Posted by Sebastian Lisken on 01/18/08 16:05
Thanks a lot for your response. I have a few questions/remarks ...
R. Rajesh Jeba Anbiah <ng4rrjanbiah@rediffmail.com> wrote:
> 1. mysql_real_escape_string() is again broken. Use prepared statements
That sounds like something I should look into. Could you explain or
point to some source on the web? I'd want to know in what sense it is
broken, and although I glanced over PREPARE in the MySQL manual I can't
yet see how that would resolve things. PREPARE seems to be SQL (unless
you are referring to http://www.php.net/pdo-prepare) so I would still
be wondering how to get my string from PHP over to SQL.
> 2. Disable trans sid--always use cookie-based sessions
Yes. I'm not relying on trans sid anyway (there's a lengthy dispute
about that in this thread) but using "manual" insertion of SID to get
the same behaviour. As it happens, the option is off on the server. I
think the message is not about use_trans_sid versus SID, it's independent
of that and more fundamental: require cookies, don't let session IDs
show up in URLs. I agree in principle. Whether it needs to be put into
practice for this site is a matter I need to discuss with my client. They
will need to balance security with compatibility.
> 3. Possibly use DB based session handler
The security requirements are probably not high enough for that (and the
budget not available), but it's something I'll keep in mind.
> 4. Some versions of PHP have XSS issues with $_SERVER['PHP_SELF']. So,
> use $_SERVER['SCRIPT_NAME']
When I did my research I realised I couldn't trust PHP_SELF, so I'm
always escaping it (using htmlentities in the most frequent application,
where PHP_SELF is used for a href value possibly followed by URL
parameters). Using SCRIPT_NAME would be another solution, I agree.
> 5. Session Ids can be "fixed". So, if you're concerned use DB based
> sessions and use session_regenerate_id()
I am introducing session_regenerate_id.
Sebastian
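The hardened form of the points discussed in this exchange, as an added example written for this page rather than code from either poster; the `$pdo` connection, the `users` table and the `loginUser`/`findUser`/`formAction` names are assumptions for illustration:

```php
<?php
// Added example (not from the thread): hardened versions of the points above.
// $pdo, the "users" table and the function names are assumptions.
declare(strict_types=1);

// 2. Cookie-only sessions: no SID in URLs, no trans_sid URL rewriting,
//    and the cookie is not readable from script.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
session_start();

// 5. Session fixation: issue a fresh ID once the user authenticates and
//    delete the old one, so an ID planted before login stops being valid.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// 1. Prepared statement: the value is sent as a bound parameter and is never
//    spliced into the SQL text, so no escaping function is involved at all.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. Self-referencing form action: SCRIPT_NAME is derived by the server,
//    whereas PHP_SELF can include request-controlled PATH_INFO. Either way,
//    escape before writing it into an attribute.
function formAction(): string
{
    return htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
}

echo '<form method="post" action="', formAction(), '">';
```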