If you want to stop most people, try posting an MD5() hash
of the field contents to the form, and then verifying it
upon form submittal.

For example:

<input type=hidden name=form[last] value="Blah">
<input type=hidden name=form[last_md5] value=" ... ">

However, if you get a smart user, he can simply change
the value and the MD5 hash to be the correct hash of
the new value and circumvent all your work. 

(But then again, if you get anyone that's smart and
committed, it's just a matter of time before he will
figure out *some* loophole to subvert your forms)

Scott Hurring
Systems Programmer
EAC Corporation
Voice: 201-462-2149
Fax: 201-288-1515

> -----Original Message-----
> From: John Taylor-Johnston [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 05, 2002 5:24 PM
> Subject: [PHP] Re: Finding out how a variable was registered
> If you change your header to pragma-nocache, he should not be able
> to see the source to know what elements he needs for a <method=get>.
> Or you could also use a session to hide the variables?
> Joe Pemberton wrote:
> > Is there a function call to figure out how a variable was 
> registered?  I am writing a page that handles a form and I 
> need to know whether or not a variable was created using the 
> GET or POST method (I don't want the user to be able to to 
> 'foo.php?var=value' and mess with the results)
> > - - Joe
> >
> --
> John Taylor-Johnston
> --------------------------------------------------------------
> ---------------
>   ' ' '   Collège de Sherbrooke:
>  ô¿ô   http://www.collegesherbrooke.qc.ca/languesmodernes/
>    -     Université de Sherbrooke:
>           http://compcanlit.ca/
>           819-569-2064
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to