I guess if you even want to go crazy overboard with security, you could set a cookie on your form page, and check for its existence on the processing end. Or randomly generate an image with a number on the form page, and have the user input that number.
1LT John W. Holmes wrote:
> HTTP_REFERER can be spoofed, so don't rely on it for much.
>
> ---John Holmes...
>
> ----- Original Message -----
> From: "John Nichel" <[EMAIL PROTECTED]>
> To: "Paul Nicholson" <[EMAIL PROTECTED]>
> Cc: "Johnson, Kirk" <[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
> Sent: Friday, October 25, 2002 2:07 PM
> Subject: Re: [PHP] extract($_POST)
>
> > And if you want to take it a step further, to ensure that the values are
> > submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if
> > it's coming from your domain | page.
> >
> > Paul Nicholson wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote:
> > > > > And what should these precautions be? If a malicious user can
> > > > > submit his own form and you are looking for a POST variable, how
> > > > > can you ensure that $admin came from your form and not that
> > > > > user's?
> > > >
> > > > The problem is when a cracker uses form variables in an attempt to
> > > > set the values of "flag" variables kept only in the session, for
> > > > example, $isAdmin.
> > > >
> > > > As far as the form variables *you* put in your form, it doesn't
> > > > matter whether the user submits your form or a form they made
> > > > themselves. Those form variables are just data you are trying to
> > > > collect. With register_globals on, PHP takes *all* variables (GET,
> > > > POST, COOKIE) received from the client and assigns them to global
> > > > variables. So if the user posts a value for $isAdmin, she can give
> > > > herself admin privileges.
> > > >
> > > > The key is to retrieve *only* the form variables *you* put in the
> > > > form from the $_POST array. So don't write a loop and grab
> > > > *everything* from that array.
> > > >
> > > > Kirk
> > >
> > > Exactly! Not only should you retrieve *only* the vars you need from
> > > POST, you should also filter them to make sure they contain what
> > > you're looking for.....is_alpha($_POST['name']). And no, PHP doesn't
> > > have an 'is_alpha' function....I created that as part of a filtering
> > > class.
> > >
> > > ~Paul
> > >
> > > - --
> > > ~Paul Nicholson
> > > Design Specialist @ WebPower Design
> > > "The web....the way you want it!"
> > > [EMAIL PROTECTED]
> > > "It said uses Windows 98 or better, so I loaded Linux!"
> > > Registered Linux User #183202 using Register Linux System # 81891
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.0.6 (GNU/Linux)
> > > Comment: For info see http://www.gnupg.org
> > >
> > > iD8DBQE9uXoKDyXNIUN3+UQRAkugAJ0aftPjxhmV0tSk125UZSTCuWp47QCfaKJ7
> > > z5+ja1P4NtWUwVMCMsFVt2M=
> > > =UG2o
> > > -----END PGP SIGNATURE-----
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
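Worked example added here (not code posted by anyone in the thread) showing the register_globals / blind extract($_POST) problem Kirk describes, next to the allowlist-then-filter handling Kirk and Paul recommend. The request contents, the field names, the FormFilter class and its is_alpha() and is_email() methods are assumptions for illustration; PHP has no built-in is_alpha(), as Paul notes.

```php
<?php
// Added example, not from the thread. Demonstrates why pulling every
// client-supplied key into variables lets a forged form clobber a
// session-held flag, and how an explicit allowlist plus validation avoids it.
// FormFilter, is_alpha(), is_email() and the field names are assumptions.

declare(strict_types=1);

// Constructed request, standing in for what a hostile client might POST.
// The real form only defines 'name' and 'email'; 'isAdmin' is injected
// by the attacker from a home-made form.
$post = [
    'name'    => 'alice',
    'email'   => 'alice@example.com',
    'isAdmin' => '1',
];

// --- Vulnerable: trusting the whole array ----------------------------------
// Equivalent to register_globals=On, or calling extract($_POST) blindly:
// every client-supplied key becomes a local variable, including $isAdmin.
function vulnerableHandler(array $post): bool
{
    $isAdmin = false;        // a flag that should only ever come from the session
    extract($post);          // EXTR_OVERWRITE: attacker's 'isAdmin' => '1' wins
    return (bool) $isAdmin;  // privilege now decided by a form field
}

// --- Hardened: allowlist first, then filter each field ---------------------
final class FormFilter
{
    // Paul's hypothetical is_alpha(): letters only, bounded length, non-empty.
    public static function is_alpha(string $v, int $max = 64): bool
    {
        return $v !== '' && strlen($v) <= $max && ctype_alpha($v);
    }

    public static function is_email(string $v): bool
    {
        return filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
    }
}

/**
 * Read only the fields this form defines, validate each one, and keep the
 * privilege flag sourced from the session alone.
 * Returns the clean fields, or null if anything is missing or malformed.
 */
function hardenedHandler(array $post, bool $isAdminFromSession): ?array
{
    // The allowlist: field => validator. Any other key in $post is ignored.
    $expected = [
        'name'  => [FormFilter::class, 'is_alpha'],
        'email' => [FormFilter::class, 'is_email'],
    ];

    $clean = [];
    foreach ($expected as $field => $validator) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;                 // required field absent or wrong type
        }
        if (!$validator($post[$field])) {
            return null;                 // reject outright rather than "clean up"
        }
        $clean[$field] = $post[$field];
    }

    // 'isAdmin' in $post was never read, so a forged form cannot set it;
    // the only source of the flag is the server-side session.
    $clean['isAdmin'] = $isAdminFromSession;
    return $clean;
}

var_dump(vulnerableHandler($post));                  // flag forged via POST
var_dump(hardenedHandler($post, false)['isAdmin']);  // session value kept
var_dump(hardenedHandler(['name' => 'al1ce', 'email' => 'x'], false)); // rejected
```

Run with `php example.php`. The allowlist does the work Kirk describes (never loop over the whole array); the validators do the work Paul describes (each field must look like what the form asked for). Note that this only protects the variables your code reads; as John Holmes points out above, a Referer check adds nothing, since the client controls that header.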