--- Ken Nagorski <[EMAIL PROTECTED]> wrote:

> I have never used cookies before, however I am trying to
> implement them to make things a little more secure. Rather
> than passing a sql statement via a hidden input tag I am
> setting a cookie.

I think someone else already mentioned this, but let me emphasize
that this is a terrible idea and definitely does not make things a
little more secure.

The best analogy I can think of for a cookie would be handing out
name tags to people who visit your site. Imagine that you write the
following SQL on someone's name tag:

select * from foo where unique_id='12345'

This helps you distinguish them from the next person who may have a
unique identifier of 23456. While this might work for those who play
by the rules, you are placing a tremendous amount of trust in these
people. What if someone erased what you wrote on their name tag,
replacing it with this:

delete from foo

If you were to trust this person's name tag the next time you saw
them, you would delete all of the data from that table.

In addition to this, hidden form variables are just as bad. It is a
different method, but you are still basically sending something to
the client and just trusting the client to return exactly what you
sent. Placing so much trust in the client is never a good idea.

I would recommend abandoning these methods for anything that you, as
you say, are wanting to make more secure. Look into using sessions
instead. When you use sessions, the only sensitive data you trust the
client to return to you is PHPSESSID. While there are some dangers
associated with this trust, it is a more tolerable risk. When you set
a session variable, it is kept safely on the server, so it is at
least much less convenient for an attacker to alter this data,
because only you can do that.

I hope this helps you get started down the right path. There are
methods you can use to further mitigate the risk of trusting the
client's PHPSESSID, but that can be discussed later.

Chris
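
The contrast Chris describes, written out as an added PHP example (this is not code from the original thread): the first function executes whatever SQL the client hands back in a cookie, the second keeps the user's id in `$_SESSION` and runs a fixed, parameterised query. The table `foo` with columns `unique_id` and `name`, the cookie key `query`, and the use of SQLite through PDO are all assumptions made for the demo; the page only names the table and the `unique_id` column.

```php
<?php
// Added example, not Chris's code. Contrasts trusting client-supplied SQL
// (cookie or hidden input) with a server-side session holding only an id.
// Runs stand-alone with PHP's PDO SQLite driver: `php cookie_vs_session.php`.

declare(strict_types=1);

// Constructed sample database: an in-memory SQLite table named "foo".
function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE foo (unique_id TEXT PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO foo VALUES ('12345', 'alice'), ('23456', 'bob')");
    return $db;
}

// The pattern from the original post: the SQL statement itself travels to the
// client (as a cookie or hidden input) and is executed when it comes back.
// Whoever edits the cookie decides what runs, exactly like the rewritten name tag.
function lookupTrustingClient(PDO $db, array $cookie): array
{
    $sql = $cookie['query'] ?? '';   // "query" is an assumed cookie name
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Session-based alternative: the client only returns PHPSESSID. The unique_id
// lives server-side in $_SESSION, and the SQL is fixed and parameterised, so a
// session value can only ever be compared as a literal, never executed.
function lookupWithSession(PDO $db, array $session): array
{
    if (!isset($session['unique_id'])) {
        return [];                   // no identity established for this session
    }
    $stmt = $db->prepare('SELECT * FROM foo WHERE unique_id = :id');
    $stmt->execute([':id' => $session['unique_id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM foo')->fetchColumn();
}

// --- Demonstration with constructed inputs -------------------------------

$db = buildSampleDb();

// A client that plays by the rules returns the query it was given.
print_r(lookupTrustingClient($db, ['query' => "select * from foo where unique_id='12345'"]));

// A client that rewrote its "name tag": the server obligingly empties the table.
lookupTrustingClient($db, ['query' => 'delete from foo']);
echo "rows left after trusting the cookie: " . rowCount($db) . "\n";   // 0

// Same lookup through a session on a fresh database. In a real request
// session_start() reads or sets the PHPSESSID cookie; the id never leaves the server.
$db = buildSampleDb();
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
print_r(lookupWithSession($db, $_SESSION));       // [] : nothing set yet
$_SESSION['unique_id'] = '12345';                 // set server-side at login
print_r(lookupWithSession($db, $_SESSION));       // alice's row
echo "rows left using the session: " . rowCount($db) . "\n";            // 2
```

The second half shows why the session route is "a more tolerable risk": the only thing the browser can tamper with is PHPSESSID, and the worst a guessed or stolen id buys is another user's stored `unique_id`, which the prepared statement still treats as data rather than as SQL.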

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php