On Friday, April 5, 2002, at 01:15 PM, Miguel Cruz wrote:
>> For security, you can modify your code so that you check
>> the $_POST elements instead of using the magic globals.
>> That's all well and good.
>> However, someone can copy and save your HTML to their local
>> machine, change some values, change the "Action" page of the
>> form to be http://www.yoursite.com/form_page.php instead of
>> "form_page.php". You'll be checking the $_POST elements
>> but you won't have any idea that they were changed and posted
>> from the user's local machine.
>> Is there any way to determine where the post request came
>> from w/o using http_referer?
>
> No, nor with it. Someone who wants to mess with you can supply any HTTP
> referer they want to (using something like 'curl -e' or just creating the
> request by hand in a text editor).
>
> You can never assume that submitted data is benign or untampered.

Exactly. I was kind of blown away when I realized how it all works for the first time -- for a few weeks I was assuming that using listboxes or radio buttons was safer than using text inputs, since it limits what kind of data the user can send you. But this was completely false security on my part, because in reality, the user can send you whatever they want -- the browser is only one way to provide this ability to users. Anyone can use telnet to try to send you any POST data they wish, and even the stupidest of crackers can figure out how to send GET data in the browser's "Address" bar (as you point out in your original post) or modify the value in their cookies.

How do you make sure that input or other elements of your HTML pages are safe? Religious error checking. Write some decent error checking functions, and then run them on any user-input data you get before you allow that data to have any effect on your code.
DevShed recently had an article on the subject of writing a class for form validation:
http://www.devshed.com/Server_Side/PHP/FormValidatorClass/page1.html

And remember, unless your server is unplugged in a locked room, it's never really safe from intrusion.

Erik

----
Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
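As an added example that is not part of the original thread, here is a server-side check of the kind described above: every submitted field is compared against an explicit allow-list (for select and radio fields) or a format pattern (for text fields), so a request hand-built with curl or telnet is rejected exactly like a tampered browser form. The function name, rule layout and sample values are assumptions made for this example.

```php
<?php
// Added example (not from the original thread). The browser's <select> and
// radio widgets only constrain what a well-behaved browser sends; the server
// must re-check every value against what the form actually offered.

/**
 * Validate $input (normally $_POST) against $rules. Each rule is either
 *   ['in' => [...allowed values...]]  for select/radio/checkbox fields, or
 *   ['regex' => '/.../']               for free-text fields.
 * Returns an array of field => error message; an empty array means clean.
 */
function validate_form(array $input, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $rule) {
        // Missing fields and non-scalar values (e.g. a field renamed to
        // name[] so PHP builds an array) are rejected before any comparison.
        if (!isset($input[$field]) || !is_scalar($input[$field])) {
            $errors[$field] = 'missing or malformed';
            continue;
        }
        $value = (string) $input[$field];
        // Strict comparison: "0" must not match an allowed value of 0 or false.
        if (isset($rule['in']) && !in_array($value, $rule['in'], true)) {
            $errors[$field] = 'value not in the allowed set';
        } elseif (isset($rule['regex']) && preg_match($rule['regex'], $value) !== 1) {
            $errors[$field] = 'value does not match the expected format';
        }
    }
    return $errors;
}

$rules = [
    'plan'  => ['in' => ['basic', 'pro']],         // the options the <select> offered
    'ship'  => ['in' => ['ground', 'air']],        // the radio buttons offered
    'qty'   => ['regex' => '/^[1-9][0-9]{0,2}$/'], // 1-999
    'email' => ['regex' => '/^[^@\s]+@[^@\s]+\.[^@\s]+$/'],
];

// Constructed sample: a POST assembled by hand instead of through the form.
$tampered = ['plan' => 'admin', 'ship' => 'air', 'qty' => '9999', 'email' => 'a@b.example'];

// In a real page this would be validate_form($_POST, $rules) before any
// database or file access touches the data.
foreach (validate_form($tampered, $rules) as $field => $message) {
    echo "$field: $message\n";
}
```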