Question : PHP: Are sessions variables safe?

Hi All,

Are PHP session variables safe?

I.e. is there a way the someone to read them or change them?

Thanks in Adv

Answer : PHP: Are sessions variables safe?

Remember that PHP security is a LAYERED thing. There is no one single fix that turns security on and locks it down tight.

In general, sessions are secure unless you leave a hole elsewhere. XSS attacks work in PHP when you let javascript get posted into an HTML input field so this

<input name='whoops' type='text' />
...
echo $_POST['whoops'];

is insecure because I could enter <script>....malicious code ...</script> whereas this

<input name='whoops' type='text' />
...
echo strip_tags($_POST['whoops']);

is more secure because it eliminates javascript from the input stream. PHP can bit you on the bum in surprising ways, for instance the whole $_SERVER array is injectable by javascript and $_REQUEST is easily manipulated as well. So never, ever do

$aaa = $_SERVER['PHP_SELF'];

always

$aaa = strip_tags($_SERVER['PHP_SELF']);

Also, read up on the FILTER mechanisms in PHP 5.2+

http://www.php.net/filter_var

Random Solutions

Virus and/or Malware redirecting my links

Windows 7 best practices for VMware view

Why centos live cd so slow, and can not mount local HDD?

From where I can download HP Smartstart version 8.40

jQuery ajax update multiple fields

Checklist for Windows 2003 AD upgrade to Window 2008 AD

offline files for Mac?

How to remove white space showing up on website

SharePoint 2007 / InfoPath 2007 - Approval Workflow Advice Needed

Saving attachments from Lotus iNotes 8.5.1 on Windows 7