On Tue, 2008-09-02 at 16:22 -0500, Micah Gersten wrote:
> If one does not know where the session data is, one cannot inject code
> to expose it.

PHP knows where the session data is; the very function you gave provides
the path to it also. If you've got code injection then you've got
someone who can probably read the return value of session_save_path().

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
