals, right?
 >
 
True - but ANY misstep can be disastrous.  The problem is,

$i = $MyVar;

doesn't cause an error if $MyVar hasn't been explicitly assigned a value
in your code, but it is in the $_SESSION, $_POST, $_GET or $_COOKIES
(forgot the last one) array.  That's very dangerous.
 
 > One more thing - on the session token.
 > I notice that PHP puts it in the query string.
 > Is it possible to force that into a cookie?
 >
 > I know this will mess with folks who turn cookies off, but I'm
 > accounting for that elsehow.
 
 PHP can put it in a cookie if the user has cookies enabled.  This is
 controlled by the session.use_cookies and session.use_only_cookie in
 your php.ini file.
 
 --
 ==================
 Remove the "x" from my email address
 Jerry Stuckle
 JDS Computer Training Corp.
 jstucklex@attglobal.net
 ==================
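The two points Jerry makes above (an unassigned variable silently taking its value from the request under register_globals, and moving the session id out of the query string into a cookie) in one runnable script. This is an added example, not code from the original thread. register_globals itself was removed in PHP 5.4, so the example reproduces its effect with extract() on a constructed $_GET array; the function names legacyIsAuthorized and isAuthorized and the "authorized" key are invented for the illustration.

```php
<?php
declare(strict_types=1);

// --- Session id in a cookie, not the URL ----------------------------------
// Must run before session_start() and before any output. These are the
// php.ini directives from the post; ini_set() is used here so the script
// is self-contained.
ini_set('session.use_cookies', '1');       // send the session id as a cookie
ini_set('session.use_only_cookies', '1');  // never read the id from the query string
ini_set('session.use_trans_sid', '0');     // never rewrite PHPSESSID into links/forms
session_start();

// --- Constructed request: attacker appends ?authorized=1 to the URL --------
$_GET = ['authorized' => '1'];

// --- Before: register_globals-style code ---------------------------------
// register_globals turned every request key into a global variable.
// extract() reproduces that behaviour for the demonstration.
function legacyIsAuthorized(array $request): bool
{
    extract($request);
    // Intended design: $authorized is only ever set by a login routine.
    // Nothing in this function assigns it, so, exactly as the post warns,
    // the request supplies it and PHP raises no error. The attacker's
    // ?authorized=1 passes this check.
    return !empty($authorized);
}

// --- After: explicit superglobals ----------------------------------------
// Authorization state is read only from $_SESSION, which the client cannot
// write to. Request parameters are read only from $_GET / $_POST where the
// code actually expects user input.
function isAuthorized(): bool
{
    return isset($_SESSION['authorized']) && $_SESSION['authorized'] === true;
}

// Hypothetical login routine: the only place the flag is ever set.
function login(string $user, string $password): void
{
    // Constructed credentials for the example; real code checks a password hash.
    if ($user === 'alice' && $password === 'correct horse') {
        session_regenerate_id(true);     // new id after privilege change
        $_SESSION['authorized'] = true;
    }
}

header('Content-Type: text/plain');
echo 'legacy check, no login:   ', var_export(legacyIsAuthorized($_GET), true), PHP_EOL;
echo 'explicit check, no login: ', var_export(isAuthorized(), true), PHP_EOL;
login('alice', 'correct horse');
echo 'explicit check, logged in: ', var_export(isAuthorized(), true), PHP_EOL;
```

With no login performed, the legacy check is satisfied purely by the query string, while the explicit $_SESSION check is not; only after login() sets the flag server-side does isAuthorized() succeed. The same script also shows that with session.use_only_cookies on, a PHPSESSID appended to the URL is ignored, so the session id travels only in the cookie header.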