John W. Holmes <mailto:[EMAIL PROTECTED]> on Thursday, March 18, 2004 7:11 PM said:
> Shane McBride wrote:
>> Actually all form validation is done before the form action takes
>> place, so that way we do not lose input.
>
> I think you're missing the point. Client side validation is extremely
> easy to bypass. If that's all you're relying on, you're in trouble.

Exactly, but I would like to elaborate on this a little by explaining how it can be bypassed.

If your form is being sent via GET then it's trivial to fudge with the values in the querystring. Therefore if I were to actually mount an attack I would do the following:

1. Fill out the form correctly so that it is submitted.
2. Copy the querystring that is created and determine what I want to change.
3. Come back to the site and, this time instead of filling out the form, I'm going to paste my fudged querystring directly into the address bar.

I've just circumvented your client side validation.

If your form is being sent via POST then it's a little less trivial, but any web savvy person, let alone someone that knows how to attack a website, is not going to be hindered by the increased difficulty in you using POST.

1. I'll go to the page with your form on it.
2. Duplicate your form on my own server without the JavaScript that performs the validation.
3. Submit the form that resides on my own server.

Again I've just circumvented your client side validation.

Of course these are very basic examples but I think they work to illustrate our point.

Question for Chris Shiflett: I haven't mentioned anything about how to prevent this except to say you shouldn't rely solely on client side validation. Is this topic going to be brought up in your book? If not (if it hasn't already gone to press) maybe it should?

Question for everyone: do you think it's a good idea to check the referrer on the second page or is that unnecessary?

<?php
// the referrer arrives as a request header; it may be missing entirely
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == "somewhere_i'm_expecting") {
    // process
} else {
    // don't process
}
?>

Chris.
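A server-side counterpart to the two bypasses described above, added here as an example; it is not part of the original post or of PHP's own distribution. It assumes a hypothetical signup form with email, age and username fields and validates them on the server with filter_var and a character whitelist, which behaves the same whether the values came from the real form, a hand-edited querystring or a copy of the form hosted elsewhere. The referrer helper is included only to show why the check asked about is a hint rather than a control: the Referer header is supplied by the client and may be absent, stripped by a proxy or set to anything.

```php
<?php
// Added example, not code from the original post. Field names, limits and the
// sample inputs below are constructed for illustration.

// Validate a submitted form on the server, independent of any JavaScript that
// may or may not have run in the browser. Returns a list of error messages;
// an empty list means the input is acceptable.
function validate_signup(array $input): array
{
    $errors = [];

    // Email: must be present and syntactically valid.
    $email = $input['email'] ?? '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is missing or not a valid address';
    }

    // Age: must parse as an integer inside a sane range ("abc", "-5", "" all fail).
    $age = filter_var(
        $input['age'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]
    );
    if ($age === false) {
        $errors[] = 'age must be a whole number between 13 and 120';
    }

    // Username: whitelist of characters and a length limit, so only expected
    // data reaches whatever stores it later.
    $user = $input['username'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $user)) {
        $errors[] = 'username must be 3-20 letters, digits or underscores';
    }

    return $errors;
}

// The referrer check from the post, made explicit about what it can and cannot
// tell you. It compares only the host part of the header against the host we
// expect. Because the header is client-supplied it is at best a hint; the
// validation above is what actually protects the processing step.
function referrer_matches_host(string $expected_host, ?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false; // many browsers and proxies send no Referer at all
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// Constructed sample inputs: a correctly filled form, and the same querystring
// after the values were edited by hand once the browser-side checks had run.
$good = [];
parse_str('email=alice%40example.com&age=34&username=alice_01', $good);
$fudged = [];
parse_str('email=nope&age=-5&username=a', $fudged);

var_dump(validate_signup($good));   // empty array: accepted
var_dump(validate_signup($fudged)); // three messages: rejected

var_dump(referrer_matches_host('www.example.com', 'http://www.example.com/form.php')); // true
var_dump(referrer_matches_host('www.example.com', null));                              // false

// In a real handler, read whichever method the client actually used and run the
// same validation, so GET and POST submissions are treated identically:
//   $input  = $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET;
//   $errors = validate_signup($input);
//   if ($errors !== []) { http_response_code(400); /* report and stop */ }
```

Run it with `php validate.php` from the command line; the two var_dump calls show the accepted and rejected cases without needing a web server. The point the post makes carries through: client-side checks are a convenience for the user, and only the server-side function decides what gets processed.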
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php