Who cares where it comes from, just validate it. You can use POST and HTTP_REFERRER (check spelling) to stop lazy people from messing with it if that makes you feel better.
---John Holmes...

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, March 12, 2003 9:02 AM
Subject: RE: [PHP] Hacker problem

> So we aren't actually validating "where" the data is coming from, we
> are just validating the data?
>
> -----Original Message-----
> From: Leif K-Brooks [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 12, 2003 8:57 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP] Hacker problem
>
> // $maxlength is the longest shout you are willing to accept
> if (stristr($text, 'badword') or stristr($text, 'badword2') or
>     strlen($text) > $maxlength) {
>     die('Invalid!');
> }
>
> [EMAIL PROTECTED] wrote:
>
>> So how could you validate it server-side?
>>
>> -----Original Message-----
>> From: Leif K-Brooks [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, March 12, 2003 8:41 AM
>> To: [EMAIL PROTECTED]
>> Cc: [EMAIL PROTECTED]
>> Subject: Re: [PHP] Hacker problem
>>
>> That can still easily be spoofed. The only safe way is to validate
>> the form server-side.
>>
>> [EMAIL PROTECTED] wrote:
>>
>>> Yes, theoretically... you could require it to be posted data. In order
>>> to do this you would have to make sure "registered_globals" is set to
>>> "off" in your php.ini and then for each variable posted from your form
>>> you will need to do something like this....
>>>
>>> $name = $_POST["name"];
>>>
>>> This will only post the variables if they have been "posted." Then you
>>> could use the referrer along with this and it will only allow data from
>>> that specific form. Hope this helps!
>>>
>>> Brian Drexler
>>>
>>> -----Original Message-----
>>> From: Pag [mailto:[EMAIL PROTECTED]]
>>> Sent: Wednesday, March 12, 2003 8:35 AM
>>> To: [EMAIL PROTECTED]
>>> Subject: [PHP] Hacker problem
>>>
>>> Been having some hacker problems on my site, and a simple one:
>>>
>>> I have a shoutbox, a simple form with name and text that adds lines to
>>> the database. I do checks for insults, too long words, tags, etc., but
>>> it's still possible to circumvent those checks by adding the data on the
>>> URL instead of using the form. Something like:
>>>
>>> www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords
>>>
>>> To prevent this, I tried tracing the http_referral so that only data
>>> from inside the site goes into the shoutbox. The problem is that if you
>>> do that URL above after visiting my site, the http_referral obviously
>>> thinks it's coming from inside the site. :-P
>>>
>>> How can I solve this? Is there any way to prevent data adding from
>>> outside? Maybe some invisible check on the form or something?
>>>
>>> Thanks.
>>>
>>> Pag
>>
>> --
>> The above message is encrypted with double rot13 encoding. Any
>> unauthorized attempt to decrypt it will be prosecuted to the full
>> extent of the law.
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
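The thread ends with three separate suggestions: require `$_POST` rather than the query string, check the referrer, and, in John's words, "just validate it." The following is an added example written for this page, not code from any of the posters. It puts those pieces in one shoutbox handler and adds the "invisible check on the form" Pag asked about: a random token stored in the session and emitted as a hidden field, so that a submission is accepted only if it came from a form this server rendered for this visitor. It assumes a modern PHP (7+, for `random_bytes()` and `hash_equals()`), a SQLite database reachable through PDO, and the names `validate_shout()`, `$badwords`, `NAME_MAX` and `TEXT_MAX`, all of which are this example's own choices.

```php
<?php
// Added example, not part of the mailing-list thread. Assumes PHP 7+,
// sessions enabled, and a 'shouts(name, text)' table in shoutbox.db.
session_start();

const NAME_MAX = 30;   // assumed limits
const TEXT_MAX = 500;
$badwords = ['badword', 'badword2'];   // the list Leif's snippet checks

// Content validation: this runs no matter where the request came from,
// which is John's point. Returns an error string, or null if acceptable.
function validate_shout(array $post, array $badwords): ?string
{
    $name = trim($post['name'] ?? '');
    $text = trim($post['text'] ?? '');
    if ($name === '' || $text === '') {
        return 'Name and text are required.';
    }
    if (strlen($name) > NAME_MAX || strlen($text) > TEXT_MAX) {
        return 'Too long.';
    }
    // Allow a conservative character set for the name instead of trying
    // to enumerate every tag or trick that should be rejected.
    if (!preg_match('/^[A-Za-z0-9 _.-]+$/', $name)) {
        return 'Invalid name.';
    }
    // "Too long words": any run of 40+ non-space characters.
    if (preg_match('/\S{40,}/', $text)) {
        return 'Word too long.';
    }
    foreach ($badwords as $w) {
        if (stripos($text, $w) !== false) {
            return 'Invalid!';
        }
    }
    return null;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Render the form. The token is the "invisible check": it is tied to
    // this visitor's session, so a bare GET URL built by hand cannot
    // carry a valid one.
    $_SESSION['shout_token'] = bin2hex(random_bytes(16));
    $token = htmlspecialchars($_SESSION['shout_token'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="shoutb.php">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . 'Name: <input name="name" maxlength="' . NAME_MAX . '"> '
       . 'Text: <input name="text" maxlength="' . TEXT_MAX . '"> '
       . '<input type="submit" value="Shout"></form>';
    exit;
}

// 1. Only POST bodies reach this point; ?name=...&text=... on the URL is
//    never read because the code uses $_POST, not $_GET or $_REQUEST.

// 2. Token check. hash_equals() avoids a timing difference between a
//    near-miss and a total miss. The token is single-use.
if (!isset($_POST['token'], $_SESSION['shout_token'])
    || !hash_equals($_SESSION['shout_token'], $_POST['token'])) {
    http_response_code(403);
    exit('Invalid form submission.');
}
unset($_SESSION['shout_token']);

// 3. Content validation, applied regardless of steps 1 and 2.
$err = validate_shout($_POST, $badwords);
if ($err !== null) {
    http_response_code(400);
    exit(htmlspecialchars($err, ENT_QUOTES, 'UTF-8'));
}

// 4. Store with a prepared statement; escape with htmlspecialchars() when
//    the shouts are displayed, not when they are stored.
$pdo = new PDO('sqlite:shoutbox.db');   // assumed DSN
$stmt = $pdo->prepare('INSERT INTO shouts (name, text) VALUES (?, ?)');
$stmt->execute([trim($_POST['name']), trim($_POST['text'])]);
echo 'Thanks!';
```

Two points about the design. The `Referer` header is sent by the client and can be set to anything, and as Pag noticed it is also genuinely correct for someone who simply visited the site first, so it is at best a nuisance for casual tampering; the session token does the job the referrer check was meant to do. The token, in turn, only proves the request passed through the rendered form; it says nothing about whether the content is acceptable, which is why `validate_shout()` still runs on every request.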