Posted by Josip Dzolonga on 10/21/58 11:16
On Sun, 2005-05-08 at 23:16 +0200, Andy Pieters wrote:
> Notes:
> * just because it comes from SESSION doesn't mean that it cannot be spoofed.
> That's why you should escape uname before including it in a query.
Is there something I do not know? :) As far as I know, it can be
spoofed only if you have access to session data, which is held on the
server-side, so only someone with server access can spoof. Any other way
of doing it?
Josip Dzolonga
http://josip.dotgeek.org