On Sun, May 8, 2005 3:20 pm, Josip Dzolonga said: > On нед, 2005-05-08 at 23:16 +0200, Andy Pieters wrote: >> Notes: >> * just because it comes from SESSION doesn't mean that it cannot be >> spoofed. >> That's why you should escape uname before including it in a query. > > Is there something I do not know ? :). As far as I know, it can be > spoofed only if you have access to session data, which is held on the > server-side, so only someone with server access can spoof. Any other way > of doing it ? Are you on a shared server? Then your session data is open to the other 199 clients on that server... If you are *NOT* on a shared server, and if you are 100% confident that nobody will ever compromise your server, and make your $_SESSION data a priority to hack, well then, you're "safe"... How much effort does it take to scrub your $_SESSION data, though? What are you storing in there? How "Bad" will it be if a Bad Guy breaks in and snarfs it? Only you can answer these for a dedicated server/application. Not scrubbing $_SESSION on a shared server... That's just wrong, IMHO. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
