Hi all,

On Tue, Jan 26, 2016 at 4:01 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Since the function only allows chars used by ID, I would like to add "_" as a
> valid char. "_" should be a very safe char.

I thought about possible attack/misuse scenarios a little more and came up with the following.

"_" is the wildcard char of SQL's LIKE query. Although it should be rare to use a session ID string in a LIKE query, one may do

    SELECT * FROM my_sess_table WHERE sess_id LIKE '$id';

where $id is '______________________'. This may allow fetching all session IDs in the DB. Users will likely write such a query with a prefixed session ID, so I don't think allowing "_" is a good idea after all.

I'll keep it as it is now, but if you have a good option, please let me know.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
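The LIKE behaviour described in the mail, shown as an added example (not code from the thread or from PHP): an in-memory SQLite table with constructed session IDs, the wildcard-prone LIKE lookup beside an exact-match lookup and a LIKE with escaped metacharacters. Table and column names follow the mail; the session ID values and function names are assumptions.

```python
import sqlite3

# Constructed sample data (not from the thread): three 16-char session IDs.
SESSION_IDS = ["a1b2c3d4e5f6a7b8", "0f0e0d0c0b0a0908", "deadbeefcafef00d"]


def connect_with_sessions():
    """Build an in-memory table shaped like the mail's my_sess_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_sess_table (sess_id TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO my_sess_table VALUES (?)",
                     [(s,) for s in SESSION_IDS])
    return conn


def lookup_like(conn, sess_id):
    """The weak form from the mail: LIKE treats '_' (any one char) and
    '%' (any run of chars) as wildcards, even when the value is bound
    as a parameter, so an ID made only of '_' matches every row."""
    rows = conn.execute(
        "SELECT sess_id FROM my_sess_table WHERE sess_id LIKE ?", (sess_id,))
    return [r[0] for r in rows]


def lookup_equals(conn, sess_id):
    """Exact comparison: no wildcard semantics at all."""
    rows = conn.execute(
        "SELECT sess_id FROM my_sess_table WHERE sess_id = ?", (sess_id,))
    return [r[0] for r in rows]


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters (and the escape char itself) so the
    value is matched literally; pair with an ESCAPE clause."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_like_escaped(conn, sess_id):
    """If LIKE is unavoidable (e.g. a prefixed search), escape the user
    value and declare the escape character to the database."""
    rows = conn.execute(
        "SELECT sess_id FROM my_sess_table WHERE sess_id LIKE ? ESCAPE '\\'",
        (escape_like(sess_id),))
    return [r[0] for r in rows]


def run_demo():
    """Return how each lookup treats an all-underscore 'session ID'."""
    conn = connect_with_sessions()
    wildcard_id = "_" * 16
    return {"like": lookup_like(conn, wildcard_id),
            "equals": lookup_equals(conn, wildcard_id),
            "like_escaped": lookup_like_escaped(conn, wildcard_id)}
```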