Mysql real escape string and cookies

Question

Mysql real escape string and cookies

Is there any reason this is bad form? The only user input on the page is

// Set username and password from cookies $username = mysql_real_escape_string($_COOKIE["username"]); $password = mysql_real_escape_string($_COOKIE['password']);

I am REALLY new to the idea of disinfection. Is there any reason this is a terrible way to do something?

0

sql php mysql mysql-real-escape-string sanitization

user187680 Jul 02 '12 at 21:04

source share

1 answer

Nikola K. · Answer 1 · 2012-07-02T21:05:50+0000

NEVER, NEVER store user data in cookies!

Here is what I suggest:

save user id in cookie
create a special token and hash + salt and save them in cookies.
store everything in the database
receive data from cookies at each page load and look for them in the database
if not found, then log out
change token at every page load

Mysql real escape string and cookies

More articles: