on 28/11/02 9:22 AM, Evan Nemerson ([EMAIL PROTECTED]) wrote:

> I'm not worried about them using the query string for malicious purposes- I
> have register_globals off... I'm worried about someone messing with their
> cookie and sedding authorized to true- that _will_ change my $_SESSION
> variable, unless I can find some way to ignore cookies, which brings us back
> to my original question- how do i ignore all client input, _especially_
> cookies???

Turn register globals off (as you have).  Then NEVER pull any data out of
the $_COOKIES array, and you're now "ignoring" cookies :)  Perhaps a further
step is to call something like unset($_COOKIES) at the top of every
script... but I'm not sure how unset() works with the super global arrays.

Justin French
Web Development & 
Graphic Design

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to