Editing Cookies

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Ambush Commander wrote: Telnet is only necessary when you need fine-grained controls over exactly what headers are sent.

I wasn't only talking about cookies; I was talking about the HTTP request itself, and/or anything in it. What if someone was inserting $_SERVER['HTTP_REFERER'] into a database and forgot to escape it? Some programs for simulating headers require a valid URL there; what if an attacker formed an HTTP request with data that needed escaping? There are countless things that should be treated as untrusted input, the HTTP request included.
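
Added example, not part of josh's post or the thread: one way to store a request header such as the Referer without relying on a manual escaping step, by binding it as a parameter and encoding it again on output. The table name, function names and sample header values are constructed for illustration, and the script assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// In-memory database so the example runs offline (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE hits (id INTEGER PRIMARY KEY, referer TEXT)');

// Normalise a client-supplied header: it may be missing, oversized or
// contain control characters. This is hygiene, not a substitute for binding.
function clean_header(?string $value, int $maxLen = 2048): ?string
{
    if ($value === null || $value === '') {
        return null;
    }
    $value = (string) preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return substr($value, 0, $maxLen);
}

// The header travels as a bound parameter, so it is never parsed as SQL
// and there is no escaping call to forget.
function log_referer(PDO $db, ?string $referer): void
{
    $clean = clean_header($referer);
    $stmt = $db->prepare('INSERT INTO hits (referer) VALUES (:referer)');
    $stmt->bindValue(':referer', $clean,
        $clean === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->execute();
}

// Constructed sample values standing in for $_SERVER['HTTP_REFERER'] ?? null.
$samples = [
    'http://example.test/page',
    "http://example.test/o'brien?x=\"<b>\"", // quotes and markup characters
    null,                                    // header not sent at all
];
foreach ($samples as $sample) {
    log_referer($db, $sample);
}

// Stored headers are still untrusted when read back: encode for the
// output context (HTML here) at display time.
foreach ($db->query('SELECT id, referer FROM hits') as $row) {
    $shown = htmlspecialchars($row['referer'] ?? '(none)', ENT_QUOTES, 'UTF-8');
    echo $row['id'], ': ', $shown, PHP_EOL;
}
```

The same pattern applies to any other request-derived value, such as cookies or the User-Agent header.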