Posted by Jerry Stuckle on 09/22/07 13:57

pepper.gabriela@gmail.com wrote:
> On 18 Set, 02:58, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>
>> And a hacker couldn't register and get a session active? Quite easy.
>>
>
>
>
> I don't know!
> Could an hacker control the value of a specified session variable? I
> hope not! :-)
> How does the hacker know the name of a session variable and its right
> value?
>
> I define:
>
> $_SESSION[$username][$randomValue] = $fixedValue;
> How could the hacker infer:
> - the name of the user;
> - the random number (previously generated and only active when logged
> in);
> - the fixed value for test;
>
>
>

I didn't say the hacker could change the value of a session variable.
But that's not what your problem is.

What I'm referring to is someone hacker registering on your site. Then
at a later time, once he's been authorized, he hacks your site and
starts spamming. But the time you catch him, you've been shut off
because you're a spam relay.

The bottom line here is - NEVER, NEVER, EVER trust data from the user.
Always validate it server side. And always watch for hack attempts.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]