CPT John W. Holmes wrote:
This is no good unless you're saving the value server side somewhere. With
this method, I can still post to your page from anywhere, so long as I set
the two variables the same.
Who cares if the data came from your page, just validate it!
No matter what you do, it can be
---John W. Holmes...
PHP Architect - A monthly magazine for PHP Professionals. Get your copy
today. http://www.phparch.com/
> -Original Message-
> From: Dennis Cole [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 8:54 PM
> To: CPT John W. Holmes
> Subject: RE: [PHP]
> If you are really that strict about it coming from you site, have your
form
> page create an image with five letters or numbers on it - like 4Y6O7. Have
it
> create a new one each time. Then use crypt to encrypt it and put the
> encrypted one into a form value, have the person that is submitting th
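The point made above is that a check which only compares two values the client itself supplies proves nothing, because whoever posts the form also chooses both values; the ticket has to be remembered on the server. The following is an added example, not code from anyone in this thread, of what that looks like for the shoutbox being discussed: a random ticket is issued when the form is rendered, stored in the session, and redeemed once on submit, after which the usual server-side content checks still run. It assumes PHP 7 or later with sessions enabled; the field name "ticket", the 10-minute lifetime and the length limits are assumptions.

```php
<?php
// Added example (not from the thread): a server-side "ticket" check for a
// shoutbox form, instead of comparing two client-supplied values.
// Assumes PHP 7+ and a working session store; the form field name
// "ticket", the lifetime and the length limits are assumptions.
session_start();

const TICKET_TTL = 600; // seconds a ticket stays valid (assumed)

// Called when rendering the form: creates a ticket the server remembers.
function issue_ticket(): string
{
    $ticket = bin2hex(random_bytes(16));
    $_SESSION['tickets'][$ticket] = time() + TICKET_TTL;
    return $ticket;
}

// Called when the form is posted: the ticket is valid only if this server
// issued it for this session, it has not expired, and it was not used before.
function redeem_ticket(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['tickets'])) {
        return false;
    }
    foreach ($_SESSION['tickets'] as $ticket => $expires) {
        if ($expires < time()) {
            unset($_SESSION['tickets'][$ticket]); // drop stale tickets
        }
    }
    foreach ($_SESSION['tickets'] as $ticket => $expires) {
        if (hash_equals($ticket, $submitted)) {
            unset($_SESSION['tickets'][$ticket]); // one use only
            return true;
        }
    }
    return false;
}

// Server-side content checks still apply: knowing the post came through
// the form is not a substitute for validating the data itself.
function clean_shout(string $name, string $text, int $maxlength = 500): ?array
{
    $name = trim(strip_tags($name));
    $text = trim(strip_tags($text));
    if ($name === '' || $text === '' || strlen($name) > 40 || strlen($text) > $maxlength) {
        return null;
    }
    return ['name' => $name, 'text' => $text];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!redeem_ticket($_POST['ticket'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired form ticket.');
    }
    $shout = clean_shout($_POST['name'] ?? '', $_POST['text'] ?? '');
    if ($shout === null) {
        http_response_code(400);
        exit('Invalid!');
    }
    // Insert $shout into the database here, using a prepared statement.
    exit('OK');
}

// GET: render the form with a fresh ticket embedded as a hidden field.
$ticket = htmlspecialchars(issue_ticket(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="ticket" value="' . $ticket . '">'
   . '<input name="name"> <textarea name="text"></textarea>'
   . '<button>Shout</button></form>';
```

A request that skips the form, or replays an old ticket, fails the `redeem_ticket` check regardless of what headers or referrer it carries, which is the property a client-side comparison cannot give; the `clean_shout` step is kept separate so that the content rules remain the real gate, as the thread keeps stressing.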
:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 9:43 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
Importance: Low
[EMAIL PROTECTED] wrote:
> Swear filtering is easy, I want to know how to make sure the data is
> coming from MY form... I'm just pick
[EMAIL PROTECTED] wrote:
Swear filtering is easy, I want to know how to make sure the data is
coming from MY form... I'm just picky like that. :-)
Hi,
I've done it via a "ticket" system
- into my form I've added field
- store the ticket number in database (optionally) with TimeToLive
- when POS
PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, March 12, 2003 9:02 AM
Subject: RE: [PHP] Hacker problem
> So we aren't actually validating "where" the data is coming from, we
> are just validating the data?
>
> -Original Message-
> From: Lei
Thanks! That's all I needed to know.
-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 9:04 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
That's just not possible.
[EMAIL PROTECTED] wrot
EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
$maxlength = 500; // maximum accepted length; undefined in the original snippet
if (stristr($text, 'badword') or stristr($text, 'badword2') or
    strlen($text) > $maxlength) {
    die('Invalid!');
}
[EMAIL PROTECTED] wrote:
So how could you validate it server-side?
-Original Message-
From: Leif K-B
PROTECTED]
Sent: Wednesday, March 12, 2003 8:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem
Why don't you just do the swear filtering on shoutb.php, or wherever
it's actually
bei
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem
Why don't you just do the swear filtering on shoutb.php, or wherever
it's actually
being inserted into the database?
On Wed, 2003-03-12 at 08:51, [EMAIL PROTECTED] wrote:
How would one go about doing t
So we aren't actually validating "where" the data is coming from, we
are just validating the data?
-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:57 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hack
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:44 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem
This could still be faked easily with a telnet session and some fake
http
headers. Your only way of making sure is to create a serversid
nesday, March 12, 2003 8:41 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
That can still easily be spoofed. The only safe way is to validate
the form server-side.
[EMAIL PROTECTED] wrote:
Yes, theoretically...you could require it to be posted data. In or
n Hardiker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:44 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem
This could still be faked easily with a telnet session and
How would one go about doing this?
-Original Message-
From: Dan Hardiker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:44 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem
This could still be faked easily with a telnet
en you
> could use the referrer along with this and it will only allow data from
> that specific form. Hope this helps!
>
> Brian Drexler
>
> -Original Message-
> From: Pag [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 8:35 AM
> To: [EMAIL PROTECTED]
>
that specific form. Hope this helps!
Brian Drexler
-Original Message-
From: Pag [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Hacker problem
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simpl
esday, March 12, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Hacker problem
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simple form with name and text that adds
lines to the
database. I do checks for insults, too long words, tags, etc
You're checking with javascript, correct? If so, try checking
server-side too.
Pag wrote:
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simple form with name and text that adds
lines to the database. I do checks for insults, too long words, tags,
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simple form with name and text that adds lines to the
database. I do checks for insults, too long words, tags, etc, but it's still
possible to circumvent those checks by adding the data on the url instead
of us