Question for Magic (or any other PHP programmer)

Forum Archive - from http://theuniversal.net
Magicfinger
Staff
Posts: 1078
Joined: Tue Sep 30, 2003 10:38 am
Location: here,there and everywhere

Post by Magicfinger »

OK, the no-bullshit method :)

Write to a cookie:

Code:

setcookie("user", $username, time()+604800); /* Expires in a week */
Read from a cookie:

Code:

$user = $_COOKIE["user"]; // $HTTP_COOKIE_VARS was the old name for this array; it was removed in PHP 5.4
theseer
VIP
Posts: 782
Joined: Sat Dec 04, 2004 9:50 am

Post by theseer »

The unclean, horribly inefficient method, by Seer:

$user = "MonkeyLover";

// The mysql_* functions used here were removed in PHP 7; mysqli or PDO replace them.
$query = "SELECT * FROM `whatsisadatabase_user` WHERE username = '$user'";
$query2 = mysql_query($query); // lazy man's error reporting: append  or die("Oh noes! An Error: " . mysql_error());
$monkeydroppings = mysql_fetch_array($query2);

// The variable must sit outside the quotes: '$monkeydroppings[password]' in single
// quotes would store that literal text in the cookie instead of the value.
setcookie('user', $monkeydroppings['password'], time() + 604800);
Magicfinger
Staff
Posts: 1078
Joined: Tue Sep 30, 2003 10:38 am
Location: here,there and everywhere

Post by Magicfinger »

Just out of interest, it's not good practice to set passwords in a cookie :)
MSDN wrote: Use Cookies Securely
Cookies are an easy and useful way to keep user-specific information available. However, because cookies are sent to the browser's computer, they are vulnerable to spoofing or other malicious use. Follow these guidelines:

Do not store any critical information in cookies. For example, do not store a user's password in a cookie, even temporarily. As a rule, do not store any sensitive information in a cookie. Instead, keep a reference in the cookie to a location on the server where the information is located.

Set expiration dates on cookies to the shortest practical time you can. Avoid permanent cookies if possible.

Consider encrypting information in cookies.

Consider setting the Secure and HttpOnly properties on your cookies to true.
Also, with Seer's method, ensure that $username is gathered from a cookie read or a $_REQUEST['username'], else you are vulnerable to SQL insertion.
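As an added example, not code from anyone in this thread, here is Seer's login snippet rewritten to follow the two points Magicfinger raises: the cookie carries only a random reference to a server-side session record rather than the password, with a short expiry and the Secure and HttpOnly flags set, and the username is bound as a prepared-statement parameter so user-supplied input cannot alter the SQL. The table and column names (users, password_hash, sessions, token_hash, expires_at), the DSN and the database credentials are assumptions made for the example.

```php
<?php
// Added example (not from the thread): cookie holds a session token, not the password,
// and the lookup uses a prepared statement. Schema and DSN below are assumed.
declare(strict_types=1);

const COOKIE_NAME = 'session';
const SESSION_LIFETIME = 60 * 60 * 2; // two hours: the shortest practical time, not a week

function connect(): PDO
{
    // Placeholder DSN and credentials; replace with your own.
    return new PDO(
        'mysql:host=localhost;dbname=whatsisadatabase;charset=utf8mb4',
        'dbuser',
        'dbpass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Verify a login and return the user id, or null on failure. Because $username is
// bound as a parameter, a value such as "' OR '1'='1" is compared as a literal string
// and never parsed as part of the query.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Start a session: a random 256-bit token goes to the browser; only its SHA-256 hash
// is stored server-side, so reading the sessions table alone does not yield a usable cookie.
function startSession(PDO $pdo, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([
        hash('sha256', $token),
        $userId,
        date('Y-m-d H:i:s', time() + SESSION_LIFETIME),
    ]);

    setcookie(COOKIE_NAME, $token, [
        'expires'  => time() + SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Resolve the cookie back to a user id, or null if it is missing, malformed, expired or unknown.
function currentUser(PDO $pdo): ?int
{
    $token = $_COOKIE[COOKIE_NAME] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // reject anything that is not a token we could have issued
    }
    $stmt = $pdo->prepare('SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > NOW()');
    $stmt->execute([hash('sha256', $token)]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Usage on the login page (form fields assumed to be named username and password):
// $pdo = connect();
// $id = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($id !== null) {
//     startSession($pdo, $id);
// }
```

The password column is expected to hold a password_hash() result, so the plaintext password is never stored or compared directly; if the cookie is stolen it can be invalidated by deleting the matching sessions row, which is not possible when the cookie itself is the password.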