jaymc

Session Security

Right, I'm just wondering how much I can rely on the security of SESSIONS.

On my site, I use a lot of $_GET, which is obviously an ideal opportunity for hackers to code inject.

However, when querying or updating MySQL, I also use the following method:

[code]// username comes from the server-side session, not from the client
$user = $_SESSION['user'];
// the value has to be quoted for the SQL to be valid; missing semicolon added
$query = "SELECT * FROM `members` WHERE `username` = '$user' LIMIT 0,1";[/code]

As you can see, it will only query the row that has a username equal to $user.

[b]Now, what are the chances of a hacker spoofing the session to make it equal whatever they want?[/b]

They won't.

As the session is stored on the server and not on the client, the only way for a hacker to spoof a session is by getting a valid session ID. In order to get the session ID they need to be in the same room as you.

Also, about $_GET: you should be validating the input, not using raw GET data.

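The two points raised in this thread, keeping the session ID out of an attacker's hands and not putting raw $_GET or session values into SQL text, as an added example that is not code from either poster. It assumes PHP 7.3 or later, an already-connected PDO instance in `$pdo`, and the same `members`/`username` table and column as in the question.

```php
<?php
// Added example, not from the original thread. $pdo is assumed to be an
// already-connected PDO instance (connection code not shown).

// 1. Session hardening, configured before session_start().
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never read the session ID from the URL
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // cookie only travels over HTTPS
    'httponly' => true,     // cookie not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// 2. After a successful login, issue a fresh ID so any ID seen before
//    authentication stops being useful (hypothetical helper name).
function login_user(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

// 3. Parameterised lookup: the username is bound as data, never spliced
//    into the SQL string, so it cannot alter the query's structure.
function load_member(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM `members` WHERE `username` = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. Validate $_GET before use instead of passing the raw value through;
//    here a hypothetical ?id= parameter must be a positive integer.
function member_id_from_get(): ?int
{
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return ($id === false || $id === null) ? null : $id;
}

if (isset($_SESSION['user'])) {
    $member = load_member($pdo, $_SESSION['user']);
}
```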
