The $_COOKIE array contains cookie data provided by the user's browser. Cookies are
strings that are passed back and forth between the web server and browser to maintain
a unique key. They are useful for storing information about a user on that user's computer;
you can use the PHP setcookie() function to send a cookie to the user's browser.
Each subsequent time the user visits your site, his browser automatically provides the
cookie data. Cookies can be set to expire once the user closes their browser, at a later
date, or never. A good use for cookies is to remember what news articles users have
read and to show them new articles that they haven't read yet. Note that cookies should
never be used to store confidential information, as they are not secure. In addition, they
shouldn't be used to store information critical to your application, since users can move
among computers, or modify or delete cookies at any time. Cookies have been widely
abused by companies trying to track user web surfing and shopping habits, and so
informed users tend to treat them with suspicion and often block them. For these reasons,
we recommend you don't make extensive use of cookies, and we don't go into
details of cookies in this topic.
There's one more superglobal array that you should know about. The $_SERVER array
contains information on the server configuration and the currently executing script. In
this topic, we use one item from this array: the $_SERVER["PHP_SELF"] variable, which
contains the relative path from the document root to the currently executing script. For
example, the $_SERVER["PHP_SELF"] value for the script http://www.invyhome.com/shop/
process.php will be /shop/process.php. You can find a full list of PHP variables in the
output of the phpinfo.php page that you created in “Checking Whether Your Apache
Installation Supports PHP” in Chapter 2.
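The following script is an added example, not code from the book, showing the two superglobals just described working together: it remembers the last news article a visitor read in a cookie, reads that cookie back through $_COOKIE, and uses $_SERVER["PHP_SELF"] as a form action. The cookie name, the article ids, and the request parameter are assumptions for this example, and the options-array form of setcookie() assumes PHP 7.3 or later. Because both arrays are filled from whatever the browser sends, the script validates the cookie value before using it and HTML-escapes PHP_SELF before printing it.

```php
<?php
// Added example (not from the book): remembering the last article a visitor read
// with a cookie, and building a self-submitting form with $_SERVER["PHP_SELF"].
// Both arrays are filled from what the browser sends, so nothing in them is trusted.

// Cookie name and article ids are assumptions for this example.
const LAST_READ_COOKIE = 'last_read_article';
const ARTICLE_ID_PATTERN = '/^[1-9][0-9]{0,8}$/';   // small positive integer

// Read the cookie back; accept only a small positive integer and treat anything
// else (missing, edited by the user, wrong type) as "no cookie".
function lastReadArticleId(array $cookies): ?int
{
    if (!isset($cookies[LAST_READ_COOKIE])) {
        return null;
    }
    $value = $cookies[LAST_READ_COOKIE];
    if (!is_string($value) || !preg_match(ARTICLE_ID_PATTERN, $value)) {
        return null;
    }
    return (int) $value;
}

// Send (or refresh) the cookie. The user can read and edit it, so only a
// non-sensitive preference goes in it. HttpOnly keeps page scripts from reading
// it, Secure restricts it to HTTPS, SameSite limits cross-site sending.
function rememberArticle(int $articleId): void
{
    setcookie(LAST_READ_COOKIE, (string) $articleId, [
        'expires'  => time() + 30 * 24 * 60 * 60, // 30 days; 0 would mean "until the browser closes"
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// PHP_SELF reflects the request path, which the visitor controls, so it is
// escaped before being placed inside an HTML attribute.
function selfFormAction(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
}

$lastRead = lastReadArticleId($_COOKIE);

// Assumed request parameter: ?article=123 marks that article as read.
if (isset($_GET['article']) && is_string($_GET['article'])
        && preg_match(ARTICLE_ID_PATTERN, $_GET['article'])) {
    rememberArticle((int) $_GET['article']);   // must run before any output is sent
    $lastRead = (int) $_GET['article'];
}

header('Content-Type: text/html; charset=UTF-8');
echo '<p>Last article read: ', $lastRead === null ? 'none yet' : $lastRead, "</p>\n";
echo '<form method="post" action="', selfFormAction($_SERVER), '">', "\n";
echo '  <input type="submit" value="Reload">', "\n";
echo "</form>\n";
```

Note that setcookie() only succeeds if it is called before the script produces any output, which is why the cookie is set before the header() and echo calls.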
Untainting User Data
When you make scripts accessible from the Web, they are vulnerable to security problems
caused by deliberate or accidental abuse from users all over the world. When your
scripts process input provided by users, you must be even more vigilant and validate
the data to ensure that it is in the format and size your scripts expect and must handle.
Let's look at three issues.
Limiting the Size and Type of Input Data
Many problems are caused by the system encountering data that it can't handle; for
example, a user may try to log in to the system with a login name that is longer than
the database can handle, resulting in unexpected behavior. An attacker may try to
overload your script with more data than it can handle and in this way cause something
to break. You should limit the amount of data that you accept and process. There are
server variables that you can configure to do this, but we won't look at those. Instead,
we'll look at how your script can reject excess data.
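As an added example (not the book's own code) of a script rejecting excess data on its own, the following login handler refuses a request whose body is larger than expected and then checks each field for type, byte length, and allowed characters before any of it reaches the database. The field names, the limits, and the character patterns are assumptions chosen for the example and would be matched to the real column definitions in practice.

```php
<?php
// Added example (not the book's code): rejecting input that is larger or of a
// different type than the script is prepared to handle. Field names and limits
// are assumptions chosen for this example.

// Reject the whole request early if the body is larger than we ever expect.
// CONTENT_LENGTH comes from the browser, so it is a hint, not a guarantee;
// the per-field checks below still run on what actually arrived.
const MAX_REQUEST_BYTES = 4096;

function requestTooLarge(array $server, int $limit = MAX_REQUEST_BYTES): bool
{
    $length = (string) ($server['CONTENT_LENGTH'] ?? '0');
    return !ctype_digit($length) || (int) $length > $limit;
}

// Validate one field: it must be a plain string (not an array smuggled in as
// name[]), within a byte-length ceiling, and match the characters we allow.
// Returns null when the field should be rejected.
function validatedField(array $input, string $name, int $maxBytes, string $pattern): ?string
{
    if (!isset($input[$name]) || !is_string($input[$name])) {
        return null;
    }
    $value = $input[$name];
    if (strlen($value) > $maxBytes || !preg_match($pattern, $value)) {
        return null;
    }
    return $value;
}

// Limits chosen to match what the (assumed) database columns can hold.
$rules = [
    'username' => [20, '/^[A-Za-z0-9_]{1,20}$/'],
    'password' => [64, '/^[\x21-\x7E]{8,64}$/'],  // printable ASCII, 8 to 64 characters
];

if (requestTooLarge($_SERVER)) {
    http_response_code(413);
    exit("Request too large\n");
}

$errors = [];
$clean  = [];
foreach ($rules as $field => [$maxBytes, $pattern]) {
    $value = validatedField($_POST, $field, $maxBytes, $pattern);
    if ($value === null) {
        $errors[] = "Field '$field' is missing, too long, or contains unexpected characters.";
    } else {
        $clean[$field] = $value;
    }
}

if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $error) {
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// $clean now holds only values the rest of the script (and the database) can handle.
echo 'Welcome, ', htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8'), "\n";
```

The check on strlen() measures bytes rather than characters, which is the limit that matters when the value is headed for a fixed-width database column; a script that needs a character count for multi-byte text would use mb_strlen() alongside it.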