When a user goes to my site, my script checks for 2 cookies which store the user id + part of the password, to automatically log them in.
It’s possible to edit the contents of cookies via a cookie editor, so I guess it’s possible to add some malicious content to a written cookie?
Should I add mysql_real_escape_string (or something else) to all my cookie calls or is there some kind of built in procedure that will not allow this to happen?
What you really need to do is not send these cookie values that are hackable in the first place. Instead, why not hash the username and password and a (secret) salt and set that as the cookie value? i.e.:
Then you know the cookie value is always going to be a 40-character hexadecimal string, and can compare the value the user sends back with whatever’s in the database to decide whether they’re valid or not:
mysql_real_escape_string makes an additional hit to the database, BTW (a lot of people don’t realize it requires a DB connection and queries MySQL).
The best way to do what you want if you can’t change your app and insist on using hackable cookie values is to use prepared statements with bound parameters.
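An added example, not code from the question or the answer above, combining the two suggestions: a 40-character hex token checked for shape before use, and a lookup through a prepared statement with a bound parameter. Assumptions: the token is an HMAC-SHA1 keyed with the secret (swapped in for a plain hash of the concatenated values), the cookie names `uid` and `token`, the `users` table, the `SECRET` placeholder, and PDO with an in-memory SQLite database standing in for MySQL are all hypothetical.

```php
<?php
// Added example. SECRET, the cookie names and the users table are assumptions.
const SECRET = 'replace-with-long-random-server-side-secret'; // placeholder value

// 40 hex chars: HMAC-SHA1 over user id and stored password hash, keyed by the secret.
function make_token(int $userId, string $passwordHash): string {
    return hash_hmac('sha1', $userId . '|' . $passwordHash, SECRET);
}

// Returns the user id if both cookies are well-formed and the token matches, else null.
function user_from_cookies(PDO $db, array $cookies): ?int {
    $uid   = $cookies['uid']   ?? '';
    $token = $cookies['token'] ?? '';
    // Reject anything that is not the exact expected shape before touching the database.
    if (!is_string($uid) || !is_string($token)) return null;
    if (!preg_match('/\A[1-9][0-9]{0,8}\z/', $uid)) return null;
    if (!preg_match('/\A[0-9a-f]{40}\z/', $token)) return null;

    // Bound parameter: the cookie value is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => (int)$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;

    // Recompute the expected token server-side and compare in constant time.
    $expected = make_token((int)$row['id'], $row['password_hash']);
    return hash_equals($expected, $token) ? (int)$row['id'] : null;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password_hash TEXT)');
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$db->prepare('INSERT INTO users (id, password_hash) VALUES (?, ?)')->execute([7, $hash]);

// Constructed cookie sets: one valid, one with an edited id, one with a wrong token.
$good   = ['uid' => '7', 'token' => make_token(7, $hash)];
$edited = ['uid' => "7' OR '1'='1", 'token' => $good['token']];
$forged = ['uid' => '7', 'token' => str_repeat('0', 40)];

var_dump(user_from_cookies($db, $good));   // valid cookies
var_dump(user_from_cookies($db, $edited)); // edited id fails the shape check
var_dump(user_from_cookies($db, $forged)); // well-formed but wrong token
```

Because the token depends on the stored password hash, changing the password invalidates every previously issued cookie.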