
Session Variables Security



I have never written an app using $_SESSION variables before, so I need some advice regarding security.

 

I'm in the middle of writing a new app for one of my sites that involves several functions to generate data. As it stands now, it looks like the best way to pass variables generated by one function to another might be to use session variables. In this app, there is no user/password information and no sensitive data. The data being passed is simply used to control the flow of the logic, and to pass the result of db queries and calculations from one function to the next.

 

If I use session variables, what security measures should I implement for session variables? Should I filter/whitelist the session variables in the same manner that I would filter/whitelist post and get variables?

 

Thanks,

Bob


It's always best to sanitise anything which can affect (especially) mysql queries... What you could do is create a table with randomly generated unique hashes for each user's IP address

 

So when someone first goes on your site, they get a unique hash assigned to their IP, stored in the DB....

 

then load this and their IP into the $_SESSION variable and check that those match the DB prior to executing anything based on the session variables, because it is possible to spoof session values...

 

plus checking values to make sure they are as expected... like intval( ) around anything that should only be an integer or mysql_real_escape_string() around anything that is a string

 

these sorts of things will secure it up a little more

Edited by OJB
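The following is an added example, not code from either poster, showing one way to implement what OJB describes and what Bob asked about in the original question: a random token tied to the client IP and stored server-side, checked on every request, plus the same whitelist/type validation for $_SESSION values that one would apply to GET and POST. The PDO connection, the `session_tokens` table and the session keys `step` and `page` are assumptions made for this example. Two caveats worth knowing before copying the pattern: $_SESSION data itself lives on the server and cannot be edited by the browser, so the realistic risk is the session ID being stolen or fixated (hence `session_regenerate_id()` and the cookie flags), and binding a session to an IP address will log out legitimate users behind NAT or on mobile networks whose address changes mid-session.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection and a table
//   session_tokens (token CHAR(64) PRIMARY KEY, ip VARCHAR(45) NOT NULL)
// The DSN and credentials below are placeholders.
declare(strict_types=1);

$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Cookie flags: not readable from JavaScript, HTTPS only, not sent cross-site.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Issue a fresh random token for this client, store it with the IP server-side,
// and rotate the session ID so a fixated ID cannot be reused.
function issue_token(PDO $db): void
{
    $token = bin2hex(random_bytes(32));            // 256 bits from a CSPRNG
    $ip    = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $stmt  = $db->prepare('INSERT INTO session_tokens (token, ip) VALUES (:token, :ip)');
    $stmt->execute([':token' => $token, ':ip' => $ip]);
    session_regenerate_id(true);
    $_SESSION['token'] = $token;
    $_SESSION['ip']    = $ip;
}

// Check that the session's token/IP pair still matches what the DB holds and
// that the request really comes from that IP. Run this before trusting
// anything else in $_SESSION.
function session_is_valid(PDO $db): bool
{
    if (!isset($_SESSION['token'], $_SESSION['ip'])) {
        return false;
    }
    if ($_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        return false;
    }
    $stmt = $db->prepare('SELECT 1 FROM session_tokens WHERE token = :token AND ip = :ip');
    $stmt->execute([':token' => $_SESSION['token'], ':ip' => $_SESSION['ip']]);
    return $stmt->fetchColumn() !== false;
}

// Values that steer program flow are validated by type and range, or against an
// explicit whitelist, exactly as GET/POST values would be. Anything that fails
// validation is treated as absent rather than used.
function session_int(string $key, int $min, int $max): ?int
{
    $v = filter_var(
        $_SESSION[$key] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]
    );
    return $v === false ? null : $v;
}

function session_enum(string $key, array $allowed): ?string
{
    $v = $_SESSION[$key] ?? null;
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : null;
}

if (!session_is_valid($db)) {
    issue_token($db);
}

// Example use: the flow-control values Bob mentioned, read back safely.
$step = session_enum('step', ['load', 'compute', 'report']) ?? 'load';
$page = session_int('page', 1, 1000) ?? 1;
```

Because every value read back from $_SESSION goes through `session_int()` or `session_enum()`, a function later in the flow can pass `$page` into a query or `$step` into a switch without a second round of checks; the validation is the whitelist the original question asked about.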

OJB -- thanks for the response.

 

In some of the security info that I had read today about session variables, I had seen the recommendation to store session info, including a hashed user IP, in a db table. Since in this application the only queries executed are select, I figured that there is little threat of spoofing and sql injection, and that just filtering the input would suffice. However, I think that I will try implementing the IP hash and verification method also, since it seems like a good security practice to learn and use, especially on a shared server.

 

Thanks again for the advice.

1 month later...
Since in this application the only queries executed are select, I figured that there is little threat of spoofing and sql injection,

I had to register just to post this. If you have a textbox in a form that interacts with your database in any way, you must sanitize your inputs.

 

This includes select statements

 

EG, you have a simple search form that generates this query

select * from items where search_term='findme';

 

findme was entered into the search box.

 

How about I enter this into the search box

 

findme';drop table items;

 

the query now becomes

select * from items where search_term='findme';drop table items;

 

Bye bye table items and all associated data.

 

sanitize your inputs. :)

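As an added example (not code posted by binboing or Bob), here is the search form from the post above written both ways: the string-concatenated query that lets a quote character rewrite the statement, and the same query with a bound parameter, where the SQL text is fixed before any user value arrives. The `items` table and `search_term` column come from the post; the connection details are placeholders. One caveat on the stacked-statement example above: PHP's old `mysql_query()` sends a single statement and rejects a trailing `;drop table ...`, but the same unescaped quote still lets an attacker rewrite the WHERE clause of a SELECT, so a read-only account narrows the damage without removing the flaw. The parameterised form removes it.

```php
<?php
// Added example, not from the thread. Connection details are placeholders.
declare(strict_types=1);

$db = new PDO('mysql:host=localhost;dbname=app', 'app_readonly', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// VULNERABLE (the "before"): the user's term is spliced into the SQL text, so a
// value containing a quote changes the structure of the statement, not just a
// literal. Kept here only to show what the fix replaces; do not use.
function search_vulnerable(PDO $db, string $term): array
{
    $sql = "SELECT * FROM items WHERE search_term='" . $term . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the statement is prepared with a placeholder and the term is sent
// separately as data. Whatever the user types is compared as a plain string
// value; it can never become SQL.
function search_safe(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT * FROM items WHERE search_term = :term');
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth, as Bob's follow-up describes: the account the app connects
// with holds only SELECT on the tables it needs, granted once by the DBA:
//   GRANT SELECT ON app.items TO 'app_readonly'@'localhost';
// A successful injection then cannot drop or modify anything, although it can
// still read more rows than the form intended, which is why the prepared
// statement above is the primary control, not the account privileges.

$term = $_GET['q'] ?? '';
foreach (search_safe($db, $term) as $row) {
    // Escape on output as well, so a stored value cannot inject HTML.
    echo htmlspecialchars((string) ($row['search_term'] ?? ''), ENT_QUOTES, 'UTF-8'), "\n";
}
```

`PDO::ATTR_EMULATE_PREPARES => false` matters on MySQL: with emulation left on, PDO quotes the value client-side and sends one string, which is still safe for a single bound parameter but means the server never sees a parameterised statement; turning it off makes the separation of code and data enforced by the server itself.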

binboing, Thanks for the advice. I do make a practice of sanitizing any user inputs.

 

In that particular case, what I meant to say in the post, but probably posted in a hurry, was that the only database user defined in that application has only select privileges since that is the only query that the application executes -- hence my perception of there being less of a threat.

binboing, Thanks for the advice. I do make a practice of sanitizing any user inputs.

 

In that particular case, what I meant to say in the post, but probably posted in a hurry, was that the only database user defined in that application has only select privileges since that is the only query that the application executes -- hence my perception of there being less of a threat.

 

Ah gotcha. Well I hope it helps someone :)
