Bytes | Software Development & Data Engineering Community

Cookie Security - Array Values: Implode or Serialize?

Hi there,

http://uk2.php.net/setcookie

suggests that for security, implode (correction of explode) should be
used instead of serialize. Does anyone know why?

I don't need to implement this, I just feel I need to know, for a
course I'm studying.

Cheers
Jody

Dec 29 '05 #1
jo**********@gmail.com wrote:
http://uk2.php.net/setcookie
suggests that for security, implode (correction of explode) should be
used instead of serialize. Does anyone know why?

Jody,

It could be due to this:
http://www.hardened-php.net/advisory_012004.42.html
see section 6 & 7.

Cheers,
Carl.
Dec 29 '05 #2
jo**********@gmail.com said the following on 29/12/2005 00:44:
http://uk2.php.net/setcookie
suggests that for security, implode (correction of explode) should be
used instead of serialize. Does anyone know why?

Dunno, but if you have enough data stored in a cookie for
implode()/serialize() etc. to be necessary, then you're probably better
off storing it all server-side, either in a DB or a file, and storing
just a UID in the cookie (like how sessions work).

Storing whole objects/data structures client-side is just asking for
trouble.
--
Oli
Dec 29 '05 #3
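Oli's suggestion ("just a UID in the cookie, like how sessions work") worked through as an added example; this is not code from the thread. The cookie carries only a random 128-bit identifier, the data itself lives in a server-side file keyed by that identifier, and the read path validates the identifier before touching the filesystem so a tampered cookie can only name a record that does not exist. STORE_DIR, the cookie name and the record fields are hypothetical; random_bytes() needs PHP 7.0 and the setcookie() options array needs PHP 7.3.

```php
<?php
// Added example (not from the thread): keep the data server-side and give the
// browser nothing but an unguessable, opaque identifier.
// STORE_DIR, the cookie name 'cart' and the record fields are hypothetical.
declare(strict_types=1);

const STORE_DIR = '/var/lib/myapp/cart';   // hypothetical; must exist and must not be web-readable

// Create a new record and return the id that goes into the cookie.
function store_create(array $data): string
{
    $id = bin2hex(random_bytes(16));       // 128 bits from the CSPRNG, 32 hex chars
    $path = STORE_DIR . '/' . $id . '.json';
    file_put_contents($path, (string) json_encode($data), LOCK_EX);
    return $id;
}

// Load a record by id. Anything that is not exactly 32 lowercase hex chars is
// rejected up front, so a tampered cookie cannot turn into path traversal or
// an arbitrary file read; a well-formed but unknown id simply yields null.
function store_load(string $id): ?array
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        return null;
    }
    $path = STORE_DIR . '/' . $id . '.json';
    if (!is_file($path)) {
        return null;
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : null;
}

// Write side: the cookie carries the id and nothing else.
$id = store_create(['items' => [42, 17], 'currency' => 'GBP']);
setcookie('cart', $id, [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);

// Read side: whatever the client sends back is treated as an untrusted string.
$cart = store_load((string) ($_COOKIE['cart'] ?? ''));
```

The point of the design is that the client never gets to choose a type, a structure or a file name: it can only present a token, and the only question the server asks about that token is whether a record with that exact name exists.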
Unserialize() in some versions of PHP suffers from a buffer overrun
vulnerability. That's one reason.

Another is that it's easy to write type-dependent code that compromises
security. A while back a vulnerability was discovered in a popular
message forum software--phpBB I believe--that allowed an attacker to
gain administrative access by simply tinkering with the serialized data
inside the cookie. Somewhere in the code there was a string comparison
that goes like:

if($user->password == $admin_password) {
}

The comparison would occur as expected if $user->password is a string.
If $user->password is the integer 0, on the other hand, something very
strange and bad happens. The value supplied would match nearly all
possible passwords, because PHP's type conversion rules dictate that in
a comparison between an integer and a string, the string would get
converted to an integer first--with the number 0 being the likeliest
outcome.

Dec 29 '05 #4
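The type-juggling failure described in the reply above, shown side by side with the implode()/explode() encoding the setcookie() page recommends and with a comparison that is safe regardless of encoding. This is an added example, not code from the thread or from phpBB; $admin_password, the value 'hunter2' and both cookie layouts are hypothetical. One caveat the original reply predates: PHP 8 changed loose comparison so that a non-numeric string compared with an integer is no longer cast to 0, so the tampered serialized cookie only "wins" on PHP 5 and 7. That change does not make unserialize() on client data safe (objects can still be instantiated unless allowed_classes is restricted, and the advisory linked in reply #2 concerns the parser itself), it only removes this one consequence.

```php
<?php
// Added example (not from the thread): a serialized cookie lets the client
// change the *type* of a value, and PHP's loose "==" then behaves differently.
// $admin_password and the cookie layouts below are hypothetical.
declare(strict_types=1);

$admin_password = 'hunter2';   // hypothetical secret that lives server-side only

// --- serialize()/unserialize(): the client controls the type ---------------
// What the application wrote into the cookie:
$honest = serialize(['user' => 'jody', 'password' => 'guess']);
// What an attacker sends back: "password" is now the integer 0.
$tampered = 'a:2:{s:4:"user";s:4:"jody";s:8:"password";i:0;}';

function check_serialized(string $cookie, string $admin_password): bool
{
    // allowed_classes => false (PHP >= 7.0) stops object instantiation, but
    // ints, bools, floats and nested arrays still come back exactly as written.
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['password'])) {
        return false;
    }
    // The loose comparison from the phpBB-style bug described above.
    // PHP 5/7: 0 == 'hunter2' is true  (the string is cast to int 0).
    // PHP 8:   0 == 'hunter2' is false (the int is cast to '0' instead).
    return $data['password'] == $admin_password;
}

// --- implode()/explode(): every field comes back as a string ---------------
$honest_imploded   = implode('|', ['jody', 'guess']);
$tampered_imploded = 'jody|0';   // the best an attacker can do: the *string* "0"

function check_imploded(string $cookie, string $admin_password): bool
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return false;
    }
    // '0' == 'hunter2' is a string-to-string comparison ('hunter2' is not
    // numeric), which is false on every PHP version.
    return $parts[1] == $admin_password;
}

// --- what to write regardless of the encoding ------------------------------
function check_hardened(string $cookie, string $admin_password): bool
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2) {
        return false;
    }
    // Strict and constant-time: no type juggling and no timing side channel.
    return hash_equals($admin_password, $parts[1]);
}

var_dump(check_serialized($honest, $admin_password));
var_dump(check_serialized($tampered, $admin_password));
var_dump(check_imploded($tampered_imploded, $admin_password));
var_dump(check_hardened($tampered_imploded, $admin_password));
```

Run under PHP 5 or 7, the second var_dump prints true: the attacker never learned the password, they only changed its type. The first, third and fourth print false on every version, and check_hardened() stays false even if someone later swaps the cookie encoding back to serialize(), because hash_equals() refuses anything that is not a string and never juggles.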
Oli Filth wrote:
Dunno, but if you have enough data stored in a cookie for
implode()/serialize() etc. to be necessary, then you're probably better
off storing it all server-side, either in a DB or a file, and storing
just a UID in the cookie (like how sessions work).

Storing whole objects/data structures client-side is just asking for
trouble.


Agreed. There may be times where storing a bit of data in a cookie is
quite tempting, but you should keep as much of the data as possible on the
server rather than on the user's computer. Rule #1 in programming: Never
trust the user.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Dec 29 '05 #5
