On ÐÐÐ, 2005-05-08 at 23:16 +0200, Andy Pieters wrote: > Notes: > * just because it comes from SESSION doesn't mean that it cannot be spoofed. > That's why you should escape uname before including it in a query.
Is there something I do not know ? :). As far as I know, it can be spoofed only if you have access to session data, which is held on the server-side, so only someone with server access can spoof. Any other way of doing it ? Josip Dzolonga http://josip.dotgeek.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
