If you base your actions on data from a cookie then you have a security hole.
Let's say that you want to let a user edit his/her details and you know who the user
is from a cookie you put on his computer. Now you assume that $user (just an example)
has the value you put there, right? WRONG!!!!
If I go to the URL and do http://www.MyDomain.com/MyScript.php3?user=berber
then $user will have the value berber, and if I do:
http://www.MyDomain.com/MyScript.php3?user=joe
then $user will have the value joe, which means that if you have a user
joe then I can see and edit his details.
What can you do?
Well, two things:
1. The simplest thing to do is check the URI:
    $URI = getenv("REQUEST_URI");
    if (strstr($URI, "user")) {
        echo "This data is not coming from a cookie";
        exit();
    }
2. The more complex but cleaner way of doing this is by using $HTTP_COOKIE_VARS["user"],
but in order for the various $HTTP_*_VARS[] arrays to exist, you need to turn
on track_vars. You can also turn track_vars on for a specific script by adding
<?php_track_vars?> as the FIRST line of your script.
berber
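The problem described in the post, as an added example that is not berber's code: the script below simulates three requests from the PHP command line (no web server needed) and resolves the user id two ways, once through a global namespace that emulates the old register_globals behaviour and once by reading only the cookie array. The request arrays and the merge order inside resolve_user_legacy are assumptions made for the demonstration; on a real PHP 3/4 server the order came from gpc_order / variables_order.

```php
<?php
// Added example, not code from berber's post. It shows why the user id must
// be read from the cookie array rather than from a global such as $user.

// Legacy lookup: emulates register_globals, where GET, POST and cookie values
// all land in one global namespace. Applying the query string last (so it
// overrides the cookie, as the post describes) is an assumption for the demo;
// the real order came from gpc_order / variables_order, which the script
// itself could never rely on.
function resolve_user_legacy($get, $cookie)
{
    $globals = array_merge($cookie, $get);   // later array wins
    return isset($globals['user']) ? $globals['user'] : null;
}

// Fixed lookup: read only the cookie array. In PHP >= 4.1 that is $_COOKIE;
// in PHP 3/4 with track_vars on it is $HTTP_COOKIE_VARS, as the post says.
function resolve_user_from_cookie($cookie)
{
    return isset($cookie['user']) ? $cookie['user'] : null;
}

// Constructed requests; these arrays stand in for $_GET and $_COOKIE.
$requests = array(
    'legitimate: cookie user=berber, plain URL' => array(
        'get' => array(), 'cookie' => array('user' => 'berber')),
    'forged: no cookie at all, URL ?user=joe' => array(
        'get' => array('user' => 'joe'), 'cookie' => array()),
    'forged: cookie user=berber, URL ?user=joe' => array(
        'get' => array('user' => 'joe'), 'cookie' => array('user' => 'berber')),
);

foreach ($requests as $label => $r) {
    $legacy = resolve_user_legacy($r['get'], $r['cookie']);
    $fixed  = resolve_user_from_cookie($r['cookie']);
    printf("%-45s legacy \$user=%-8s cookie-only=%s\n",
        $label, var_export($legacy, true), var_export($fixed, true));
}
```

Under the legacy lookup both forged requests resolve to joe, so an edit page keyed on $user would open joe's details to whoever typed the URL. Under the cookie-only lookup the second request resolves to nothing (the page can refuse it) and the third still resolves to berber, because the query string is never consulted. Note what this does and does not fix: it closes the query-string route, but the cookie is still sent by the client, so the value in it should be something the server can verify against its own records rather than a bare username; that is the point the reply below raises.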
tr909 drummachine wrote:
yes, but maybe store a MD5($password) too in the
cookie and then check it in those edit-pages against the
database.