TalkPHP
Thread: Do I have to clean session id? (http://www.talkphp.com/general/4179-do-i-have-clean-session-id.html)

Sam Granger 04-22-2009 11:42 PM

Do I have to clean session id?
 
Quick question here.

<?php
@session_start();           // start or resume the session, warning suppressed
$session = session_id();    // the ID PHP accepted from the client or freshly generated

Would I have to clean $session before inserting it into the DB? Is there any way someone can change their browser's session ID into harmful SQL injection code?

Enfernikus 04-23-2009 12:44 AM

?phpsessionid=' Or 1=1

In short, you should.

Every ounce of data that a user may imaginably be able to edit or construe somehow should be cleaned.

Kalle 04-23-2009 01:12 AM

Session IDs cannot be changed. If one changes the session ID, PHP will generate a new ID behind the scenes and the old session would be lost, unless the user changes the ID back before the session is killed.

Wildhoney 04-23-2009 05:04 PM

And I think if you try to enter characters into a session ID that aren't valid, PHP will give you a blank session ID, or generate a new one. I just remember from a while ago that when I attempted to create my own session ID in my PHP script, I couldn't enter any values outside of the hexadecimal range because I hadn't changed the session ID character type.
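As an added example (not code from the thread or from any of the posters), here is the defensive version of what the replies describe: accept only the character set and length PHP itself uses for session IDs, and bind the value as a query parameter so it can never change the SQL. The PDO handle and the user_sessions table are assumptions for illustration.

```php
<?php
// Added example: validate the session ID format before storing it, and use
// a prepared statement so the SQL structure never depends on its contents.
// Assumes a PDO connection $pdo and a table user_sessions(session_id, user_id);
// both are hypothetical.

/**
 * PHP builds session IDs from the alphabet [0-9a-zA-Z,-] (the widest set
 * session.sid_bits_per_character allows) with a length between 22 and 256
 * (the range session.sid_length permits). PHP itself discards an incoming ID
 * outside that set and generates a fresh one, as the replies above note, but
 * checking again here costs nothing and documents the contract.
 */
function is_valid_session_id(string $id): bool
{
    return preg_match('/^[0-9a-zA-Z,-]{22,256}$/', $id) === 1;
}

function store_session(PDO $pdo, string $sessionId, int $userId): void
{
    if (!is_valid_session_id($sessionId)) {
        // Do not echo or store the rejected value; report only its length.
        throw new InvalidArgumentException(
            'Malformed session ID (' . strlen($sessionId) . ' bytes)'
        );
    }
    // Parameter binding keeps the ID as data, never as SQL syntax, so the
    // answer to "do I have to clean it?" is: validate, and never concatenate.
    $stmt = $pdo->prepare(
        'INSERT INTO user_sessions (session_id, user_id) VALUES (:sid, :uid)'
    );
    $stmt->execute([':sid' => $sessionId, ':uid' => $userId]);
}

// Constructed inputs: a hex ID of the default 32-character length, and the
// injection attempt quoted earlier in the thread.
$genuine  = '0123456789abcdef0123456789abcdef';
$attempt  = "' Or 1=1";
var_dump(is_valid_session_id($genuine));
var_dump(is_valid_session_id($attempt));
```

The regex is a belt-and-braces check; the prepared statement is what actually makes the insert safe regardless of the ID's contents.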

