Re: Crumbling Cookies, Passed Page Values, and File Handling

You can use a variable as the second argument to open; the variable will be stringified and treated as a filename.

As for what you save in cookies, it's always best to store as little as possible to prevent problems with data loss. Basically, you should create a sessionID that is a hash of several factors (you don't want to use just IP alone, for example), and set that as the only item in the cookie. Use a database for tracking the current order session, and make sure to include code that will invalid that sessionID after a long enough time that a user will no longer be shopping on your site (30 minutes is the lowest you'd want to go with this).

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
"I can see my house from here!"
It's not what you know, but knowing how to find it if you don't know that's important

Comment on Re: Crumbling Cookies, Passed Page Values, and File Handling

Replies are listed 'Best First'.
Re: Re: Crumbling Cookies, Passed Page Values, and File Handling by kwoff (Friar) on Oct 28, 2001 at 04:31 UTC
I ditto Masem's answer (glad I hit Refresh before replying :). I think you really should use a database for this. Whatever you do, don't have the CGI params determine what the filename is... I've been able to use shopping cart scripts to look at arbitrary files on their system including /etc/passwd and the script itself by using a URL like `http://foo.com/cgi-bin/cart.pl?....&FILE=../../../cgi-bin/cart.pl` [download] basically getting arbitrary information from their system. (I let them know through a throw-away hotmail account and surfed the site through safeweb.com -- be careful when telling people you were probing their shopping cart) Like Masem said avoid putting information into a cookie, another reason being so that people can't set their prices arbitrarily. If you're processing orders "in house", then you might be more likely to overlook that somebody gave themself a rebate. Anyway, if you can avoid cookies, you should try to.	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: Crumbling Cookies, Passed Page Values, and File Handling
by kwoff (Friar) on Oct 28, 2001 at 04:31 UTC

I ditto Masem's answer (glad I hit Refresh before replying :).

I think you really should use a database for this. Whatever you do, don't have the CGI params determine what the filename is... I've been able to use shopping cart scripts to look at arbitrary files on their system including /etc/passwd and the script itself by using a URL like

http://foo.com/cgi-bin/cart.pl?....&FILE=../../../cgi-bin/cart.pl
[download]

basically getting arbitrary information from their system. (I let them know through a throw-away hotmail account and surfed the site through safeweb.com -- be careful when telling people you were probing their shopping cart)

Like Masem said avoid putting information into a cookie, another reason being so that people can't set their prices arbitrarily. If you're processing orders "in house", then you might be more likely to overlook that somebody gave themself a rebate. Anyway, if you can avoid cookies, you should try to.

[reply]
[d/l]