So we aren't actually validating "where" the data is coming from, we 
are just validating the data?

-----Original Message-----
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:57 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem


$maxlength = 200; // longest text accepted; the original used an undefined bare constant "maxlength"
if(stristr($text,'badword') or stristr($text,'badword2') or 
strlen($text) > $maxlength){
die('Invalid!');
}

[EMAIL PROTECTED] wrote:


So how could you validate it server-side?

-----Original Message-----
From: Leif K-Brooks [ mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:41 AM
To:  [EMAIL PROTECTED]
Cc:  [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem


That can still easily be spoofed.  The only safe way is to validate 
the form server-side.

[EMAIL PROTECTED] wrote:

  

Yes, theoretically...you could require it to be posted data.  In order 
to do this you would have to make sure "registered_globals" is set to 
"off" in your php.ini and then for each variable posted from your form 
you will need to do something like this....

$name=$_POST["name"];

This will only post the variables if they have been "posted."  Then 
you could use the referrer along with this and it will only allow data 
from that specific form.  Hope this helps!

Brian Drexler

-----Original Message-----
From: Pag [ mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:35 AM
To:  [EMAIL PROTECTED]
Subject: [PHP] Hacker problem



        Been having some hacker problems on my site, and a simple one:

        I have a shoutbox, a simple form with name and text that adds 
lines to the database. I do checks for insults, too long words, tags, 
etc, but it's still possible to circumvent those checks by adding the 
data on the url instead of using the form. something like:

        www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords

        To prevent this, i tried tracing the http_referral so that only 
data from inside the site goes into the shoutbox. The problem is that if 
you do that url above after visiting my site, the http_referral obviously 
thinks it's coming from inside the site. :-P
        How can i solve this? Is there any way to prevent data adding 
from outside? Maybe some invisible check on the form or something?

        Thanks.

        Pag

-- 
The above message is encrypted with double rot13 encoding.  Any 
unauthorized attempt to decrypt it will be prosecuted to the full 
extent of the law.
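The advice in the thread (require POST, do not trust the referrer, check the content server-side) pulled together into one handler, as an added example rather than code from any of the posters; the field names, size limits and word list are assumed.

```php
<?php
// Added example: server-side validation for the shoutbox from the thread.
// Field names, limits and the blocked-word list are assumed, not from the posts.
declare(strict_types=1);

const SHOUT_MAX_NAME = 30;
const SHOUT_MAX_TEXT = 200;
const SHOUT_MAX_WORD = 40;
const SHOUT_BAD_WORDS = ['badword', 'badword2'];

/**
 * Validate one shoutbox submission. Returns a list of error strings;
 * an empty list means the submission may be stored.
 *
 * $method is $_SERVER['REQUEST_METHOD'] and $post is $_POST. $_GET and
 * the Referer header are deliberately not consulted: query-string data
 * fails the method check, and the referrer is client-controlled, so it
 * proves nothing about where the data came from. With register_globals
 * off, only these explicit arrays are read.
 */
function validateShout(string $method, array $post): array
{
    if ($method !== 'POST') {
        return ['Form data must be submitted with POST'];
    }
    $errors = [];
    $name = trim((string)($post['name'] ?? ''));
    $text = trim((string)($post['text'] ?? ''));

    if ($name === '' || strlen($name) > SHOUT_MAX_NAME) {
        $errors[] = 'Name missing or too long';
    }
    if ($text === '' || strlen($text) > SHOUT_MAX_TEXT) {
        $errors[] = 'Text missing or too long';
    }
    // "Too long words" rule from the original post: check each word, not just the total.
    foreach (preg_split('/\s+/', $text) as $word) {
        if (strlen($word) > SHOUT_MAX_WORD) {
            $errors[] = 'A single word is too long';
            break;
        }
    }
    foreach (SHOUT_BAD_WORDS as $bad) {
        if (stristr($text, $bad) !== false) {
            $errors[] = 'Text contains a blocked word';
            break;
        }
    }
    return $errors;
}

// Usage in shoutb.php: the query-string variant from the original post is rejected
// by the method check before any content rule runs.
$errors = validateShout($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
if ($errors !== []) {
    http_response_code(400);
    exit(implode("\n", $errors));
}
// Store htmlspecialchars($name) / htmlspecialchars($text) here; tags are neutralised on output.
```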




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php