  1. #1
    Regular Coder
    Join Date
    Jan 2010
    Posts
    101
    Thanks
    17
    Thanked 5 Times in 5 Posts

    Is session_id() secure?

    I'm using the session_id() method to directly (that is, without sanitation) input the resulting id into a MySQL database. Assuming I've done everything right (the user is not able to change the cookie through the URL, for example), is it still possible to inject some sort of malicious SQL into this ID? Or is it completely free from user modification?

    For example, if a user were to modify his cookie to be a SQL injection, would I run into a problem?

  • #2
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,346
    Thanks
    60
    Thanked 527 Times in 514 Posts
    If a user modified their cookie and you're using this id in a SQL query then of course it's dangerous. It's still potentially dangerous SQL and it will be just like any other string.

    Sanitise it. Job done. It's only one function at a minimum so why is this a big issue?
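The point in the reply above deserves a concrete demonstration, so here is an added example (not code from either poster). On a default install the value `session_id()` returns after `session_start()` is whatever the client sent in the `PHPSESSID` cookie, subject only to the session module's own checks (the bundled files handler rejects ids with characters outside `A-Z a-z 0-9 , -` and starts a fresh session, and `session.use_strict_mode` makes PHP refuse ids it did not issue). Neither of those is a property of your query, and a save handler you register yourself with `session_set_save_handler()` should not be assumed to have filtered anything, so treat the id like any other client string: check that it has the shape PHP's generator would produce, then bind it. The example uses an in-memory SQLite table constructed here in place of the MySQL table in the question; the SQL and the PDO calls are identical for MySQL. The character classes per `session.sid_bits_per_character` value and the fallback length range are assumptions noted in the comments.

```php
<?php
// Added example, not from the thread: why a cookie-derived session id must be
// validated and parameterised before it reaches SQL.
declare(strict_types=1);

/**
 * Accept only strings shaped like an id PHP's own generator would produce.
 * $bits and $len default to the running php.ini (session.sid_bits_per_character
 * and session.sid_length on PHP >= 7.1; older builds expose
 * session.hash_bits_per_character and have no length setting).
 * Assumed mapping: 4 bits => [0-9a-f], 5 => [0-9a-v], 6 => [0-9a-zA-Z,-].
 */
function is_plausible_session_id(string $id, ?int $bits = null, ?int $len = null): bool
{
    if ($bits === null) {
        $bits = (int) (ini_get('session.sid_bits_per_character')
            ?: ini_get('session.hash_bits_per_character') ?: 4);
    }
    if ($len === null) {
        $len = (int) ini_get('session.sid_length');   // 0 when the setting is absent
    }
    if ($bits <= 4) {
        $class = '[0-9a-f]';
    } elseif ($bits === 5) {
        $class = '[0-9a-v]';
    } else {
        $class = '[0-9a-zA-Z,-]';
    }
    // Assumed fallback range when no sid_length is configured (pre-7.1 builds).
    $quant = $len > 0 ? '{' . $len . '}' : '{22,128}';
    return preg_match('/\A' . $class . $quant . '\z/', $id) === 1;
}

/** DON'T: the cookie value is spliced straight into the statement text. */
function lookup_user_unsafe(PDO $db, string $id): array
{
    $sql = "SELECT user_id FROM sessions WHERE session_id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** DO: reject anything PHP could not have issued, then bind the value. */
function lookup_user_safe(PDO $db, string $id, int $bits = 4, int $len = 32): array
{
    if (!is_plausible_session_id($id, $bits, $len)) {
        return [];                       // never reaches the database
    }
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE session_id = ?');
    $stmt->execute([$id]);               // bound as data, never parsed as SQL
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed fixture: two logged-in users with 32-char hex ids (4 bits per char).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL)');
$ins = $db->prepare('INSERT INTO sessions VALUES (?, ?)');
$ins->execute(['3f9a0c1e7b2d4856a1c3e5f709b2d4e6', 1]);
$ins->execute(['9b2d4e6f1a3c5e7081b3d5f7a9c1e3f5', 2]);

// A forged cookie value. Sent as  Cookie: PHPSESSID=x' OR '1'='1  this is what
// a naive save handler or a pre-session_start() read of the cookie would see.
$forged = "x' OR '1'='1";

// Unsafe path: the WHERE clause becomes  session_id = 'x' OR '1'='1'  and every
// row matches, so the caller "authenticates" as whichever user comes back first.
var_dump(lookup_user_unsafe($db, $forged));

// Safe path: the forged value fails the shape check and no SQL runs at all;
// a well-formed id is bound as a parameter and matches only its own row.
var_dump(lookup_user_safe($db, $forged));
var_dump(lookup_user_safe($db, '3f9a0c1e7b2d4856a1c3e5f709b2d4e6'));
```

The shape check is defence in depth; the prepared statement is what actually removes the injection, since a bound parameter is never parsed as SQL regardless of its contents. Two related settings are worth turning on while you are there, though they address session fixation rather than injection: `session.use_strict_mode = 1` so PHP discards any cookie id it did not generate, and `session_regenerate_id(true)` at login so an id chosen by an attacker before authentication is never the one that ends up in the `sessions` table.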

  • #3
    Regular Coder
    Join Date
    Jan 2010
    Posts
    101
    Thanks
    17
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by tangoforce View Post
    If a user modified their cookie and you're using this id in a SQL query then of course its dangerous. It's still potentially dangerous SQL and it will be just like any other string.

    Sanitise it. Job done. It's only one function at a minimum so why is this a big issue?
    It's not a big issue, however I wanted to make sure I understood the functional use of session_id and who has access to modifying it.

    Hah, I actually forgot I have a whole sanitation/validation function already programmed, and I'm using it! It just looks like the session_id function is being inputted directly, but the sanitation runs before any other part of script, so it's fine.

    Thanks for the reassurance.
