Thu March 7

Questions about anything? Are you clear about the upcoming assignment?

Some security issues

• cross-site scripting
  • shannon - comments (I'm not going to leave this up ...)
  • What bad things that could be done?
  • The fix : something like htmlspecialchars
• sql injection
  • php sqlite bind
  • php sqlite escape
• of course there is a long list of many more issues.

(Security is a huge topic - this just scratches the surface of a few things related to the back-end-php-forms that we're doing now. But for a lot of the web stuff, one good way to understand the details is to read about how it can be broken ...)

Some php tricks

• passwords
  • php - passwords
• cookies
  • php - cookie
• phpinfo ...
• $_REQUEST ... form data & cookies
• $_SERVER ... IP address etc

sessions

PHP has some built-in session stuff ... but you may want to do this yourself explicitly with a cookie - at least as a learning experience.

There are several different approaches to what to put into the cookie in order to extract some persistent data that can be used to keep track of someone visiting your site.

• MDN: http dialog
• MDN: cookies
• OWASP: session management

Note that being logged in is not the same as have a session ...

Why (or why not) shouldn't you just use PHP's $SERVER['REMOTE_ADDR'] for sessions?

What does it mean to say that "HTTP is a stateless protocol ..." ?

How (where and what) should you store the information that a user is logged in?