I am not a cyber attack specialist and I have a small question about the safety of my projects. Basically, one of the ways I protect myself against SQL injection is by creating a `treatString()` function, for example, and all data coming in externally I filter through that function. Beautiful! It works...!
I know that it's possible to manipulate a browser's COOKIES in a malicious way so that when the application uses `$_COOKIES`, the injection happens. So I also filter them through the above function.
The question is... can the SESSION variables also be manipulated maliciously? Should I be safe with them too? Is it possible to manipulate them externally, just like the COOKIES?
If yes, I'm screwed. In all the projects I created, I did not foresee injection via SESSION, and the first ones I did also did not use PDO to connect to the database. And worse, I remember working directly with the session variables in the SQL statements.
Any guess?
Thank you for your support. Hugs!!
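The post contrasts filtering input through a helper function with using PDO. The example below is added by the editor and is not the poster's code: it shows the same lookup written two ways, once with a value from `$_SESSION` concatenated into the SQL text (the pattern the poster describes) and once with a PDO prepared statement, so the difference is visible when the session value is one that was originally copied from a request. Session data lives on the server, but the values placed into it usually come from a form, cookie or URL at some earlier point, so a query that splices them into SQL is exposed in the same way as one built from `$_COOKIE`. The in-memory SQLite database, the `users` table and the two function names are constructed for this demo; the session value is set directly in the script rather than through a login flow.

```php
<?php
// Added example (editor's, not the poster's code): a value read from $_SESSION
// used in a query built by string concatenation versus the same query with a
// PDO prepared statement. Uses an in-memory SQLite database so it runs stand-alone.
declare(strict_types=1);

// For the demo we populate $_SESSION ourselves instead of calling session_start();
// in a real application this value would have been stored at login from request data.
$_SESSION['username'] = "alice' OR '1'='1";   // constructed sample value

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Pattern the question describes: the session value becomes part of the SQL text,
// so its quotes and keywords change the structure of the statement.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value travels as a parameter,
// so it is only ever compared against the name column, whatever it contains.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$unsafe = findUserUnsafe($pdo, $_SESSION['username']);
$safe   = findUserSafe($pdo, $_SESSION['username']);

// The concatenated query matches every row because the WHERE clause was rewritten;
// the parameterised query matches none, since no user is literally named that.
printf("concatenated query returned %d row(s)\n", count($unsafe));
printf("prepared statement returned %d row(s)\n", count($safe));
```

The point for the poster's situation is that the source of the value (cookie, form field or session) does not change the defence: any value that reaches the SQL text should go through a bound parameter, and a filtering helper such as `treatString()` is at best a second layer in front of that.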