Hello again everybody,

My page: http://www.dockhawk.com/

I'm trying to implement some "session security" PHP script William mentioned above. The tutorial is in the "Cross-site request forgery" section (pdf): http://daniel0.net/phpfreaks_tutorials/php_security/php_security.pdf

I was trying to figure out if it was functioning by putting a value in the hidden input that won't be equal to the session token. The hidden input is in my default.html page inside the <div id="search_form">. So, as the value is wrong, the PHP should return "Invalid Token", but it's not. In earlier testing I had taken away the not "!" in the PHP and left the hidden input's value as "<?php echo $_SESSION['token'] ?>", and the PHP did return "Invalid Token" as it should have. It seems the "!" isn't working; I'm not sure.

Thank you for your time. Here is the PHP:

<?php
session_start(); // added: without it $_SESSION['token'] is never populated

if ($_GET['token'] !== $_SESSION['token']) {
    die('Invalid token');
}

$keyword = $_GET["name"];

require("dockhawk_dbinfo.php");

function parseToXML($htmlStr)
{
    // Escape '&' first so the entities inserted below are not escaped a second time
    $xmlStr = str_replace('&', '&amp;', $htmlStr);
    $xmlStr = str_replace('<', '&lt;', $xmlStr);
    $xmlStr = str_replace('>', '&gt;', $xmlStr);
    $xmlStr = str_replace('"', '&quot;', $xmlStr);
    $xmlStr = str_replace("'", '&#39;', $xmlStr);
    return $xmlStr;
}

// Opens a connection to a MySQL server
$connection = mysql_connect($hostname, $username, $password);
if (!$connection) {
    die('Not connected : ' . mysql_error());
}

// Set the active MySQL database
$db_selected = mysql_select_db($database, $connection);
if (!$db_selected) {
    die('Can\'t use db : ' . mysql_error());
}

// Select matching rows in the markers table.
// The keyword comes straight from the query string, so escape it before
// interpolating it into the SQL (added; the original used $keyword unescaped).
$keyword = mysql_real_escape_string($keyword, $connection);
$query = "SELECT * FROM markers WHERE MATCH(operator, name, waterway) AGAINST ('$keyword') LIMIT 0, 25";
$result = mysql_query($query);
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

header("Content-type: text/xml");

// Start XML file, echo parent node
echo '<markers>';

// Iterate through the rows, printing XML nodes for each
while ($row = @mysql_fetch_assoc($result)) {
    // ADD TO XML DOCUMENT NODE
    echo '<marker ';
    echo 'operator="' . parseToXML($row['operator']) . '" ';
    echo 'name="' . parseToXML($row['name']) . '" ';
    echo 'waterway="' . parseToXML($row['waterway']) . '" ';
    echo 'mile="' . parseToXML($row['mile']) . '" ';
    echo 'address="' . parseToXML($row['address']) . '" ';
    echo 'town="' . parseToXML($row['town']) . '" ';
    echo 'state="' . parseToXML($row['state']) . '" ';
    echo 'lat="' . $row['lat'] . '" ';
    echo 'lng="' . $row['lng'] . '" ';
    echo 'county="' . parseToXML($row['county']) . '" ';
    echo '/>';
}

// End XML file
echo '</markers>';
?>

On Sep 29, 5:03 pm, William <[EMAIL PROTECTED]> wrote:
> I think people prefer using sites without login systems and
> registration, so it might be better to still allow anonymous access
> and use PHP session to store the token. For example, see the
> following tutorial: http://daniel0.net/phpfreaks_tutorials/php_security/php_security.pdf
>
> Imagine this form:
>
> <?php
> session_start();
> $_SESSION['token'] = uniqid(md5(microtime()), true);
> ?>
> <form action="/delete-user.php" method="post">
> <input type="hidden" name="token" value="<?php echo $_SESSION['token'] ?>" />
>
> Username: <input type="text" name="username" />
> <button type="submit">Delete user</button>
> </form>
>
> Here we have added a hidden field called token and stored its content
> in a session. On the next page we can do something like this:
>
> <?php
> session_start();
> if ($_POST['token'] !== $_SESSION['token']) {
>     die('Invalid token');
> }
>
> // form processing here
> ?>
>
> We simply check that it is a valid token and we have then successfully
> ensured that the request did in fact come from the form.

You received this message because you are subscribed to the Google Groups "Google Maps API" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/Google-Maps-API?hl=en
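Added here as an example that is neither the poster's code nor taken from the quoted tutorial: a self-contained PHP version of the token check the thread describes, with the token drawn from a CSPRNG, stored in the session, and compared in constant time. It assumes PHP 7 or later (random_bytes, hash_equals) and uses search.php as a placeholder file name.

```php
<?php
// Added example, not the poster's or the tutorial's code: CSRF-token helpers
// for the GET-based search endpoint discussed above. Assumes PHP >= 7
// (random_bytes, hash_equals); search.php is a placeholder file name.

// session_start() must run before the token is echoed into the form AND
// before it is checked, otherwise $_SESSION['token'] is simply unset.
session_start();

// Create the token once per session and reuse it until the session ends.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32)); // 64 hex chars from a CSPRNG
    }
    return $_SESSION['token'];
}

// Markup for the hidden field. The page that prints it must be served through
// PHP (a .php file); a plain .html file sends the PHP tags as literal text, so
// the browser would submit that literal text instead of the session token.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// True only when $submitted is a string equal to the session token.
// hash_equals() is a constant-time comparison; the type check makes a missing
// parameter fail closed instead of comparing null with null.
function csrf_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $submitted);
}

// search.php: reject the request before any database work is done.
if (!csrf_valid($_GET['token'] ?? null)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Invalid token');
}
$keyword = $_GET['name'] ?? '';
// ... escape or parameterise $keyword and run the MATCH ... AGAINST query ...
```

A wrong or absent token now always ends in "Invalid token", which is the behaviour the poster was trying to observe; the form page only needs to echo csrf_hidden_field() after calling session_start().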
