On Friday, April 5, 2002, at 01:15 PM, Miguel Cruz wrote:

>> For security, you can modify your code so that you check
>> the $_POST elements instead of using the magic globals.
>> That's all well and good.
>> However, someone can copy and save your HTML to their local
>> machine, change some values, change the "Action" page of the
>> form to be http://www.yoursite.com/form_page.php instead of
>> "form_page.php".  You'll be checking the $_POST elements
>> but you won't have any idea that they were changed and posted
>> from the user's local machine.
>> Is there any way to determine where the post request came
>> from w/o using http_referer?
>
> No, nor with it. Someone who wants to mess with you can supply any HTTP
> referer they want to (using something like 'curl -e' or just creating the
> request by hand in a text editor).
>
> You can never assume that submitted data is benign or untampered.

Exactly.  I was kind of blown away when I realized how it all works for 
the first time -- for a few weeks I was assuming that using listboxes or 
radio buttons was safer than using text inputs, since it limits what 
kind of data the user can send you.  But this was completely false 
security on my part, because in reality, the user can send you whatever 
they want -- the browser is only one way to provide this ability to 
users.

Anyone can use telnet to try to send you any POST data they wish, and 
even the stupidest of crackers can figure out how to send GET data in 
the browser's "Address" bar (as you point out in your original post) or 
modify the value in their cookies.

How do you make sure that input or other elements of your HTML pages are 
safe?  Religious error checking.  Write some decent error checking 
functions, and then run them on any user-input data you get before you 
allow that data to have any effect on your code.  DevShed recently had 
an article on the subject of writing a class for form validation: 
http://www.devshed.com/Server_Side/PHP/FormValidatorClass/page1.html

And remember, unless your server is unplugged in a locked room, it's 
never really safe from intrusion.


Erik

----

Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]
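The point Erik makes about listboxes and radio buttons, shown as an added example that is not part of the original thread: since the browser cannot enforce which values arrive, the server re-checks each submitted value against the set of options it actually offered. The field names, option sets and the constructed request are assumptions.

```php
<?php
// Added example (not from the original post). The form's <select> and radio
// inputs restrict nothing; a hand-built POST can carry any value, so the
// server keeps its own list of what it offered and checks against it.

// Options the server actually rendered in the form (assumed field names).
$allowedOptions = [
    'shipping'   => ['standard', 'express'],
    'newsletter' => ['yes', 'no'],
];

/**
 * Check the submitted fields against the allowed option sets, plus a
 * text field that must be a small positive integer.
 * Returns an array of field => error message; empty array means accepted.
 */
function validateForm(array $post, array $allowed): array
{
    $errors = [];
    foreach ($allowed as $field => $options) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        // Strict comparison so "0" or "" cannot pass as a loose match.
        if (!in_array($post[$field], $options, true)) {
            $errors[$field] = 'not one of the offered values';
        }
    }
    // Free-text input: validate by pattern and range, never by trusting the client.
    $qty = $post['quantity'] ?? '';
    if (!is_string($qty) || !preg_match('/^[1-9][0-9]{0,2}$/', $qty)) {
        $errors['quantity'] = 'must be an integer from 1 to 999';
    }
    return $errors;
}

// Constructed request as a tampered client could send it; in real use pass $_POST.
$tampered = ['shipping' => 'free', 'newsletter' => 'yes', 'quantity' => '-5'];
$errors = validateForm($tampered, $allowedOptions);
if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $field => $msg) {
        // Escape before echoing so the rejected input cannot inject markup.
        echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "\n";
    }
    exit;
}
// Only values that passed the checks reach the rest of the code from here on.
```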


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php