tags:
views: 23
answers: 4

When a user logs in, should I sanitize their logged-in $_SESSION['user_id'] user id or not? For example, like in the following code below.

mysqli_real_escape_string($mysqli, htmlentities(strip_tags($_SESSION['user_id'])));
+2  A: 

Session data is stored server-side, so it should be sanitized before being added to $_SESSION in the first place.

Ignacio Vazquez-Abrams
So there is no need to sanitize the `$_SESSION` when I retrieve it from the database?
phps
As long as you sanitized the data before putting it in the session, it's safe from that point forward.
Charles
+1, plus something that _needs_ to be done: on logging in you should regenerate a different session_id to avoid session fixation.
Wrikken
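Putting the accepted answer and Wrikken's comment together, here is an added login handler (example code written for this page, not code from any of the posters). It validates the submitted credentials once, regenerates the session id on the privilege change, and stores an integer user id so that later requests have nothing left to sanitize. The function names `authenticate_user()`, `login()` and `current_user_id()` and the `users(id, username, password_hash)` table are assumptions.

```php
<?php
// Added example, not from the original answers: validate at login time, then
// store a typed value in $_SESSION. Function names and schema are assumed.
declare(strict_types=1);

session_start();

/**
 * Return the integer id for a valid username/password pair, or null.
 * Assumed schema: users(id INT, username VARCHAR, password_hash VARCHAR).
 */
function authenticate_user(mysqli $db, string $username, string $password): ?int
{
    // Prepared statement: the raw username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

/**
 * Handle a login POST. Returns true on success and populates the session.
 */
function login(mysqli $db, array $post): bool
{
    // Sanity checks the accepted answer refers to: reject arrays, missing
    // fields and over-long input before the value goes anywhere.
    if (!isset($post['username'], $post['password'])
        || !is_string($post['username']) || !is_string($post['password'])
        || strlen($post['username']) > 64) {
        return false;
    }

    $userId = authenticate_user($db, $post['username'], $post['password']);
    if ($userId === null) {
        return false;
    }

    // Wrikken's point: a fresh session id on login, so an id that was
    // already in the browser before authentication is not carried over.
    session_regenerate_id(true);

    // Only this code path writes the key, and it writes an int.
    $_SESSION['user_id'] = $userId;
    return true;
}

/**
 * Later requests read the value back. It was stored as an int, so no
 * escaping is needed to use it as one; the cast documents that assumption
 * and covers session handlers that hand back strings.
 */
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}
```

Nothing in the question's `htmlentities(strip_tags(...))` chain is needed here: the id is an integer by construction, and HTML escaping is an output-time concern for strings that are echoed into a page, not something to apply to a value before it is stored.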
A: 

You could always use session_id() instead which should work.

webdestroya
A: 

Not really a security expert, but you could cast it anyway: (int) $_SESSION['user_id']

A: 

You have absolute control over what you put in $_SESSION, so there are some types of sanitation checks that should be done prior to putting the values in $_SESSION (e.g., did the user submit an array, is it longer than what's permitted, etc.).

However, if you're asking if you should escape the strings before passing them to the database, the answer is yes (a user name that's valid may or may not contain the character ', for instance). Better yet, use prepared statements if possible.

Artefacto
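To make the difference between escaping and prepared statements concrete, here is an added example (not Artefacto's code) showing the same lookup written three ways against an assumed `orders(id, total, user_id)` table: raw concatenation of the session value, `real_escape_string()` inside a quoted literal, and a bound integer parameter. The function names are assumptions.

```php
<?php
// Added example, not from the original answer. Schema and names are assumed.
declare(strict_types=1);

// 1. Unsafe: whatever string is in the session is spliced into the SQL text.
//    Only acceptable if you trust every code path that ever wrote the key,
//    which is exactly the assumption the thread says you should not rely on.
function orders_unsafe(mysqli $db, string $userId): ?mysqli_result
{
    $res = $db->query("SELECT id, total FROM orders WHERE user_id = '" . $userId . "'");
    return $res instanceof mysqli_result ? $res : null;
}

// 2. Escaping: correct only when the escaped value sits inside quotes in the
//    SQL. Calling real_escape_string() and then dropping the result into a
//    bare (unquoted) numeric position gives no protection at all.
function orders_escaped(mysqli $db, string $userId): ?mysqli_result
{
    $safe = $db->real_escape_string($userId);
    $res = $db->query("SELECT id, total FROM orders WHERE user_id = '" . $safe . "'");
    return $res instanceof mysqli_result ? $res : null;
}

// 3. Prepared statement: SQL text and value travel separately, the server
//    never parses the value as SQL, and the 'i' type forces an integer.
//    This is the form Artefacto recommends.
function orders_prepared(mysqli $db, int $userId): array
{
    $stmt = $db->prepare('SELECT id, total FROM orders WHERE user_id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage on a page after login (session already started):
// $rows = orders_prepared($mysqli, (int) $_SESSION['user_id']);
```

The integer cast from the `(int) $_SESSION['user_id']` answer and the bound `i` parameter reinforce each other: the cast guarantees the PHP type, the prepared statement guarantees the value can never change the shape of the query. `htmlentities()` does not belong in either path; it is applied when a string is written into HTML output.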