Well, the previous post pretty much posed an interesting question. Since you're going to verify everything yet again, as the user is moving to purchase, what's the problem with a bad guy playing around with the form a bit?
Anyways, here we go...


KUNAL PAREKH wrote:

If I make a session variable like this:
$Session->{SomethingRandom} =
"Qty_$itemCode=2&Qty_$itemCode=3......"

That could work. However can this session variable be
made on the same page as "products.asp" as soon as the
form "Submit" button is clicked? If yes please let me
know how.

Actually, I was thinking more in the sense of:
--snip products.asp--
<%
   $Session->{'random'} =  time();
%>
<form action="verify.asp"......
--snip products.asp--

--snip verify.asp--
<%
if ($Session->{'random'} < (time()-7200) ) { # $Session->{'random'} has not been set in the last 2 hours....
die "Bad boy!!!\n";
}
....
%>
--snip verify.asp--


b) check the HTTP_REFERER and reject if it's not the
one You're expecting (the page the form is in)


I will have to read more about this. I am not familiar
with this method.

Something like :
--snip verify.asp--
<%
if ($Request->ServerVariables('HTTP_REFERER') !~ /products\.asp/) { # HTTP_REFERER SHOULD point to the page where the user was selecting products
die "Bad boy!!!\n";
}
....
%>
--snip verify.asp--


c) using POST instead of GET, so as not to worry
about the amount of user input (and making it a little more complicated
to ``fabricate'' a request by hand).



The problem with POST and GET method is I will have to name each form variable. This is not possible in my case as I am naming the variables as "Qty_$itemCode" where $itemCode comes from the "products" database and I expect it to change very often. I think I understood right what you were saying however if I missed the point let me know.

I didn't realize you're parsing the QueryString by hand.
You can, of course, do the same with POST, just look for $Request->Form (reference to a hash - see Apache::ASP site for details) and iterate over the keys.
Or even (OK, I know I'm pushing things a bit, but), if you don't feel comfortable with that...
how about creating a hidden form element, where you just name the fields you should be collecting, something like
<input type="hidden" name="index" value="Qty_$itemCode">


d) obfuscating the form input, so as not to make it
so obvious.


No. There is no limitation of obfuscation. There is
always a possibility of someone outsmarting you.

Fair enough...

Regards,
Thanos Chatziathanassiou
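As an added example that is not part of the thread, here is the verify.asp logic the reply sketches (the two-hour session stamp, the Referer check, and iterating over the posted fields looking for Qty_<itemCode>) written out in Python rather than Apache::ASP Perl, so it runs stand-alone. The catalogue, item codes and prices are constructed for the example; the only piece that goes beyond the thread is that the accepted field names are rebuilt from the product catalogue on the server instead of being taken from a hidden "index" field, since anything in the form, hidden or not, can be edited by the client.

```python
import re
import time

# Constructed stand-in for the "products" database in the thread;
# item codes and prices (in cents) are made up for this example.
CATALOGUE = {"A100": 999, "B205": 450, "C310": 1900}

SESSION_MAX_AGE = 7200  # two hours, as in the verify.asp snippet
MAX_QTY = 999           # arbitrary sanity cap on a single line item
QTY_FIELD = re.compile(r"^Qty_([A-Za-z0-9]+)$")


def session_is_fresh(session, now=None):
    """Mirror the $Session->{'random'} timestamp check: the stamp must exist
    and have been set within the last SESSION_MAX_AGE seconds."""
    now = time.time() if now is None else now
    stamp = session.get("random")
    return stamp is not None and stamp >= now - SESSION_MAX_AGE


def referer_is_expected(referer, expected="products.asp"):
    """Advisory only: the Referer header is client-supplied and is often
    stripped by proxies or browsers, so it is logged rather than used as
    the sole gate."""
    return referer is not None and referer.endswith(expected)


def parse_quantities(form, catalogue=CATALOGUE):
    """Walk every posted field (the POST-side equivalent of iterating the
    keys of $Request->Form) and keep only Qty_<itemCode> fields whose code
    exists in the catalogue and whose value is a small non-negative integer.
    Returns (accepted, rejected) so the caller can log what was dropped."""
    accepted, rejected = {}, []
    for name, value in form.items():
        m = QTY_FIELD.match(name)
        if not m:
            continue  # not a quantity field at all; ignore it
        code = m.group(1)
        if code not in catalogue:
            rejected.append((name, "unknown item code"))
            continue
        if not value.isdigit() or int(value) > MAX_QTY:
            rejected.append((name, "bad quantity"))
            continue
        qty = int(value)
        if qty > 0:
            accepted[code] = qty
    return accepted, rejected


def verify_order(form, session, referer, now=None):
    """Server-side decision for verify.asp: reject stale sessions outright,
    then rebuild the order from the catalogue rather than from anything the
    client named. Returns (ok, detail)."""
    if not session_is_fresh(session, now):
        return False, "session stamp missing or older than two hours"
    items, rejected = parse_quantities(form)
    if not items:
        return False, "no valid line items"
    total_cents = sum(CATALOGUE[code] * qty for code, qty in items.items())
    return True, {
        "items": items,
        "total_cents": total_cents,
        "rejected": rejected,
        "referer_ok": referer_is_expected(referer),
    }


if __name__ == "__main__":
    # Constructed POST body with one valid line, one unknown code,
    # one non-numeric quantity, one zero quantity and an unrelated field.
    posted = {"Qty_A100": "2", "Qty_ZZZ9": "1", "Qty_B205": "x",
              "Qty_C310": "0", "comment": "hello"}
    print(verify_order(posted, {"random": time.time() - 60},
                       "http://shop.example/products.asp"))
```

Unknown codes and malformed quantities are reported back rather than silently dropped, which gives the shop a log line every time a form has been tampered with; the Referer result is carried along for the same reason.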



