roadkillguy wrote:On my website, I have a whole bunch of general php functions in a file. Some of these functions have access to my database, and I'm rather paranoid that someone could simply call one of these functions. Can they? I have the folder it's contained in set to 'deny from all' in my apache server.
Also, is it possible for some hacker to dynamically write to the session data/post data/cookies on my site?
Thanks.
Nobody can call functions in a php file, unless they happen to be able to upload/execute PHP on your domain. If they
can do this, then the fact they can call those functions is probably the least of your worries. Even if they could access the php file directly (via url), it won't execute if its in functions unless the function is called.
It's possible for hackers to write to the POST data, and normal cookies. They can also edit the session ID. The data you store in the $_SESSION array is stored serverside though.
Personally, the only cookie I use is an encrypted ID. The ID is also stored in the database, and when they come to the site (and don't have an active session) the cookie ID and database ID are compared. If they match a new session is generated and populated with general information the site needs about the user, and the ID in both the cookie and database are updated.
All information like the users Username, Browser User Agent, etc are stored in the session.
You should never store any information that can be used to identify a user, or is used directly on your site in cookies or the Session ID (aka, usernames, passwords, private messages, etc). You should store a key which can be compared with one server side to determine that user is the same person. This way a malicious user couldn't pretend to be someone else (or would find it difficult).