On Friday 17 March 2006 15:10, Kevin Davies - Bonhurst Consulting wrote:
> I just picked up this thread, so excuse me if I'm repeating or have totally
> missed the point.
>
> Another concern I picked up from a PHP security book is using '--' - which
> simply comments out the remainder of the line (
http://www.virtuawebtech.co.uk
-Original Message-
From: tedd [mailto:[EMAIL PROTECTED]
Sent: 17 March 2006 14:30
To: php-general@lists.php.net; Rafael
Subject: Re: [PHP] Re: setcookie security concerns [medium]
Rafael:
>>>$thestyle= htmlentities($_POST['thestyle']);
>>set
(Comments inline)
tedd wrote:
[···]
From what I've read (PHP Cookbook by Sklar and other sources) the
reason why you don't want to use $_REQUEST is because it holds all the
variables from six global arrays, namely $_GET, $_POST, $_FILES,
$_COOKIE, $_SERVER, and $_ENV.
Actually, the
ass = '$pass'
Obviously restricting/validating form input entry would avoid this issue.
HTH,
Kevin
-Original Message-
From: tedd [mailto:[EMAIL PROTECTED]
Sent: 17 March 2006 14:49
To: php-general@lists.php.net; Rafael
Subject: Re: [PHP] Re: setcookie security concerns [medium]
Rafael wrote:
A typical example would be a login script that uses the data
as it arrives, for example:
$login = $_POST['login'];
$passw = $_POST['passw'];
$sql = "SELECT * FROM user\n"
."WHERE( login = '$login' AND passw = '$passw' )";
In this case, what happens if I send so
Rafael wrote:
Actually, you receive $set via GET, so you should use $_GET
instead of $_POST. A lot of people use $_REQUEST (which is a
combination of $_POST, $_GET and $_COOKIE -check the manual), but I
read somewhere that this isn't a good practice, though I don't
recall why :p
From what
Rafael:
Actually, you receive $set via GET, so you should use $_GET
instead of $_POST.
Yes, you are correct.
In my example --
http://www.sperling.com/examples/styleswitch/
-- the value doesn't look like it is being added to the url and thus
I mistakenly thought it was a POST. I wonder
(Comments inline)
tedd wrote:
[···]
One last question, considering the above code, would the following code
be a suitable replacement?
Actually, you receive $set via GET, so you should use $_GET instead of
$_POST. A lot of people use $_REQUEST (which is a combination of $_POST,
$
Rafael:
You said:
In spite of all this, I would really recommend you not to rely
on register_globals=On, since: it's not a good idea, it's actually
deprecated (someday it will be removed) and makes your code a little
bit more confused, since it's not clear where those variables come
from.
As far as I see... I can't see any risk. Cookies are saved in the
client machine (i.e. the one visiting your site), so any code he might
send will be used with him only, and it will not affect other users nor
the scripts in the (remote) server.
Now, you're not using the input value in anyth
cookies work just fine with NS4x.
Here's one I use:
setcookie ("LastVisit", time(), time()+7776000);
Chad Day wrote:
This is with PHP 4.2 and register_globals off.
I am setting cookies and starting a session in the following fashion:
setcookie("EMAILADDR", $row[EMAIL], time()+2592000, '/', ".
>Can anyone tell me why the following setcookie()s fail?
>$expDate = mktime(12, 50, 30, 6, 20, 2010);
>setcookie("tzusercookie", $uid, $expDate);
>setcookie("tzpasscookie", $password, $expDate);
Among other stupidities, some versions of IE require that you provide *both*
date and directory, or *
If the different applications are on the same domain/ip you should use this:
("myCookie","$cookie_value",$timeToExpire);
note the missing parameter at the end
--
JJ Harrison
[EMAIL PROTECTED]
www.tececo.com
"Gaylen Fraley" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PRO
Hi David,
Your question has seen much debate in this newsgroup. I had much the same
problem and solved it by writing the following function:
/**
* wrapper for header( "Location: url" )
*/
function redirect( $url, $showMoved=false ) {
// set refresh to target $url
header( "Refresh: 0; url=$
5:14 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Re: setcookie problem: Cannot add header information -
headers already sent by
I don't think you can have an empty line (even in the php) before cookies
are set
"Frank Ramsay" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Cookies have to be set before the block begins.
>
> -fjr
>
> Bob wrote:
>
> > here is the example:
it in
my code.
Bob: after the page bombs-out with error message, do a view source on the
displayed web-page
-Original Message-
From: Frank Ramsay [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 7:17 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Re: setcookie problem: Cannot add h
Cookies have to be set before the block begins.
-fjr
Bob wrote:
> here is the example:
>
> // Beginning php
>
> // Saving the page header in the variable $head.
> $head = <<
>
>
> Feedback form
>
>
>
> Feedback form
> ENDH;
> // End of page header
>
> //
On Sun, 2002-01-06 at 16:01, Tyler Longren wrote:
> I have checked the manual. A few times actually.
>
> I have setcookie("usename", "$username");
> Will that cookie never expire? Or will it expire at the end of the browsing
> session? I couldn't find any details on that in the manual.
>
> Ty
---
From: "George Nicolae" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, January 06, 2002 2:03 PM
Subject: [PHP] Re: setcookie()
> man first of all look in the manual. there it is very clear...
>
> http://www.php.net/manual/en/function.setcookie.php
man first of all look in the manual. there it is very clear...
http://www.php.net/manual/en/function.setcookie.php
--
Best regards,
George Nicolae
IT Manager
___
X-Playin - Professional Web Design
www.x-playin.f2s.com
"Tyler Longren" <[EMAIL PROTECTED]> wrote in message
0009
Kris Wilkinson wrote:
> Just recently I've noticed an issue with setcookie. My scripts which
> normally ran :
>
> setcookie ("myCookie","Blah","time()+7201");
>
> Are killing the cookie immediately after you close the browser window, or
> access another https:// site. It appears as though the li