On Mon, Aug 17, 2009 at 5:31 PM, Shawn McKenzie<nos...@mckenzies.net> wrote:
> nashrul wrote:
>> This is a newbie question...
>> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
>> submission from page1.php or page2.php will take user to page3.php.
>> I know that we can use parameter that is appended in the action attribute of
>> the form (e.g <FORM METHOD=POST ACTION="tes.php?var1=val1">)
>> But I think, appending this parameter is transparent to the user, since it's
>> visible in the url.
>> And I think we can also use the hidden field or (form name ??.).
>> So which one is most secured and better ??
>> Thanks..
> I personally don't see a problem with using get or post vars, but to
> keep the user from being able to manipulate it do this.  This could also
> be in a header file included at the top of all pages:
> //page1.php and page2.php
> session_start();
> $_SESSION['page'] = $_SERVER['PHP_SELF'];
> //page3.php
> session_start();
> $page = $_SESSION['page']
> // use $page somehow . . .
> --
> Thanks!
> -Shawn
> http://www.spidean.com
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

This approach degrades very simply:

1) Say you have four pages, a.php, b.php, c.php and d.php.
2) b expects user to come from a, d from c.
3) I open two tabs, a.php and c.php.
4) $_SESSION['from'] is now c.php
5) I post to b from a, get an error. $_SESSION['from'] is now b.php.
6) I post to d from c and get an error.

Obviously this example is a tad bit contrived, but as long as your
user is browsing your site in more than one tab/window, using that
approach will break often and result in a user experience, so I'd
stick away from it.

As far as relying on cookies, HTTP headers, hidden form fields, etc.
they are all user input, and Lesson 1 in Security 101 that you don't
trust user input.  Ever.  I always assume that the best HTTP blackhats
are after my sites when I write them and make them unnecessarily
overthought, but they're secure.  I even let a few
(black|white|grey)hat friends of mine take a peak at the code, when I
can, to get their input.  If you can think of a way to exploit your
code, so can someone else.  And so will someone else.

Generally speaking, I'm not entirely sure that this is a question that
even needs an answer.  I'm going to have to echo a sentiment from
earlier in the thread that you need to be validating all of your data
anyway, so it shouldn't matter if I POST to page3 from page2 or from
page1 or from a CLI app written with curl/wget.  What should matter is
whether or not the data I'm POST'ing meets the security criteria that
you've dictated (whatever that may be) and gets properly
escaped/filtered before being entered into the database or otherwise
used.  I'd venture so far as to say that if you need to care about
where a form is POST'd from for security, you have a flawed security
model and in all likelihood a very insecure application and some
serious refactoring to do.

I can't imagine a situation where dictating page2 comes from page1 and
page3 comes from page2 is necessary for security at all.  Perhaps I'm
being shortsited and you can provide some examples?

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to