If you have an HTML form select field xyz with possible values
"apple", "banana", and "cucumber", anyone can easily set xyz to an
arbitrary value.

To prevent this, I create a hidden field code[xyz] with value:

where $salt is stored in a file outside my webroot.

The script receiving the POST data uses:

 base64_decode($_REQUEST[code][xyz]), MCRYPT_DECRYPT);

and confirms xyz is really one of "apple", "banana", or "cucumber".

Obviously, this can be extended to other types of form fields, and the
check value can be a regular expression or even a function call.

Is this a new idea, or have people done this before?

We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to