Well, you can check the referer, but like someone else said, that can be faked. You can probably in Apache or somewhere disallow (if it's not by default) external POST requests (i.e. from servers other than your own), and just make sure you're using $_POST['message'] instead of $message.

On Wed, 2003-03-12 at 09:01, [EMAIL PROTECTED] wrote:
Swear filtering is easy; I want to know how to make sure the data is coming from MY form... I'm just picky like that. :-)

-----Original Message-----
From: Adam Voigt [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem


Why don't you just do the swear filtering on shoutb.php, or wherever it's actually being inserted into the database?

On Wed, 2003-03-12 at 08:51, [EMAIL PROTECTED] wrote:

How would one go about doing this?

-----Original Message-----
From: Dan Hardiker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:44 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem


This could still be faked easily with a telnet session and some fake HTTP headers. Your only way of making sure is to create a server-side script which filters the data.

> Yes, theoretically... you could require it to be posted data. In order to do this you would have to make sure "register_globals" is set to "off" in your php.ini and then for each variable posted from your form you will need to do something like this:
>
> $name=$_POST["name"];
>
> This will only post the variables if they have been "posted." Then you could use the referrer along with this and it will only allow data from that specific form. Hope this helps!
>
> Brian Drexler
>
> -----Original Message-----
> From: Pag [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Hacker problem
>
>
>
> Been having some hacker problems on my site, and a simple one:
>
> I have a shoutbox, a simple form with name and text that adds lines to the database. I do checks for insults, too long words, tags, etc., but it's still possible to circumvent those checks by adding the data on the URL instead of using the form. Something like:
>
> www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords
>
> To prevent this, I tried tracing the http_referral so that only data from inside the site goes into the shoutbox. The problem is that if you do that URL above after visiting my site, the http_referral obviously thinks it's coming from inside the site. :-P
> How can I solve this? Is there any way to prevent data adding from outside? Maybe some invisible check on the form or something?
>
> Thanks.
>
> Pag
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php


--
Dan Hardiker [EMAIL PROTECTED]
ADAM Software & Systems Engineer
First Creative


--
Adam Voigt ([EMAIL PROTECTED])
The Cryptocomm Group
My GPG Key: http://64.238.252.49:8080/adam_at_cryptocomm.asc

-- 
Adam Voigt ([EMAIL PROTECTED])
The Cryptocomm Group
My GPG Key: http://64.238.252.49:8080/adam_at_cryptocomm.asc
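Putting the thread's advice together (accept only POST, read only from $_POST, filter server-side, never rely on the referer), here is an added shoutb.php handler that is not code from any of the posters; the session form token, the field names and the size limits are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: shoutb.php accepting only POST, reading
// only $_POST and filtering server-side (the referer is never consulted). Assumed:
// the form page stores a random value in $_SESSION['shout_token'] and echoes it in a hidden input "token".
const MAX_NAME = 20;
const MAX_TEXT = 300;
const BAD_WORDS = ['badword1', 'badword2']; // placeholder list for the example
// True only when the post passes every server-side check.
function shout_is_clean(string $name, string $text): bool
{
    if ($name === '' || strlen($name) > MAX_NAME) {
        return false;
    }
    if ($text === '' || strlen($text) > MAX_TEXT) {
        return false;
    }
    foreach (BAD_WORDS as $bad) {
        if (stripos($text, $bad) !== false) {
            return false;
        }
    }
    return true;
}
// Decides whether a request may reach the database. Method, body and session
// token are parameters rather than globals so the logic can be unit-tested.
function accept_shout(string $method, array $post, ?string $sessionToken): ?array
{
    if ($method !== 'POST') {          // ?name=...&text=... on a GET stops here
        return null;
    }
    $name  = (string) ($post['name'] ?? '');    // only genuinely posted fields
    $text  = (string) ($post['text'] ?? '');
    $token = (string) ($post['token'] ?? '');
    // The "invisible check": the token issued with the form must match the session.
    if ($sessionToken === null || !hash_equals($sessionToken, $token)) {
        return null;
    }
    if (!shout_is_clean($name, $text)) {
        return null;
    }
    return ['name' => strip_tags($name), 'text' => strip_tags($text)];
}
session_start();
$row = accept_shout($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION['shout_token'] ?? null);
if ($row === null) {
    http_response_code(400);
    exit('rejected');
}
// ... insert $row into the database with a prepared statement ...
```

A request arriving by plain GET, or a hand-built POST without the token the form was issued, is rejected before the word filter even runs, so the URL trick from the original post never reaches the database.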
