--- Ryan A <[EMAIL PROTECTED]> wrote:
> Yep, I just created the session and nothing beyond. Am new to PHP
> and first time/project user with sessions.
Right. I think this needs to be made clearer in the manual myself, and I might add something to drive the point home. PHP sessions are a mechanism, not an entire solution.

> now what to do?

I think step one is to determine exactly what is happening. Now, I don't mean that you have to know how it is happening, only what is happening. If you have a session variable $foo (assuming register globals), and the end user is able to modify this variable, that is what is happening.

Given this, here is an important point to grab onto: Session variables cannot be manipulated by the client. Trust this, and build on that trust.

Now, I know this is exactly what you think is happening, so you're probably having a hard time trusting this statement. Let me elaborate on what I mean.

When the client sends data in an HTTP request, there are three common methods:

1. In an HTTP header, such as Cookie
2. In the HTTP content of a POST request
3. In the URL of a GET request

Regardless of which method, once your script begins processing, the time when a client can send data is over. Think about this carefully. This means that when you fetch data from the session store, any potential collisions overwrite what the client sent, not your session data.

What else does this mean? You should always initialize every global variable you use when register_globals is enabled. There should be no exceptions to this.

If you can provide more details, we might be able to provide more direction.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
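The two points above (session data written by session_start() overwrites a colliding client-supplied global, and every global you use must be initialized when register_globals is on) as an added example; this is not code from the thread or from Chris. It assumes register_globals = On, which is the configuration the thread discusses (the directive was removed in PHP 5.4, so the vulnerable branch cannot be reproduced on a current PHP), and the variable and file names ($is_admin, login.php, page.php) are chosen for illustration.

```php
<?php
// page.php -- added example, not from the mailing-list thread.
// Assumes register_globals = On (PHP 4 / early PHP 5), as in the thread.

session_start();

// --- What the client can do -------------------------------------------------
// With register_globals on, a request for  /page.php?is_admin=1  creates the
// global  $is_admin = "1"  from the query string before any of this code runs.
//
// --- What session_start() does to that --------------------------------------
// If the session store already holds an "is_admin" entry, session_start()
// registers it as a global too, and the stored value wins the collision: the
// client-supplied "1" is overwritten by whatever the server saved.
//
// If the session store holds NO "is_admin" entry, nothing overwrites the
// client's value, and the uninitialized check below is bypassed.

// VULNERABLE: relies on a global that this script never initializes.
if ($is_admin) {
    echo "vulnerable check: admin\n";   // reachable via ?is_admin=1 on a fresh session
}

// HARDENED: initialize every global you use, then take the value only from
// the server-side session store, which the client cannot write to.
$is_admin = false;                               // discards any client-supplied $is_admin
if (isset($_SESSION['is_admin'])) {
    $is_admin = (bool) $_SESSION['is_admin'];    // $_SESSION is the session store itself
}
if ($is_admin) {
    echo "hardened check: admin\n";              // reachable only after login.php below set it
}

// login.php (same file here for brevity) -- the only place the flag is set,
// and only after a real credential check. Credential lookup is stubbed as a
// constant because it is not the point of the example.
function login(string $user, string $password): bool
{
    $known = ['alice' => 'correct horse battery staple'];   // constructed sample credentials
    if (!isset($known[$user]) || !hash_equals($known[$user], $password)) {
        return false;
    }
    session_regenerate_id(true);                 // new session ID on privilege change
    $_SESSION['is_admin'] = ($user === 'alice'); // written server-side, never from the request
    return true;
}
```

The hardened branch is correct with register_globals either on or off: the explicit `$is_admin = false;` makes the request-supplied global irrelevant, and reading `$_SESSION` directly means the flag can only carry a value that server-side code such as `login()` stored.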