Question : PHP: Are sessions variables safe?

Hi All,

Are PHP session variables safe?

I.e. is there a way the someone to read them or change them?

Thanks in Adv

Answer : PHP: Are sessions variables safe?

Remember that PHP security is a LAYERED thing. There is no one single fix that turns security on and locks it down tight.

In general, sessions are secure unless you leave a hole elsewhere. XSS attacks work in PHP when you let javascript get posted into an HTML input field so this

<input name='whoops' type='text' />
...
echo $_POST['whoops'];

is insecure because I could enter <script>....malicious code ...</script> whereas this

<input name='whoops' type='text' />
...
echo strip_tags($_POST['whoops']);

is more secure because it eliminates javascript from the input stream. PHP can bit you on the bum in surprising ways, for instance the whole $_SERVER array is injectable by javascript and $_REQUEST is easily manipulated as well. So never, ever do

$aaa = $_SERVER['PHP_SELF'];

always

$aaa = strip_tags($_SERVER['PHP_SELF']);

Also, read up on the FILTER mechanisms in PHP 5.2+

http://www.php.net/filter_var

Random Solutions

Add comments to PDF

BES Activation issue

Script to enable folder auditing

How do I silently uninstall vSphere Client?

Properties group in usercontrol

SharePoint - single user can't access Rich Text Editor

virus/hacker changed computer registered owner

how to transfer apps from my iphone to my itunes library

Php and Apache server 2.2

WDS Server 2008 R2 - PXE Error