Allowing user input in $_SESSION

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Post by Chalks »

The way my script is currently set up (I'm still developing it, so it's not live or anything), a user could put pretty much _any_ string into a $_SESSION variable. It would never be evaluated beyond this:

Code:

<?php session_start(); // the session value is echoed below exactly as stored, with no escaping ?>
<html>
  <body>
    <form>
      <input name="whatever" type="text" value="<?php if(isset($_SESSION['unsecured'])) echo $_SESSION['unsecured']; ?>">
    </form>
  </body>
</html>
I don't _think_ that creates a security hole, but I'm not sure. Does it? If so, how?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

As a rule of thumb, all output should have htmlentities() applied to it to avoid XSS injection.

Code:

<input name="whatever" type="text" value="<?php if(isset($_SESSION['unsecured'])) echo htmlentities($_SESSION['unsecured']); ?>">
Moved to PHP-Security.
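As an added example (not code from either poster), here is the same input rendered once without escaping and once with attribute-context escaping, so the difference is visible in the emitted HTML. The function names and the sample session string are constructed for illustration; the flags passed to htmlspecialchars() are the part worth copying, since the pre-8.1 default (ENT_COMPAT) leaves single quotes unencoded.

```php
<?php
// Added example, not from the thread: escape a session-backed value for a
// double-quoted HTML attribute and compare it with the unescaped rendering.
declare(strict_types=1);

// Escape for attribute context. ENT_QUOTES encodes both quote styles
// (the default before PHP 8.1 encoded only double quotes); ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the <input> from the thread from a (possibly user-controlled)
// session value, escaping on output. null models an unset $_SESSION key.
function renderInput(string $name, ?string $sessionValue): string
{
    $value = $sessionValue === null ? '' : escapeAttr($sessionValue);
    return sprintf('<input name="%s" type="text" value="%s">', escapeAttr($name), $value);
}

// Quick check a reviewer can run over rendered markup: the attribute
// value must contain no raw characters that can end the attribute or
// start a tag.
function attributeValueIsInert(string $escaped): bool
{
    return strpbrk($escaped, "\"'<>") === false;
}

// Constructed sample of what an attacker-controlled session string might hold.
$hostile = '"><script>alert(1)</script>';

// Unescaped, as in the original snippet: the first quote closes the
// attribute and the rest becomes markup.
$unsafe = sprintf('<input name="whatever" type="text" value="%s">', $hostile);

// Escaped: the browser shows the same text, but only as attribute content.
$safe = renderInput('whatever', $hostile);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
var_dump(attributeValueIsInert(escapeAttr($hostile))); // true
var_dump(attributeValueIsInert($hostile));             // false
```

Swapping htmlentities() for htmlspecialchars() changes nothing for the security-relevant characters; both encode them, and the explicit flags and charset are what matter.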