a) setting something completely random in the $Session object in the form's page and checking for its existence in the verify.asp. If it isn't there, reject the data.
b) check the HTTP_REFERER and reject if it's not the one you're expecting (the page the form is in)
c) using POST instead of GET, so as not to worry about the amount of user input (and making it a little more complicated to "fabricate" a request by hand).
d) obfuscating the form input, so as not to make it so obvious.
e) accepting form input only from trusted sources (ie registered and/or authenticated users).
f) IP address restriction (kinda defeats the purpose of the web, doesn't it?)
g) any combination of the above.
A sufficiently motivated "bad guy" will most definitely find ways to overcome all the above methods, especially if it's worth the trouble. YMMV.
That's all I can think of right now. I'm sure others will contribute their favourite methods too. Maybe we can compile an exhaustive list of those (should we?).
Regards, Thanos Chatziathanassiou
pkunal wrote:
All,
The situation is this.
On my web page "products.asp" I am displaying all the products from my database and allow the user to select the quantity he wants to buy.
So to make it short:
"$itemCode" comes after a query to the database for each item in database. The form looks like this:
<!-- no method attribute, so the browser submits with GET and the Qty_* values land in the query string -->
<form action="/asp/verify.asp">
  <select name="Qty_<%=$itemCode%>">
    <option selected>0</option>
    <option>1</option>
    <option>2</option>
    <option>3</option>
  </select>
  <input type="submit" name="SUBMIT">
</form>
So the quantity is passed to "verify.asp" through the querystring and looks like this:
http://....../verify.asp?Qty_1=1&Qty_2=3....
The query string gets long depending on the number of products I have. Then I again retrieve the "itemcode" and its selected "quantity" on the "verify.asp" page using the "$Request->QueryString()" object.
I am not happy with this solution. As it makes the website vulnerable as a user can input anything in the querystring "http://....../verify.asp?Qty_1=1&Qty_2=3....".
Please suggest a good way to do this.
Thanks, Kunal Parekh.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
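As an added example (not code from this thread and not part of Apache::ASP), here is a Python sketch of option (a) from the reply combined with per-field checking of the Qty_ values on verify.asp. Plain dicts stand in for $Session and $Request->QueryString(), a constructed three-item catalog stands in for the products table, and the hidden-field name order_token and the 0..3 quantity range are assumptions.

```python
import hmac
import re
import secrets

# Constructed catalog standing in for the products table: item code -> unit price.
# In the thread the item codes come from the database query on products.asp.
CATALOG = {"1": 9.99, "2": 24.50, "3": 4.00}
MAX_QTY = 3  # the <select> on products.asp offers 0..3 (assumed range)

TOKEN_KEY = "order_token"  # assumed name for the $Session slot and the hidden field
_QTY_RE = re.compile(r"[0-9]+")  # ASCII digits only; rejects "", "-5", "3.0", " 1"


def render_form(session):
    """Build the products.asp form. Stores a fresh random token in the session
    (option (a) in the thread) and echoes it in a hidden field so verify.asp can
    match the two. Returns the HTML as a string."""
    token = secrets.token_hex(16)
    session[TOKEN_KEY] = token
    rows = []
    for code in CATALOG:
        options = "".join(
            "<option%s>%d</option>" % (" selected" if q == 0 else "", q)
            for q in range(MAX_QTY + 1)
        )
        rows.append('<select name="Qty_%s">%s</select>' % (code, options))
    return (
        '<form action="/asp/verify.asp" method="POST">'
        '<input type="hidden" name="%s" value="%s">%s'
        '<input type="submit" name="SUBMIT"></form>'
        % (TOKEN_KEY, token, "".join(rows))
    )


def verify(session, params):
    """verify.asp logic. `session` is the server-side session dict, `params` the
    submitted form fields (name -> string). Returns (ok, result) where result is
    an error string or {item_code: qty} with zero quantities dropped."""
    expected = session.get(TOKEN_KEY)
    supplied = params.get(TOKEN_KEY, "")
    # Token must exist in the session and match (constant-time compare); it is
    # then discarded so a captured form cannot be replayed in the same session.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or bad form token"
    del session[TOKEN_KEY]

    order = {}
    for name, value in params.items():
        if not name.startswith("Qty_"):
            continue
        code = name[len("Qty_"):]
        if code not in CATALOG:
            return False, "unknown item code %r" % code
        if not _QTY_RE.fullmatch(value):
            return False, "non-numeric quantity for item %s" % code
        qty = int(value)
        if qty > MAX_QTY:
            return False, "quantity %d for item %s exceeds %d" % (qty, code, MAX_QTY)
        if qty:
            order[code] = qty
    return True, order


def order_total(order):
    """Price the validated order from the server-side catalog, never from the client."""
    return round(sum(CATALOG[c] * q for c, q in order.items()), 2)


if __name__ == "__main__":
    sess = {}
    html = render_form(sess)
    tok = sess[TOKEN_KEY]
    print(verify(sess, {TOKEN_KEY: tok, "Qty_1": "1", "Qty_2": "3", "Qty_3": "0"}))
    print(verify(sess, {TOKEN_KEY: tok, "Qty_2": "-5"}))  # token already consumed
```

The token only proves the request came through a form this server rendered for this session, and it is consumed on first use. The per-value checks are what reject a hand-edited Qty_2=-5, a quantity above the range the select offered, or an item code that is not in the catalog, and the price is looked up server-side rather than taken from the request.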