Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread tedd
Rafael: <?php $thestyle= htmlentities($_POST['thestyle']); setcookie ('thestyle', $set, time()+31536000, '/', '', 0); header("Location: $HTTP_REFERER"); ?> Actually, you receive $set via GET, so you should use $_GET instead of $_POST. Yes, you are correct. In my example --

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread tedd
Rafael wrote: Actually, you receive $set via GET, so you should use $_GET instead of $_POST. A lot of people use $_REQUEST (which is a combination of $_POST, $_GET and $_COOKIE -check the manual), but I read somewhere that this isn't a good practice, though I don't recall why :p From what

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread tedd
Rafael wrote: A typical example would be a login script that uses the data as it arrives, for example: $login = $_POST['login']; $passw = $_POST['passw']; $sql = "SELECT * FROM user\n" ."WHERE( login = '$login' AND passw = '$passw' );" In this case, what happens if I send

RE: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread Kevin Davies - Bonhurst Consulting
this issue. HTH, Kevin -Original Message- From: tedd [mailto:[EMAIL PROTECTED] Sent: 17 March 2006 14:49 To: php-general@lists.php.net; Rafael Subject: Re: [PHP] Re: setcookie security concerns [medium] Rafael wrote: A typical example would be a login script that uses

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread Rafael
(Comments inline) tedd wrote: [···] From what I've read (PHP Cookbook by Sklar and other sources) the reason why you don't want to use $_REQUEST is because it holds all the variables from six global arrays, namely $_GET, $_POST, $_FILES, $_COOKIE, $_SERVER, and $_ENV. Actually,

RE: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread Dan Parry
://www.virtuawebtech.co.uk -Original Message- From: tedd [mailto:[EMAIL PROTECTED] Sent: 17 March 2006 14:30 To: php-general@lists.php.net; Rafael Subject: Re: [PHP] Re: setcookie security concerns [medium] Rafael: <?php $thestyle= htmlentities($_POST['thestyle']); setcookie ('thestyle', $set, time

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread Duncan Hill
On Friday 17 March 2006 15:10, Kevin Davies - Bonhurst Consulting wrote: I just picked up this thread, so excuse me if I'm repeating or have totally missed the point. Another concern I picked up from a PHP security book is using '--' - which simply comments out the remainder of the line (with

[PHP] Re: setcookie security concerns

2006-03-16 Thread tedd
Rafael: You said: In spite of all this, I would really recommend you not to rely on register_globals=On, since: it's not a good idea, it's actually deprecated (someday it will be removed) and makes your code a little bit more confused, since it's not clear where those variables come from.

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-16 Thread Rafael
(Comments inline) tedd wrote: [···] One last question, considering the above code, would the following code be a suitable replacement? <?php $thestyle= htmlentities($_POST['thestyle']); setcookie ('thestyle', $set, time()+31536000, '/', '', 0); header("Location: $HTTP_REFERER"); ?>

[PHP] Re: setcookie security concerns

2006-03-15 Thread Rafael
As far as I see... I can't see any risk. Cookies are saved in the client machine (i.e. the one visiting your site), so any code he might send will be used with him only, and it will not affect other users nor the scripts in the (remote) server. Now, you're not using the input value in