Question
Is there any reason this is bad form? The only user input data on the page is
// Set username and password from cookies
$username = mysql_real_escape_string($_COOKIE["username"]);
$password = mysql_real_escape_string($_COOKIE['password']);
I am REALLY new to the idea of sanitizing. Is there any reason this is a terrible way of doing things?
Answer 1:
NEVER, EVER store users' data in cookies!
Here's what I suggest:
- store the user's ID in a cookie
- generate a special token and hash+salt, and store them in cookies
- store everything in the database
- get the data from the cookies on every page load and try to find it in the database
- if it is not found, log the user out
- change the token on every page load
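The following is an added example, not code from the question, the answer, or Stack Overflow. It implements the steps the answer lists (user ID plus a random token in the cookies, only a hash of the token in the database, lookup on every page load, logout on a miss, rotation on a hit) and also answers the question's escaping concern: the cookie values are never interpolated into SQL at all, they are bound to PDO prepared statements, so mysql_real_escape_string is not needed. Cookie names, the 14-day lifetime and the in-memory SQLite database (through PDO, so the script runs stand-alone as `php example.php` on PHP 7.3+ with pdo_sqlite; a real site would point PDO at MySQL) are assumptions of this example.

```php
<?php
// Added example (not from the original post): cookie-backed login built the way the
// answer describes. Assumptions: in-memory SQLite via PDO, cookie names below, 14-day TTL.
declare(strict_types=1);

const COOKIE_ID    = 'uid';          // assumed cookie names
const COOKIE_TOKEN = 'auth_token';
const TOKEN_TTL    = 14 * 24 * 3600; // assumed lifetime in seconds

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
        $pdo->exec('CREATE TABLE login_tokens (user_id INTEGER, token_hash TEXT UNIQUE, expires_at INTEGER)');
    }
    return $pdo;
}

// Password check at login time only. The password never goes into a cookie.
function authenticate(string $username, string $password): ?int {
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]); // bound parameter: no manual escaping
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row && password_verify($password, $row['password_hash'])) ? (int)$row['id'] : null;
}

// Fresh random token for the user. Only its SHA-256 is stored, so a leaked database
// dump does not hand out usable cookies. With 256 bits of entropy in the token, no
// per-token salt is needed to keep the hash unguessable.
function issueToken(int $userId): string {
    $token = bin2hex(random_bytes(32));
    $stmt = db()->prepare('INSERT INTO login_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token), time() + TOKEN_TTL]);
    return $token;
}

// Look the cookie pair up. Returns the user ID for a valid, unexpired token, else null
// (the caller treats null as "logged out"). Both cookie values are attacker-controlled:
// the ID is validated as an integer and the token is only ever used as a bound value.
function userFromCookies(array $cookies): ?int {
    if (!isset($cookies[COOKIE_ID], $cookies[COOKIE_TOKEN])) {
        return null;
    }
    $userId = filter_var($cookies[COOKIE_ID], FILTER_VALIDATE_INT);
    if ($userId === false) {
        return null;
    }
    $stmt = db()->prepare('SELECT user_id FROM login_tokens WHERE user_id = ? AND token_hash = ? AND expires_at > ?');
    $stmt->execute([$userId, hash('sha256', (string)$cookies[COOKIE_TOKEN]), time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int)$row['user_id'] : null;
}

// Rotate on every page load: revoke the presented token and hand out a new one, so a
// copied cookie only works until the legitimate browser's next request.
function rotateToken(int $userId, string $oldToken): string {
    $stmt = db()->prepare('DELETE FROM login_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $oldToken)]);
    return issueToken($userId);
}

// Set both cookies with the flags a login cookie should carry (PHP 7.3+ options array).
function sendCookies(int $userId, string $token): void {
    $opts = ['expires' => time() + TOKEN_TTL, 'path' => '/', 'secure' => true,
             'httponly' => true, 'samesite' => 'Lax'];
    setcookie(COOKIE_ID, (string)$userId, $opts);
    setcookie(COOKIE_TOKEN, $token, $opts);
}

// Stand-alone walk-through with a constructed user and a simulated $_COOKIE array.
db()->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$uid   = authenticate('alice', 'correct horse'); // login handler
$token = issueToken($uid);                       // then sendCookies($uid, $token) in a real response

$cookies = [COOKIE_ID => (string)$uid, COOKIE_TOKEN => $token]; // what the browser sends back
$who = userFromCookies($cookies);
echo "page load with valid cookies: user ", var_export($who, true), "\n";

$token2 = rotateToken($who, $token); // the new token goes out with the response
echo "replayed old token: ", var_export(userFromCookies($cookies), true), "\n";
echo "new token: ", var_export(userFromCookies([COOKIE_ID => (string)$uid, COOKIE_TOKEN => $token2]), true), "\n";
echo "tampered ID: ", var_export(userFromCookies([COOKIE_ID => '1 OR 1=1', COOKIE_TOKEN => $token2]), true), "\n";
```

Two caveats on the answer's steps: rotating the token on every page load breaks when a browser fires several requests in parallel (the second request still carries the old token and gets logged out), so many sites rotate only on login or on a fixed interval instead; and because the server-side lookup uses the hash of a high-entropy random token, there is nothing for an attacker to guess offline, which is why the hash here carries no salt even though the answer mentions one.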
Source: https://stackoverflow.com/questions/11301153/mysql-real-escape-string-and-cookies