PHP Security &amp; Firefox

PHP Security & Firefox

iceomnia

PHP Code:
$player=addslashes($_SESSION['player']);

In firefox you can edit session varibles. so watch out.

I just read this is another thread......

Hello!!! - Does this mean that firefox browser can change php session variables?

That's crazy!

laserlight

As I pointed out in that thread, I believe the user who made that claim is in error. The content of session variables are stored server side, so I reason that the client cannot arbitrarily alter them. What the client can do is change the session id, be it by changing the session cookie, or the session id passed in the query string. The client can also indirectly alter the content of session variables via your script, but that is to be expected (e.g., if you store the username as a session variable, a change of username using a form would eventually propagate to a change of the value of that session variable).

NogDog

No, you could only change the session ID by changing the session cookie. This would be useless unless you were able to successfully guess the session ID of some set of session data currently saved on the server (i.e.: "session hijacking"). The actual session data is in a file on the server, and so can only be altered by some program running on the server or some user logged in on the server (and with permissions to alter that file).

NogDog

PS: All data received from the client must be considered as possibly being invalid/unsafe, as your server-side scripts are entirely dependent on what the client sends them, and any half-ways decent hacker can wrtie scripts/programs to send whatever HTTP headers/data he wants to send to your web host.

laserlight

All data received from the client must be considered as possibly being invalid/unsafe

Indeed. For reference, the thread referred to is Error, not solved yet, please help 🙂. I repeat, addslashes() is not correct in the example given.