--- Ken Nagorski <[EMAIL PROTECTED]> wrote:

> I have never used cookies before, however I am trying to
> implement them to make things a little more secure. Rather
> than passing a sql statement via a hidden input tag I am
> setting a cookie.

I think someone else already mentioned this, but let me emphasize
that this is a terrible idea and definitely does not make things a
little more secure.

The best analogy I can think of for a cookie would be handing out
name tags to people who visit your site. Imagine that you write the
following SQL on someone's name tag:

select * from foo where unique_id='12345'

This helps you distinguish them from the next person who may have a
unique identifier of 23456. While this might work for those who play
by the rules, you are placing a tremendous amount of trust in these
people. What if someone erased what you wrote on their name tag,
replacing it with this:

delete from foo

If you were to trust this person's name tag the next time you saw
them, you would delete all of the data from that table.

In addition to this, hidden form variables are just as bad. It is a
different method, but you are still basically sending something to
the client and just trusting the client to return exactly what you
sent. Placing so much trust in the client is never a good idea.

I would recommend abandoning these methods for anything that you, as
you say, are wanting to make more secure. Look into using sessions
instead. When you use sessions, the only sensitive data you trust the
client to return to you is PHPSESSID. While there are some dangers
associated with this trust, it is a more tolerable risk. When you set
a session variable, it is kept safely on the server, so it is at
least much less convenient for an attacker to alter this data,
because only you can do that.

I hope this helps you get started down the right path. There are
methods you can use to further mitigate the risk of trusting the
client's PHPSESSID, but that can be discussed later.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to