|
Posted by Richard Lynch on 05/09/05 03:52
On Sun, May 8, 2005 3:20 pm, Josip Dzolonga said:
> On нед, 2005-05-08 at 23:16 +0200, Andy Pieters wrote:
>> Notes:
>> * just because it comes from SESSION doesn't mean that it cannot be
>> spoofed.
>> That's why you should escape uname before including it in a query.
>
> Is there something I do not know ? :). As far as I know, it can be
> spoofed only if you have access to session data, which is held on the
> server-side, so only someone with server access can spoof. Any other way
> of doing it ?
Are you on a shared server?
Then your session data is open to the other 199 clients on that server...
If you are *NOT* on a shared server, and if you are 100% confident that
nobody will ever compromise your server, and make your $_SESSION data a
priority to hack, well then, you're "safe"...
How much effort does it take to scrub your $_SESSION data, though?
What are you storing in there?
How "Bad" will it be if a Bad Guy breaks in and snarfs it?
Only you can answer these for a dedicated server/application.
Not scrubbing $_SESSION on a shared server... That's just wrong, IMHO.
--
Like Music?
http://l-i-e.com/artists.htm
[Back to original message]
|