Storing user entered data in the session
Storing user entered data in the session
am 16.02.2010 15:07:29 von MIke Alaimo
Can anyone guide me here? I have the desire to store user entered
data into the session. I am regexing it to be only a-zA-z0-9 and a
space. The data is stored in an object and then serialized before
storing it into the session. Does anyone see any potential security
risks here?
Thanks,
Mike
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Storing user entered data in the session
am 16.02.2010 15:29:42 von Ashley Sheridan
--=-wTlhff449k/ij7q7m9T9
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
On Tue, 2010-02-16 at 09:07 -0500, Mike Alaimo wrote:
> Can anyone guide me here? I have the desire to store user entered
> data into the session. I am regexing it to be only a-zA-z0-9 and a
> space. The data is stored in an object and then serialized before
> storing it into the session. Does anyone see any potential security
> risks here?
>
> Thanks,
>
> Mike
>
I think you're fine, I can't see any problems. I think most of the time
you have to worry when you're actually doing something with the data,
like inserting it into a file or database, or outputting it to a screen,
as these are the times that injections can take place.
Thanks,
Ash
http://www.ashleysheridan.co.uk
--=-wTlhff449k/ij7q7m9T9--
Re: Storing user entered data in the session
am 16.02.2010 15:36:19 von MIke Alaimo
--0016e6d976703a4689047fb8a80e
Content-Type: text/plain; charset=ISO-8859-1
The data is displayed on the screen, and the user can change it as many
times as they want.
What do you think now Ash?
Mike
On Tue, Feb 16, 2010 at 9:29 AM, Ashley Sheridan
wrote:
> On Tue, 2010-02-16 at 09:07 -0500, Mike Alaimo wrote:
>
> Can anyone guide me here? I have the desire to store user entered
> data into the session. I am regexing it to be only a-zA-z0-9 and a
> space. The data is stored in an object and then serialized before
> storing it into the session. Does anyone see any potential security
> risks here?
>
> Thanks,
>
> Mike
>
>
>
> I think you're fine, I can't see any problems. I think most of the time you
> have to worry when you're actually doing something with the data, like
> inserting it into a file or database, or outputting it to a screen, as these
> are the times that injections can take place.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
--0016e6d976703a4689047fb8a80e--
Re: Storing user entered data in the session
am 16.02.2010 15:37:33 von Ashley Sheridan
--=-0Ar3u+iD5sTszlZRFbrW
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
On Tue, 2010-02-16 at 09:36 -0500, Mike Alaimo wrote:
> The data is displayed on the screen, and the user can change it as many
> times as they want.
> What do you think now Ash?
>
>
> Mike
>
> On Tue, Feb 16, 2010 at 9:29 AM, Ashley Sheridan
> wrote:
>
> > On Tue, 2010-02-16 at 09:07 -0500, Mike Alaimo wrote:
> >
> > Can anyone guide me here? I have the desire to store user entered
> > data into the session. I am regexing it to be only a-zA-z0-9 and a
> > space. The data is stored in an object and then serialized before
> > storing it into the session. Does anyone see any potential security
> > risks here?
> >
> > Thanks,
> >
> > Mike
> >
> >
> >
> > I think you're fine, I can't see any problems. I think most of the time you
> > have to worry when you're actually doing something with the data, like
> > inserting it into a file or database, or outputting it to a screen, as these
> > are the times that injections can take place.
> >
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
> >
> >
Well, if it's only alpha-numerica data with spaces, I don't see any
problems still. Anything input from the user that gets output to the
screen should be carefully parsed to ensure that any HTML it contains is
either removed or escaped to make it safe.
Data stored in a database should be filtered out to make sure that the
user isn't shoving in their own queries, otherwise you'll end up with
situations like this: http://xkcd.com/327/
Thanks,
Ash
http://www.ashleysheridan.co.uk
--=-0Ar3u+iD5sTszlZRFbrW--