on 28/11/02 9:22 AM, Evan Nemerson ([EMAIL PROTECTED]) wrote:

> I'm not worried about them using the query string for malicious purposes- I
> have register_globals off... I'm worried about someone messing with their
> cookie and sedding authorized to true- that _will_ change my $_SESSION
> variable, unless I can find some way to ignore cookies, which brings us back
> to my original question- how do i ignore all client input, _especially_
> cookies???

Turn register globals off (as you have). Then NEVER pull any data out of the $_COOKIES array, and you're now "ignoring" cookies :)

Perhaps a further step is to call something like unset($_COOKIES) at the top of every script... but I'm not sure how unset() works with the super global arrays.

Justin French
--------------------
http://Indent.com.au
Web Development & Graphic Design
--------------------

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
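
An added example (not part of the original messages) of the approach in the reply above: authorization state is written into $_SESSION only by server code, and no handler reads the cookie superglobal, which PHP names $_COOKIE. The names login() and is_authorized(), the $users table and the forged cookie are hypothetical and constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed request data: stands in for a client that forged a cookie
// named "authorized". With register_globals off this never reaches $_SESSION.
$_COOKIE['authorized'] = '1';

// Constructed credential store (assumption: a real application uses a database).
$users = ['evan' => password_hash('correct horse', PASSWORD_DEFAULT)];

session_start();   // PHP itself consumes the session-id cookie here
$_COOKIE = [];     // after this point no script code can read client cookies

/** Hypothetical helper: the only place that grants authorization. */
function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);      // fresh session id on privilege change
    $_SESSION['authorized'] = true;   // written by server code only
    $_SESSION['user'] = $user;
    return true;
}

/** Hypothetical helper: the only place that checks authorization. */
function is_authorized(): bool
{
    // Deliberately consults $_SESSION only, never $_COOKIE, $_GET,
    // $_POST or $_REQUEST.
    return ($_SESSION['authorized'] ?? false) === true;
}

// Collect results first and print last, so nothing is output before
// session_regenerate_id() needs to send a header.
$results = [];
$results['forged cookie only'] = is_authorized();
$results['wrong password']     = login($users, 'evan', 'guess') && is_authorized();
$results['valid login']        = login($users, 'evan', 'correct horse') && is_authorized();

foreach ($results as $case => $granted) {
    echo str_pad($case, 20), $granted ? 'authorized' : 'denied', PHP_EOL;
}
```

The cookie is cleared after session_start() rather than before it, because the session module still needs the session-id cookie to find the existing session.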