On Friday, April 5, 2002, at 01:15 PM, Miguel Cruz wrote:
>> For security, you can modify your code so that you check
>> the $_POST elements instead of using the magic globals.
>> That's all well and good.
>> However, someone can copy and save your HTML to their local
>> machine, change some values, change the "Action" page of the
>> form to be http://www.yoursite.com/form_page.php instead of
>> "form_page.php". You'll be checking the $_POST elements
>> but you won't have any idea that they were changed and posted
>> from the user's local machine.
>> Is there any way to determine where the post request came
>> from w/o using http_referer?
> No, nor with it. Someone who wants to mess with you can supply any HTTP
> referer they want to (using something like 'curl -e' or just creating a
> request by hand in a text editor).
> You can never assume that submitted data is benign or untampered.
Exactly. I was kind of blown away when I realized how it all works for
the first time -- for a few weeks I was assuming that using listboxes or
radio buttons was safer than using text inputs, since it limits what
kind of data the user can send you. But this was completely false
security on my part, because in reality, the user can send you whatever
they want -- the browser is only one way to provide this ability to
Anyone can use telnet to try to send you any POST data they wish, and
even the stupidest of crackers can figure out how to send GET data in
the browser's "Address" bar (as you point out in your original post) or
modify the value in their cookies.
How to make sure that input or other elements of your HTML pages are
safe? Religious error checking. Write some decent error checking
functions, and then run them on any user-input data you get before you
allow that data to have any effect on your code. DevShed recently had
an article on the subject of writing a class for form validation:
And remember, unless your server is unplugged in a locked room, it's
never really safe from intrusion.
Web Developer Temp
Media Lab, H.H. Brown
PHP General Mailing List (http://www.php.net/)
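As an added illustration (not code from the thread), here is what the "religious error checking" described in the reply looks like in PHP: every field in $_POST is re-checked against an allow-list or a pattern on the server, because a saved-and-edited form can submit any value for a listbox or radio button. The field names and the shipping options are assumptions.

```php
<?php
// Added example (not from the thread). Field names are assumptions.
// Every $_POST value is re-checked here: a saved-and-edited form can send
// anything for a <select> or radio button, so the HTML limits nothing.

const SHIPPING_OPTIONS = ['standard', 'express']; // what the select offers

// Returns ['ok' => bool, 'data' => clean values, 'errors' => per-field text].
function validate_order(array $post): array
{
    $errors = [];
    $data = [];

    // Select/radio: strict allow-list match, never "it came from a listbox".
    $shipping = $post['shipping'] ?? '';
    if (!is_string($shipping) || !in_array($shipping, SHIPPING_OPTIONS, true)) {
        $errors['shipping'] = 'unknown shipping option';
    } else {
        $data['shipping'] = $shipping;
    }

    // Quantity: plain integer 1-999 only; rejects "1e9", "-5", "5; DROP ...".
    $qty = $post['qty'] ?? '';
    if (!is_string($qty) || !preg_match('/^[1-9][0-9]{0,2}$/', $qty)) {
        $errors['qty'] = 'quantity must be 1-999';
    } else {
        $data['qty'] = (int) $qty;
    }

    // Email: length cap plus the filter extension's syntax check.
    $email = $post['email'] ?? '';
    if (!is_string($email) || strlen($email) > 254
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email address';
    } else {
        $data['email'] = $email;
    }

    return ['ok' => $errors === [], 'data' => $data, 'errors' => $errors];
}

// Constructed sample: the select was edited to send a value never offered.
$tampered = ['shipping' => 'free_forever', 'qty' => '2', 'email' => 'a@example.com'];
$result = validate_order($tampered);
if (!$result['ok']) {
    http_response_code(400); // reject before the values reach a query or price
    foreach ($result['errors'] as $field => $msg) {
        echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The is_string guards matter because a field named with `[]` arrives as an array, and the strict third argument to in_array prevents loose comparisons such as `0 == 'standard'` on older PHP versions.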