
Is there any reason this is bad form? The only user input data on the page is

    // Set username and password from cookies.
    // mysql_real_escape_string() needs an open mysql_* connection; without one
    // it emits a warning and returns false, so the values would be empty.
    $username = mysql_real_escape_string($_COOKIE["username"]);
    $password = mysql_real_escape_string($_COOKIE['password']);

I am REALLY new to the idea of sanitizing. Is there any reason this is a terrible way of doing things?

user187680

1 Answer


NEVER, EVER store users' data in cookies!

Here's what I suggest:

  • store user's ID in cookie
  • generate special token and hash+salt and store them in cookies
  • store everything in database
  • get data from cookies on every page load and try searching for them in database
  • if not found, then logout a user
  • change token on every page load

Nikola K.
  • Can you explain to me what the issue is? Storing the user's ID in the cookie is half of what I'm doing... the other half is storing a hashed version of their password. Based on Lokesh's answer I think it might be better to use "base64" rather than hash... other than that, what's the issue? – user187680 Jul 02 '12 at 21:17
  • +1 One additional suggestion: Dump the `mysql_*` functions and switch to `PDO` or `mysqli` for database handling. – jeroen Jul 02 '12 at 21:18
  • lol, @jeroen That was originally what I was asking, if it was okay to use mysql... But clearly I need to resolve this "cookies are illegal" thing first. – user187680 Jul 02 '12 at 21:19
  • @user187680 don't store plain-text (or encrypted...) passwords anywhere, not on your server and not on the visitor's computer. – jeroen Jul 02 '12 at 21:21
  • @jeroen now I'm really lost. If I don't have a hashed version of their pass on my server (in my SQL database) how can I verify? – user187680 Jul 02 '12 at 21:22
  • @user187680 Hashed is not the same as encrypted. Hashed (+salted) versions are exactly what you should store if you need to store them. – jeroen Jul 02 '12 at 21:23
  • @user187680 I hope this will help: [PHP Secure Login Tips and Tricks](http://hungred.com/useful-information/php-secure-login-tips-and-tricks/) – Nikola K. Jul 02 '12 at 21:25
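The scheme the answer lists (user ID plus a random token in the cookie, everything looked up in the database on each request, logout on a miss, token rotated on every load), combined with the advice in the comments (hashed passwords, PDO instead of `mysql_*`), written out as a runnable example. This is added code, not from the question, the answer or the linked article; it uses an in-memory SQLite database so it runs from the CLI on PHP 7.3+, and the table, column and cookie names are assumptions made here. The cookie check is a function that takes an array, so `$_COOKIE` and a constructed test array are handled the same way.

```php
<?php
// Added example, not code from the question or the answer: the answer's
// token-in-cookie scheme plus the comments' advice (hashed passwords, PDO).
// Runs from the CLI against an in-memory SQLite database; the table, column
// and cookie names are assumptions made here.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
    $db->exec('CREATE TABLE login_tokens (user_id INTEGER, token_hash TEXT, expires INTEGER)');
    return $db;
}

// Registration stores only the password_hash() output (salted, slow hash),
// never the password itself in any form, hashed or not, in a cookie.
function register(PDO $db, string $name, string $password): int {
    $st = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $st->execute([$name, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}

// Login verifies against that hash and, on success, issues the first token.
function login(PDO $db, string $name, string $password): ?array {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return issue_token($db, (int) $row['id']);
}

// The token is 32 random bytes. The cookie carries the hex value; the database
// keeps only its SHA-256, so a leaked table does not yield working cookies.
// (A random 256-bit token needs no salt; salting matters for low-entropy
// secrets such as passwords.)
function issue_token(PDO $db, int $userId, int $ttl = 30 * 86400): array {
    $token = bin2hex(random_bytes(32));
    $st = $db->prepare('INSERT INTO login_tokens (user_id, token_hash, expires) VALUES (?, ?, ?)');
    $st->execute([$userId, hash('sha256', $token), time() + $ttl]);
    return ['uid' => (string) $userId, 'token' => $token];
}

// Per-request check, fed with $_COOKIE (or a constructed array in a test).
// Returns the cookies to set for the next request, or null to log the user out.
function authenticate(PDO $db, array $cookies): ?array {
    if (!isset($cookies['uid'], $cookies['token'])
        || !preg_match('/\A[0-9]{1,18}\z/', $cookies['uid'])
        || !preg_match('/\A[0-9a-f]{64}\z/', $cookies['token'])) {
        return null;                       // malformed: never reaches the database
    }
    $userId    = (int) $cookies['uid'];
    $presented = hash('sha256', $cookies['token']);
    $st = $db->prepare('SELECT token_hash FROM login_tokens WHERE user_id = ? AND expires > ?');
    $st->execute([$userId, time()]);
    $matched = false;
    foreach ($st->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $presented)) {   // constant-time compare
            $matched = true;
        }
    }
    if (!$matched) {
        return null;                       // unknown or expired: log the user out
    }
    // Rotation: the presented token is consumed and a new one issued.
    $del = $db->prepare('DELETE FROM login_tokens WHERE user_id = ? AND token_hash = ?');
    $del->execute([$userId, $presented]);
    return issue_token($db, $userId);
}

// In a web request the result of authenticate() goes out like this; the flags
// keep the cookie off plain HTTP and out of reach of page scripts.
function send_cookies(?array $c): void {
    foreach (['uid', 'token'] as $name) {
        setcookie($name, $c[$name] ?? '', [
            'expires'  => $c === null ? 1 : time() + 30 * 86400,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
}

// Walk-through with constructed data (no real users involved).
$db = open_db();
register($db, 'alice', 'correct horse battery staple');
$first  = login($db, 'alice', 'correct horse battery staple');
$second = authenticate($db, $first);                 // valid: token rotated
$ok = login($db, 'alice', 'wrong') === null
    && $second !== null && $second['token'] !== $first['token']
    && authenticate($db, $first) === null            // old token was consumed
    && authenticate($db, ['uid' => '1', 'token' => "' OR 1=1 --"]) === null;
echo $ok ? "demo ok\n" : "demo FAILED\n";
```

Two things worth knowing before copying this pattern. Rotating on every page load, as the answer's last step says, races with itself: a page and an AJAX call sent at the same time both carry the old token, the second one arrives after it has been consumed and is logged out, so real deployments rotate on an interval or keep the previous token valid for a short grace period. And the cookie must hold a random token rather than any form of the password, hashed or base64-encoded: a stolen cookie value would otherwise be a replayable credential and, for a hash, an offline cracking target, whereas a stolen token can be revoked by deleting one row.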