Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread Duncan Hill
On Friday 17 March 2006 15:10, Kevin Davies - Bonhurst Consulting wrote: > I just picked up this thread, so excuse me if I'm repeating or have totally > missed the point. > > Another concern I picked up from a PHP security book is using '--' - which > simply comments out the remainder of the line (

RE: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread Dan Parry
http://www.virtuawebtech.co.uk -Original Message- From: tedd [mailto:[EMAIL PROTECTED] Sent: 17 March 2006 14:30 To: php-general@lists.php.net; Rafael Subject: Re: [PHP] Re: setcookie security concerns [medium] Rafael: >>>$thestyle= htmlentities($_POST['thestyle']); >>set

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread Rafael
(Comments inline) tedd wrote: [···] From what I've read (PHP Cookbook by Sklar and other sources) the reason why you don't want to use $_REQUEST is because it holds all the variables from six global arrays, namely $_GET, $_POST, $_FILES, $_COOKIE, $_SERVER, and $_ENV. Actually, the

RE: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread Kevin Davies - Bonhurst Consulting
ass = '$pass' Obviously restricting/validating form input entry would avoid this issue. HTH, Kevin -Original Message- From: tedd [mailto:[EMAIL PROTECTED] Sent: 17 March 2006 14:49 To: php-general@lists.php.net; Rafael Subject: Re: [PHP] Re: setcookie security concerns [medium]

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread tedd
Rafael wrote: A tipical example would be a login script that uses the data as it arrives, for example: $login = $_POST['login']; $passw = $_POST['passw']; $sql = "SELECT * FROM user\n" ."WHERE( login = '$login' AND passw = '$passw' )"; In this case, what happens if I send so

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread tedd
Rafael wrote: Actually, you receive $set via GET, so you should use $_GET instead of $_POST. A lot of people use $_REQUEST (wich is a combination of $_POST, $_GET and $_COOKIE -check the manual), but I read somewhere that this isn't a good practice, though I don't recall why :p From what

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-17 Thread tedd
Rafael: Actually, you receive $set via GET, so you should use $_GET instead of $_POST. Yes, you are correct. In my example -- http://www.sperling.com/examples/styleswitch/ -- the value doesn't look like it is being added to the url and thus I mistakenly thought it was a POST. I wonder

Re: [PHP] Re: setcookie security concerns [medium]

2006-03-16 Thread Rafael
(Comments inline) tedd wrote: [···] One last question, considering the above code, would the following code be a suitable replacement? Actually, you receive $set via GET, so you should use $_GET instead of $_POST. A lot of people use $_REQUEST (wich is a combination of $_POST, $