1st step: read out form results from $_POST['total'] (possible since PHP 4.10), not from $total. Variables added to the url will not be in the $_POST array but in $_GET.

When reading the form result, make sure the referring page is from your own site, or else they can simply make their own form.

To increase security, add a hidden field with some random value to the form, and put the same value in a session variable. Only accept the form result when both match. Some even add a timer.


At 16:25 11-6-03, you wrote:
For example, I have a form with a dropdown selection as shown below.

<FORM action="action.php">
<SELECT name="total">
 <OPTION>1</OPTION>
 <OPTION>2</OPTION>
 <OPTION>3</OPTION>
 <OPTION>4</OPTION>
 <OPTION>5</OPTION>
</SELECT>
</FORM>

Just say I have a function to generate form fields based on the total variable from above... so

function generate($total) {
    // Print one text input per number, 1 .. $total
    for ($i = 1; $i <= $total; $i++) {
        print "<input type=\"text\" name=\"field$i\">\n";
    }
}

How do you prevent someone modifying the query string like:
page.php?total=100 and hitting ENTER

Now rather than 5 options you have 120 options...

How do you tackle this problem??

any suggestion?

Thanks
Awlad

_______________________________________________________________________

Sheridan Phoenix Company
The Business Centre  Kimpton Road  Luton  Bedfordshire  LU2 0LB

Email:      [EMAIL PROTECTED]
Phone:      01582 522 330
Fax:        01582 522 328
_______________________________________________________________________



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
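The replier's advice above (read from $_POST, a hidden random field matched against a session variable, a timer) combined with an explicit whitelist of the values the SELECT offers, as an added example that is not code from the thread. It assumes PHP 7+ (random_bytes, hash_equals) with sessions enabled; it does not rely on the Referer header, since the client controls that.

```php
<?php
// Added example (not from the thread): per-form random token with an issue time
// in the session, plus a server-side whitelist for "total". Assumes PHP 7+.
session_start();
const ALLOWED_TOTALS = [1, 2, 3, 4, 5]; // the only values the SELECT offers
const TOKEN_MAX_AGE  = 600;             // seconds; the "timer" from the reply

// Render the form and remember a fresh token plus its issue time.
function render_form(): string {
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_time'] = time();
    $html  = "<form method=\"post\" action=\"action.php\">\n";
    $html .= "<input type=\"hidden\" name=\"token\" value=\"$token\">\n";
    $html .= "<select name=\"total\">\n";
    foreach (ALLOWED_TOTALS as $n) {
        $html .= " <option>$n</option>\n";
    }
    return $html . "</select>\n<input type=\"submit\">\n</form>\n";
}

// Validate a submission; returns the accepted total or null when rejected.
function read_total(array $post): ?int {
    $saved  = $_SESSION['form_token'] ?? '';
    $issued = $_SESSION['form_token_time'] ?? 0;
    $sent   = (string) ($post['token'] ?? '');
    // Token must be present, match the session copy, and still be fresh.
    if ($saved === '' || !hash_equals($saved, $sent) || time() - $issued > TOKEN_MAX_AGE) {
        return null;
    }
    unset($_SESSION['form_token'], $_SESSION['form_token_time']); // one-time use
    // The token only proves the form was ours; it does not stop the user
    // editing the field, so "total=100" is still rejected here.
    $total = filter_var($post['total'] ?? null, FILTER_VALIDATE_INT);
    if ($total === false || !in_array($total, ALLOWED_TOTALS, true)) {
        return null;
    }
    return $total;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $total = read_total($_POST);
    if ($total === null) {
        exit('Form rejected');
    }
    for ($i = 1; $i <= $total; $i++) {          // the generator from the question
        print "<input type=\"text\" name=\"field$i\">\n";
    }
} else {
    echo render_form();
}
```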


