--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
> It's obviously best practice to rigorously check and validate all input
> coming via $_GET or $_POST, but what about $_SESSION values?

Session data can be considered safe, but there are of course caveats. It
is not possible for the user to manipulate session data at all, whereas
GET, POST, and cookie data comes directly from the user. That is the major
difference. Of course, if you blindly store client data in a session, you
now have tainted session data. So, it all depends on your application.

Hope that helps.

Chris
=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
--
PHP General Mailing List (http://www.php.net/)
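
The distinction drawn in the reply above, as an added example that is not part of the original thread: client data copied straight into `$_SESSION` stays tainted, while data validated on the way in can be trusted by later readers. The helper names, session keys and validators are hypothetical, and the request values are constructed so the script runs from the CLI.

```php
<?php
// Added example, not code from the thread. $_GET and $_SESSION are filled
// by hand (constructed values) instead of coming from a real request and
// session_start(). Assumes the session extension is loaded, which is what
// makes $_SESSION a superglobal inside functions.
$_GET = ['theme' => '../other', 'per_page' => '25; x'];  // constructed input
$_SESSION = [];

// Tainted: client data copied into the session unchanged. Every later
// reader of $_SESSION[$key] must treat it exactly like raw GET data.
function store_blindly(string $key): void
{
    $_SESSION[$key] = $_GET[$key] ?? null;
}

// Clean: a value enters the session only after passing a validator;
// anything that fails is replaced by a server-chosen default.
function store_validated(string $key, callable $validator, $default)
{
    $raw = $_GET[$key] ?? null;
    $clean = is_string($raw) ? $validator($raw) : null;
    $_SESSION[$key] = $clean ?? $default;
    return $_SESSION[$key];
}

// Hypothetical validators: an allow-list and a bounded integer.
$theme = function (string $v): ?string {
    return in_array($v, ['light', 'dark'], true) ? $v : null;
};
$perPage = function (string $v): ?int {
    $n = filter_var($v, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return $n === false ? null : $n;
};

// The session now holds the raw client string under a "trusted" name.
store_blindly('theme');
var_dump($_SESSION['theme']);

// The same keys stored through validation: only allow-listed or in-range
// values, or the defaults, can ever reach the session.
var_dump(store_validated('theme', $theme, 'light'));
var_dump(store_validated('per_page', $perPage, 10));
```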