Be careful about hidden variables and form variables.  A clever user can
create a new form with custom edited fields and ACTION="yoursite.com".

For instance, if you keep a hidden variable:

<INPUT TYPE=HIDDEN NAME='authorization_bool' VALUE='FALSE'>

It's not very hard for a computer-savvy person to create a new form
where it says:

<INPUT TYPE=HIDDEN NAME='authorization_bool' VALUE='TRUE'>

And circumvent your authorization.

-Dan

On Fri, 2003-09-05 at 10:32, bob pilly wrote:
> Hi all, I know this isn't strictly a PHP question but
> thought you would be a good group to ask because of
> your experience. 
> 
> Are there any security issues with passing data via the
> POST method from a webserver to a different webserver
> running SSL? For example:
> 
> webserver1
> 
> <form name='form1' method='POST'
> action='https://webserver2/login.php'>
> <input type='hidden' value='lalala' name='data'>
> </form>
> and then just using <?php $data = $_POST['data']; ?> on
> webserver 2 to retrieve the data?
> 
> Thanks for any help in advance.

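An added example, not part of the thread: one way webserver2 can detect that a hidden field posted from webserver1's form was edited in transit through the browser, by having webserver1 attach an HMAC and a timestamp that webserver2 checks before using the value. The names SHARED_KEY, MAX_AGE, sign_field() and verify_field() and the key string are assumptions made for illustration; a flag such as authorization_bool is better kept in server-side session state and never sent to the browser at all.

```php
<?php
// Added example; SHARED_KEY, MAX_AGE, sign_field() and verify_field() are
// hypothetical names. The key is a constructed sample: load a real one from
// configuration known only to webserver1 and webserver2.
const SHARED_KEY = 'constructed-sample-key-not-for-production';
const MAX_AGE = 300; // seconds a signed field stays acceptable

// webserver1: build the hidden-field value as "base64(value)|timestamp|mac".
function sign_field(string $value, int $now): string
{
    $payload = base64_encode($value) . '|' . $now;
    return $payload . '|' . hash_hmac('sha256', $payload, SHARED_KEY);
}

// webserver2: return the original value, or null if the field was altered,
// malformed, or is older than MAX_AGE. Pass $_POST['data'] ?? null as $field.
function verify_field($field, int $now): ?string
{
    if (!is_string($field)) {
        return null;                       // missing field or array injection
    }
    $parts = explode('|', $field);
    if (count($parts) !== 3) {
        return null;
    }
    [$b64, $ts, $mac] = $parts;
    $expected = hash_hmac('sha256', $b64 . '|' . $ts, SHARED_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    if (!preg_match('/^[0-9]{1,12}$/', $ts)) {
        return null;
    }
    $age = $now - (int) $ts;
    if ($age < 0 || $age > MAX_AGE) {
        return null;                       // replayed late or clock skew
    }
    $value = base64_decode($b64, true);
    return $value === false ? null : $value;
}

$now    = time();
$field  = sign_field('lalala', $now);      // what webserver1 puts in the form
$forged = str_replace(base64_encode('lalala'), base64_encode('TRUE'), $field);

var_dump(verify_field($field, $now));         // untouched field
var_dump(verify_field($forged, $now));        // value edited in a custom form
var_dump(verify_field($field, $now + 3600));  // genuine field submitted too late
```

The signature only proves the value came from webserver1 unchanged; a user can still resubmit a genuine field within MAX_AGE, so it does not replace an authenticated session on webserver2.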