Should $_SESSION['username'] be escaped before entering a SQL query?

I am wondering if anything from the $_SESSION array needs to be escaped before using it in an SQL query.

Please note that I do not use cookies in my application, since I heard that they can be used to capture the session (?)

Thank you so much

+1
php mysql
May 18 '12 at
5 answers

You need to escape every string that you pass into the SQL query, regardless of its origin.

Even if it is data that you extracted from your database.

+5
May 18 '12 at

Assuming you have yet to find exploits in PHP itself, everything should be escaped using prepared statements or mysql_real_escape_string before you let anything touch your database.

Data stored in $_SESSION is not always clean. For multi-page forms, you can store user input in $_SESSION until the last page, when you write it all to the database. If you get into any habit of thinking that $_SESSION is "clean", you will end up in trouble.

You should absolutely get used to the fact that every piece of data in your system is dirty until you escape it. Please note: if you use dynamic table names, escaping will not help you. Never use table or column names in a query that have ever been near a user. The various escaping mechanisms do not escape backticks. If you have a prepared query, say:

"SELECT * FROM `:aTable`;" 

and aTable comes from a user, a user who enters something like

` WHERE id IN (DELETE FROM user);

has potentially just deleted all your user entries.

+2
May 18 '12 at

A $_SESSION variable is the same as $_GET if it is used incorrectly, so the answer to your question is yes: if your RAW user input is stored in the session (which you should not do), then you would have to escape it.

+1
May 18 '12 at

Session variables are just like any other variables. The data there has to come from somewhere. If you directly store posted variables there, then it is basically like using a posted variable.

The only difference is that the session variable is stored across different requests, and that is about it.

+1
May 18 '12 at

One golden rule: never trust user input. Unless the data is yours (i.e. produced by your system), it should be considered "user input", and this certainly includes session data.

From the point of view of escaping session data for SQL, you can and should escape the data for use in SQL, for example using mysql_real_escape_string(), but depending on what data is contained in the session, I would also check the session against what you expect it to contain.

Not too sure what you mean regarding the cookie / session cookie comment; I suppose you mean that you only use a session to store data? In a typical PHP installation, sessions still use cookies, solely as a pointer to the user's session.

+1
May 18 '12 at 12:18
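An added example (not code from any of the answers above) putting together the two points made in this thread: session data goes into SQL only through a prepared statement, and identifiers such as table names, which placeholders cannot carry, are checked against an allow-list rather than escaped. The PDO connection details, the `users` and `orders` tables and the session values are all constructed assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL database
// reachable with the placeholder credentials below and a `users` table.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=app', 'DB_USER', 'DB_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Constructed: a multi-page form parked raw user input in the session.
$_SESSION['username'] = "alice' OR '1'='1";
$_SESSION['table']    = '` WHERE id IN (DELETE FROM user);';

// UNSAFE: the session value is spliced into the SQL text, so the quote in
// it changes the query from "find one user" into "match every row".
$unsafeSql = "SELECT id FROM users WHERE username = '" . $_SESSION['username'] . "'";

// SAFE: a prepared statement keeps the value out of the SQL text entirely,
// whether it arrived via $_GET, $_POST or $_SESSION.
function findUserId(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Placeholders cannot carry identifiers, and escaping does not cover
// backticks, so a dynamic table name is validated against a fixed list
// of tables the application actually owns (constructed here).
function safeTableName(string $requested): string
{
    $allowed = ['users', 'orders'];
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('Table name not in allow-list');
    }
    return '`' . $requested . '`';
}

// Looks up the literal string "alice' OR '1'='1", which matches nobody.
$userId = findUserId($pdo, $_SESSION['username']);

// The hostile table name never reaches the query: this throws.
try {
    $sql = 'SELECT * FROM ' . safeTableName($_SESSION['table']) . ' LIMIT 10';
} catch (InvalidArgumentException $e) {
    $sql = null;
}
```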
