champoi Posted November 27, 2008 Share Posted November 27, 2008 as the title says, are $_session variables invulnerable to sql injections? i know that $_post and $_get variables can be targets for sql injections, just wondering if its the same with $_session, Quote Link to comment Share on other sites More sharing options...
Mchl Posted November 27, 2008 Share Posted November 27, 2008 Only you (the programmer) can put something into $_SESSION variable, so it's up to you. Quote Link to comment Share on other sites More sharing options...
btherl Posted November 28, 2008 Share Posted November 28, 2008 $_SESSION only stores data for you. If you take data from a user that contains an sql injection, store it in $_SESSION then take it out, then you are still at risk. But if you take data from the user (from $_POST for example), sanitize it, then store it in $_SESSION, then it is now safe data. So $_SESSION basically has no effect on safety of variables, since session data is set by you, not by the user. The thing to check is whether the data you put in $_SESSION originated from $_POST or $_GET (or $_REQUEST or $_COOKIE) Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.