CPT John W. Holmes wrote:
This is no good unless you're saving the value server side somewhere. With
this method, I can still post to your page from anywhere, so long as I set
the two variables the same.
Who cares if the data came from your page, just validate it!
No matter what you do, it can be
---John W. Holmes...
PHP Architect - A monthly magazine for PHP Professionals. Get your copy
today. http://www.phparch.com/
> -Original Message-
> From: Dennis Cole [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 8:54 PM
> To: CPT John W. Holmes
> Subject: RE: [PHP]
> If you are really that strict about it coming from your site, have your
> form page create an image with five letters or numbers on it - like 4Y6O7.
> Have it create a new one each time. Then use crypt to encrypt it and put the
> encrypted one into a form value, have the person that is submitting th
Sent: Wednesday, March 12, 2003 9:43 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
Importance: Low
[EMAIL PROTECTED] wrote:
Swear filtering is easy, I want to know how to make sure the data is
coming from MY form... I'm just picky like that. :-)
Hi,
I've done it via a "ticket" system
- into my form I've added field
- store the ticket number in database (optionally) with TimeToLive
- when POS
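The ticket scheme in the message above, as an added example that is not code from the thread or from any of its posters. It assumes PHP 7+ (random_bytes, hash_equals and the ?? operator, none of which existed when this was written), keeps the tickets in an in-memory array rather than the database the poster mentions so it runs stand-alone from the CLI, and the function names, field names and the two limits (issue_ticket, redeem_ticket, handle_post, TICKET_TTL, MAX_TEXT) are my own choices.

```php
<?php
// Added example, not code from the thread or from any poster in it: the
// single-use, server-side "ticket" with a TimeToLive that the message
// above sketches. The ticket store is a plain PHP array so the script
// runs stand-alone (php ticket.php); on a real site it would be a
// database table or $_SESSION. Assumes PHP 7+ for random_bytes(),
// hash_equals() and the ?? operator, none of which existed in 2003.
// Field names, function names and the two constants are my own choices.

const TICKET_TTL = 600;   // assumed: a ticket is valid for 10 minutes
const MAX_TEXT   = 255;   // assumed: longest shoutbox line accepted

// Called when the form page is rendered: mint an unguessable ticket,
// remember it with its expiry time, and return it for the hidden field.
function issue_ticket(array &$store, int $now): string
{
    $ticket = bin2hex(random_bytes(16));   // 128 random bits, 32 hex chars
    $store[$ticket] = $now + TICKET_TTL;
    return $ticket;
}

// Called on POST: accept a ticket only if we issued it, it has not
// expired, and it has not been used before. Accepting deletes it, so
// replaying the same POST fails the second time.
function redeem_ticket(array &$store, string $submitted, int $now): bool
{
    foreach ($store as $ticket => $expires) {
        if ($expires < $now) {                 // sweep expired tickets
            unset($store[$ticket]);
        }
    }
    foreach ($store as $ticket => $expires) {
        if (hash_equals((string) $ticket, $submitted)) { // constant-time
            unset($store[$ticket]);                      // single use
            return true;
        }
    }
    return false;
}

// The shoutbox handler. A valid ticket proves the client fetched our form
// first; it says nothing about the data, so the content checks the rest
// of the thread argues for still run after it.
function handle_post(array &$store, array $post, int $now): string
{
    $ticket = $post['ticket'] ?? '';
    if (!is_string($ticket) || $ticket === ''
        || !redeem_ticket($store, $ticket, $now)) {
        return 'rejected: bad, expired or reused ticket';
    }
    $name = trim($post['name'] ?? '');
    $text = trim($post['text'] ?? '');
    if ($name === '' || $text === '' || strlen($text) > MAX_TEXT) {
        return 'rejected: bad data';
    }
    if (stristr($text, 'badword') !== false) {
        return 'rejected: swear filter';
    }
    // ...INSERT $name and $text into the database with a prepared statement.
    return 'ok';
}

// Walk-through with a constructed store and a fixed clock.
$store = [];
$now   = 1047456000;   // constructed timestamp

// 1. The form page is rendered and embeds the ticket in a hidden field.
$ticket = issue_ticket($store, $now);
echo '<input type="hidden" name="ticket" value="'
   . htmlspecialchars($ticket, ENT_QUOTES) . '">', "\n";

// 2. The real submission is accepted exactly once; replaying it is not.
$legit = ['ticket' => $ticket, 'name' => 'Pag', 'text' => 'hello'];
echo handle_post($store, $legit, $now), "\n";
echo handle_post($store, $legit, $now), "\n";

// 3. A ticket made up in a telnet session is rejected.
$forged = ['ticket' => str_repeat('0', 32), 'name' => 'x', 'text' => 'y'];
echo handle_post($store, $forged, $now), "\n";

// 4. A ticket presented after its TimeToLive has passed is rejected.
$stale = ['ticket' => issue_ticket($store, $now), 'name' => 'x', 'text' => 'y'];
echo handle_post($store, $stale, $now + TICKET_TTL + 1), "\n";
```

Two caveats worth keeping in mind. First, this is what the reply at the top of the page is asking for: the value is remembered on the server, so a client cannot satisfy the check just by sending two matching fields. Second, a ticket only proves that whoever is posting fetched the form page first, within the TTL, and has not used that ticket before; a script can GET the form, read the hidden value and POST it straight back, which is why the rest of the thread settles on validating the data itself. Storing the ticket in $_SESSION rather than a shared table, so it is only valid for the browser that was issued it, turns it into the usual CSRF token, but it still does not tell you a human typed into your form.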
Thanks! That's all I needed to know.
-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 9:04 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
That's just not possible.
[EMAIL PROTECTED] wrote:
Subject: Re: [PHP] Hacker problem
$maxlength = 255; // added: the original used an undefined constant here
if (stristr($text, 'badword') or stristr($text, 'badword2') or
    strlen($text) > $maxlength) {
    die('Invalid!');
}
[EMAIL PROTECTED] wrote:
So how could you validate it server-side?
-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem
Why don't you just do the swear filtering on shoutb.php, or wherever
it's actually
being inserted into the database?
On Wed, 2003-03-12 at 08:51, [EMAIL PROTECTED] wrote:
How would one go about doing t
So we aren't actually validating "where" the data is coming from, we
are just validating the data?
-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:57 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
Sent: Wednesday, March 12, 2003 8:41 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem
That can still easily be spoofed. The only safe way is to validate
the form server-side.
How would one go about doing this?
-Original Message-
From: Dan Hardiker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:44 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem
This could still be faked easily with a telnet session and some fake http
headers. Your only way of making sure is to create a serverside script
which filters the data.
Yes, theoretically...you could require it to be posted data. In order
to do this you would have to make sure "registered_globals" is set to
"off" in your php.ini and then for each variable posted from your form
you will need to do something like this
$name=$_POST["name"];
This will only p
You're checking with JavaScript, correct? If so, try checking
server-side too.
Pag wrote:
Been having some hacker problems on my site, and a simple one:
I have a shoutbox, a simple form with name and text that adds
lines to the database. I do checks for insults, too long words, tags,