Script security question
Posted: Mon Feb 12, 2007 2:28 am
<sinatra>This is my first post here. Please be kind.</sinatra>
Don't have code yet - still working on concept.
I'm designing a site for a low vision specialist. I'm hoping to call the site template through a server-side include. Pretty simple.
I'm also thinking of creating a set of clickable controls that allow the user to customize the appearance of the site, and have that information stored in a cookie on the user's machine. The user basically creates his/her own custom stylesheet for that particular site.
When the page loads, the script looks for the cookie. If it's found, the script displays the page according to the style information specified - otherwise, it just displays the page as originally designed.
The problem is that this sort of script seems to beg to be exploited. You don't even have to know much about hacking PHP to create a pretty nasty little surprise for anyone visiting that site. The session cookie itself would give away exactly how the script worked. I haven't even written the script yet, and I already see a lot of problems with it.
Any thoughts on creating this script in a secure fashion? I'd love to avoid horrifying the elderly and legally blind if possible.
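
One way to build the cookie-driven styling described in the post above, as an added example that is not part of the original post: the cookie only selects among options the server defines, and none of its text is ever written into the page. The cookie format, the option names and the CSS class names are all hypothetical.

```php
<?php
// Hypothetical option names; only these server-defined class names can reach the page.
const STYLE_OPTIONS = [
    'size'     => ['normal' => 'text-normal', 'large' => 'text-large', 'xlarge' => 'text-xlarge'],
    'contrast' => ['default' => 'contrast-default', 'high' => 'contrast-high', 'inverse' => 'contrast-inverse'],
    'font'     => ['sans' => 'font-sans', 'serif' => 'font-serif'],
];
const STYLE_DEFAULTS = ['size' => 'text-normal', 'contrast' => 'contrast-default', 'font' => 'font-sans'];

// Map the raw cookie (assumed format "size=large;contrast=high") to CSS class names.
// Unknown keys, unknown values and malformed pairs leave the default in place.
function style_classes_from_cookie(?string $raw): array
{
    $classes = STYLE_DEFAULTS;
    // A legitimate cookie is short; ignore anything oversized.
    if ($raw === null || strlen($raw) > 128) {
        return array_values($classes);
    }
    foreach (explode(';', $raw) as $pair) {
        $parts = explode('=', $pair, 2);
        if (count($parts) !== 2) {
            continue;
        }
        // The cookie only selects among allowlisted options; its text is never echoed.
        $class = STYLE_OPTIONS[$parts[0]][$parts[1]] ?? null;
        if ($class !== null) {
            $classes[$parts[0]] = $class;
        }
    }
    return array_values($classes);
}

// Constructed sample inputs: a valid cookie, a tampered cookie, and no cookie.
$samples = ['size=xlarge;contrast=inverse', 'size=large" onmouseover="x;font=../x', null];
foreach ($samples as $raw) {
    // On the real page the input would be $_COOKIE['style_prefs'] (hypothetical name),
    // passed in only after confirming it is a string.
    $attr = htmlspecialchars(implode(' ', style_classes_from_cookie($raw)), ENT_QUOTES, 'UTF-8');
    echo '<body class="' . $attr . '">' . PHP_EOL;
}
```

The tampered sample produces the same output as a missing cookie, because every value that is not in the allowlist falls back to the default class.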