Cookie Trouble
zidian
08-04-2007, 07:34 AM
Big problem, somebody figured out how to change a cookie on my site using javascript. How did they do that? I have custom pages, could they have inserted the code there? I know the guy who did it and I will ask him, but if I strip the code, will I still be 100% safe with non-encrypted code that can only be edited from my site?
If you do not have the solution, I also need to know how to set a cookie in my base domain. Like set a cookie for my whole site from a folder. It doesn't want to work. Any ideas? I need this to fix the problem above if no one can help.
PLZ PLZ PLZ PLZ PLZ - THNX THNX THNX THNX THNX !!!!!
UnlimitedMB
08-04-2007, 02:14 PM
anyone can edit cookies. you must validate cookies in your script. one quick way is to md5 with the cookie value and a secret string.
cr0wonline
08-04-2007, 03:06 PM
As for editing a cookie, in the address bar of your site, simply enter: javascript: document.cookie='COOKIE_NAME=COOKIE_VALUE';
zidian
08-04-2007, 08:11 PM
Would this fix it?
<?php
include ('mysql_connect.php');
$zidianusername = $_COOKIE['zidianusername'];
$zidianpassword = $_COOKIE['zidianpassword'];
$validateQuery = mysql_query("SELECT * FROM `members` WHERE `username`='$zidianusername' AND `password`='$zidianpassword'");
$validateData = mysql_num_rows($validateQuery);
if ($validate<1) {
setcookie('zidianusername', 0);
setcookie('zidianpassword', 0);
setcookie('zidianloggedin', 0);
setcookie('zidianmemory', 0);
die("<center><font size=1 face=arial>Attempted injection, user logged out.</font></center>");
}
?>
zidian
08-04-2007, 10:55 PM
For that to work, however, I need to know how to set cookies for my whole site from any folder. I tried that patch, but in any other folder, it created a whole new source.
Ex:
When I set it in the index the cookie's base is '/' and it can be read from any folder.
However, when I run the same script in a folder like 'beta_forums', the cookie's base is '/beta_forums/' and can only be read from files in that folder.
Any geniuses that can help me... plz... =(
zidian
08-04-2007, 11:52 PM
I need to know how to set cookies for my whole site from any folder. I tried, but in any other folder, it created a whole new source.
Ex:
When I set it in the index the cookie's base is '/' and it can be read from any folder.
However, when I run the same script in a folder like 'beta_forums', the cookie's base is '/beta_forums/' and can only be read from files in that folder.
Any geniuses that can help me... plz... =(
zidian
08-05-2007, 01:54 AM
No one answers my question fully, help~~~!
UnlimitedMB
08-05-2007, 02:17 AM
you just set a cookie with path=/
If you're using php read here
http://www.php.net/manual/en/function.setcookie.php
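The two suggestions above (validate the cookie against a secret string, and set it with path=/), as an added example that is not part of the original thread or any poster's code. It uses HMAC-SHA256 in place of the plain md5 mentioned earlier; SECRET_KEY, the function names and the cookie name 'zidianuser' are assumptions made for illustration.

```php
<?php
// Added example. SECRET_KEY, the function names and the 'zidianuser' cookie
// are hypothetical; keep the key server-side, outside the web root.
const SECRET_KEY = 'replace-with-a-long-random-server-side-string';

// Return "payload.signature" so any client-side edit of the value is detectable.
function sign_value(string $value): string
{
    // HMAC-SHA256 stands in for md5(value . secret): same idea, a keyed
    // hash over the value that only the server can recompute.
    $payload = base64_encode($value);          // base64 never contains '.'
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return the original value, or null if the cookie was altered or malformed.
function verify_value(string $cookie): ?string
{
    if (substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) {
        return null;                           // constant-time compare failed
    }
    $value = base64_decode($payload, true);
    return $value === false ? null : $value;
}

// Call after a successful login. The fourth argument is the path:
// '/' makes the cookie readable from every folder (index, /beta_forums/, ...)
// no matter which folder the script that sets it lives in.
function issue_login_cookie(string $username): void
{
    setcookie('zidianuser', sign_value($username), time() + 3600, '/');
}

// Call on each request: trust the cookie only if its signature checks out.
function current_user(): ?string
{
    $raw = $_COOKIE['zidianuser'] ?? null;
    // A client can send zidianuser[]=x, which arrives as an array.
    $user = is_string($raw) ? verify_value($raw) : null;
    if ($raw !== null && $user === null) {
        setcookie('zidianuser', '', time() - 3600, '/'); // expire tampered cookie
    }
    return $user;
}
```

Both setcookie() calls must run before any output is sent, and the expiring call has to use the same path as the one that set the cookie.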
UnlimitedMB
08-05-2007, 02:43 AM
Never put php variables into a sql query without going through mysql_escape_string()
Because if someone enters a username like '; DROP DATABASE; ' or similar thing, they can mess with your database.
if ($validate<1) {
should be
if ($validateData<1) {
zidian
08-05-2007, 05:02 AM
Could you give me an example, because I already read that and it doesn't work : (
Tyler
08-05-2007, 05:23 AM
i merged your threads together, there is no reason for you to create a new thread about the exact same thing.