--- Scott Fletcher <[EMAIL PROTECTED]> wrote:
> I wanted to know is there a way to configure PHP to make it not be
> affected when the web user tampers with the values in the post string
> after a webpage is submitted or something.

If by "after a page is submitted" you mean "after a page is requested", then you can already be assured that the user cannot tamper with data. Now, don't be misled by this, but all it means is that if you have code such as:

<?php
$foo = 'bar';
echo $foo;
?>

Then, regardless of whether register_globals is enabled or what the user may do, you can feel comfortable that this script will output "bar". Once your script begins execution, the user's request has been received, and the user cannot take any further action that will manipulate data. Of course, the user can try again on the next request.

> I noticed when I use the hidden HTML input tag with hidden data in it
> then when I click the submit button to submit the webpage, the hidden
> data then shows up in the URL address.

This happens when you specify a method of GET, do not specify a method, or specify an invalid method (neither POST nor GET).

> I noticed one problem, I can change the value in the URL toolbar of
> the web-browser and get a different result on the webpage.

Yes, but both GET and POST are sent by the user. Surely you wouldn't trust POST data any more than you would GET.

> So, is there a way to keep that $_REQUEST[], $_GET[] data unchanged?
> Does this require the php.ini configuration or what?

Absolutely not. This requires that you validate all data from the client. This means GET data, POST data (which may include file uploads), and cookies are potentially dangerous.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
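
An added example, not part of the original message: one way to apply "validate all data from the client" in PHP, checking each expected field against a type-and-range or allowlist rule before it is used. The field names, the rules and both sample requests are constructed for illustration; in a real script the source array would be $_GET, $_POST or $_COOKIE.

```php
<?php
// Added example (not from the original message). Field names and rules
// are hypothetical; the request arrays below are constructed sample input.

// Returns [clean, errors]; only values in clean should be used afterwards.
function validate_input(array $source, array $rules): array
{
    $clean = $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $source[$field] ?? null;
        // A client can send field[]=x to turn a value into an array,
        // so accept plain strings only.
        if (!is_string($raw)) {
            $errors[$field] = 'missing or not a string';
            continue;
        }
        if ($rule['type'] === 'int') {
            $value = filter_var($raw, FILTER_VALIDATE_INT, [
                'options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']],
            ]);
            if ($value === false) {
                $errors[$field] = 'not an integer in the allowed range';
                continue;
            }
            $clean[$field] = $value;
        } elseif ($rule['type'] === 'enum') {
            // Strict comparison against an allowlist of known-good values.
            if (!in_array($raw, $rule['allowed'], true)) {
                $errors[$field] = 'value not in allowlist';
                continue;
            }
            $clean[$field] = $raw;
        }
    }
    return [$clean, $errors];
}

$rules = [
    'item_id' => ['type' => 'int', 'min' => 1, 'max' => 9999],
    'action'  => ['type' => 'enum', 'allowed' => ['view', 'edit']],
];

// Constructed requests: one as the form sent it, one edited in the URL bar.
$asSent   = ['item_id' => '42', 'action' => 'view'];
$tampered = ['item_id' => '999999', 'action' => ['view']];

foreach ([$asSent, $tampered] as $request) {
    [$clean, $errors] = validate_input($request, $rules);
    echo json_encode(['clean' => $clean, 'errors' => $errors]), PHP_EOL;
}
```

A value that passes these checks may still have been changed to another valid one, so whether the current user may act on a given item_id remains a separate server-side check.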