A determined hacker can get through.  Period.

Additional safeguards might include username/password authentication against a 

You can only make it more difficult for a hacker to break-in.  You can never have 
absolute certainty he won't.

----- Original Message ----- 
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "Rick Emery" <[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 8:53 AM
Subject: Re: [PHP] extract($_POST)

> The more secure method ensures it MUST come from a form.  Be 
> advised: the user can create his own form with $admin as a variable 
> and submit it to your PHP script.  Therefore, additional precautions 
> and authentication are warranted.

And what should these precautions be?  If a malicious user can submit
his own form and you are looking for a POST variable, how can you
ensure that $admin came from your form and not that user's?  And if that
same user can hijack a session, that makes it so you have even less
precautions you can take.
I'm honestly interested in this.  I've read the security section of the manual,
read similar threads and each time, I've come to the conclusion that you
can really only ever be so secure.  And that all of the tests, checks, 
balances you may implement are all for naught where a really determined
malicious user is concerned.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to