Posted by Jerry Stuckle on 04/13/07 12:27
Baeribeeri wrote:
> On 11 Apr., 14:49, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>
>> First of all, don't use session_register(). It's not needed. Just use
>> the $_SESSION array.
>>
>> Then ensure you aren't accidentally changing $_SESSION['bilder'] or
>> $bilder. It's easy to do with $register_globals on. IOW, is the code
>> you showed all the code, or just an excerpt?
>>
>> And if this is a shared host, I would change hosting companies. The
>> security warnings have been out there for years - and I wouldn't trust
>> anyone who hasn't learned by now the potential problems it causes.
>
> Yes, it is an excerpt. The complete code of the php file is more than
> 500 lines long. And, yes, I changed some values of the array bilder[].
> I have to do this, because in the first step, the customer uploads the
> photos and in the second step the customer chooses the format and the
> number of copies, the material and so on.
>
> But I found a workaround, that looks much better for me. I only use
> the session to transport a session id. All contents of the variables
> are stored in a MySQL database table, which will be deleted after the
> complete order. Stuck orders will be deleted automatically after two
> days with a cron job script.
>
That's one way to do it.
> BTW, my webhoster is the number two in size in Germany.
>
That doesn't mean they know anything about security. I've seen some
pretty big hosting companies who got that way only because they were
cheap. And these usually have the cheapest tech support people (i.e.
the least knowledgeable - or the least caring).
No way would I ever stay with someone who has register_globals on, no
matter how big/rich/whatever they are. It shows a definite lack of
technical competence and/or a lack of caring about security.
> But thanks for your help. Enjoy the spring weather (in Germany it is
> really wonderful at the moment.)
>
> Hartmut Jäger (www.jaeger-edv-service.de)
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
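The two pieces of advice in this thread, taken together, as an added PHP example (not code from either poster): refuse to run on a host that still has register_globals enabled, keep only an identifier in $_SESSION instead of the whole bilder[] array, and hold the order state in a MySQL table that is cleared when the order completes and purged by a cron job after two days. The DSN, credentials, table name (pending_order_photos) and column names are assumptions.

```php
<?php
// Added example, not the thread's code. Table, column and DSN values are assumed.
declare(strict_types=1);

// With register_globals on, every request parameter becomes a global variable,
// so a local such as $bilder can be pre-set by the client before the script
// touches it. Fail closed rather than run on such a host.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals is enabled; refusing to process orders.');
}

session_start();

// Use $_SESSION directly; session_register() is not needed.
// Only an opaque order token lives in the session. (Assumption: a random
// token separate from the PHP session id, so the key can survive
// session_regenerate_id() without renaming database rows.)
if (empty($_SESSION['order_id'])) {
    $_SESSION['order_id'] = bin2hex(random_bytes(16));
}
$orderId = $_SESSION['order_id'];

// Assumed connection details.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// Step 1: the customer uploads photos. Each photo becomes a row keyed by the
// order token instead of an element of a session-held $bilder array.
function addPhoto(PDO $pdo, string $orderId, string $storedFilename): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO pending_order_photos (order_id, filename, copies, updated_at)
         VALUES (:order_id, :filename, 1, NOW())'
    );
    $stmt->execute([':order_id' => $orderId, ':filename' => $storedFilename]);
    return (int) $pdo->lastInsertId();
}

// Step 2: the customer picks format, number of copies and material.
// The WHERE clause also matches order_id, so a photo id from another
// customer's order cannot be modified through this session.
function setPhotoOptions(PDO $pdo, string $orderId, int $photoId,
                         string $format, int $copies, string $material): bool
{
    if ($copies < 1 || $copies > 999) {
        throw new InvalidArgumentException('copies out of range');
    }
    $stmt = $pdo->prepare(
        'UPDATE pending_order_photos
            SET format = :format, copies = :copies, material = :material, updated_at = NOW()
          WHERE id = :id AND order_id = :order_id'
    );
    $stmt->execute([
        ':format'   => $format,
        ':copies'   => $copies,
        ':material' => $material,
        ':id'       => $photoId,
        ':order_id' => $orderId,
    ]);
    return $stmt->rowCount() === 1;
}

// Final step: the order is complete, so its working rows are deleted and the
// token is dropped from the session.
function completeOrder(PDO $pdo, string $orderId): void
{
    $stmt = $pdo->prepare('DELETE FROM pending_order_photos WHERE order_id = :order_id');
    $stmt->execute([':order_id' => $orderId]);
    unset($_SESSION['order_id']);
}

// Cron job: remove orders that have been stuck for more than two days.
// Returns the number of rows purged.
function purgeStaleOrders(PDO $pdo): int
{
    $stmt = $pdo->prepare(
        'DELETE FROM pending_order_photos WHERE updated_at < NOW() - INTERVAL 2 DAY'
    );
    $stmt->execute();
    return $stmt->rowCount();
}

// Example flow for one request (constructed):
$photoId = addPhoto($pdo, $orderId, 'uploads/photo-0001.jpg');
setPhotoOptions($pdo, $orderId, $photoId, '10x15', 3, 'glossy');
```

Every query binds its parameters through PDO prepared statements, and every per-photo query is scoped by order_id, which is the check that keeps one customer's session from reaching another customer's pending rows. purgeStaleOrders() is the body of the two-day cron job; it should run from a separate script with no session at all.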