"Monty" <[EMAIL PROTECTED]> wrote:

> Okay, I really want to understand how to make $_GET and $_POST more secure
> because it means changing a fundamental way my scripts are now working.
> So, it sounds like what I need to do in order to make form data more
> is something like this...
> $isAdmin = $_POST['isAdmin'];
> $myName = $_POST['myName'];
> $myPrefs = $_GET['myPrefs'];
> Instead of this...
> extract($_POST);
> extract($_GET);
> Is this correct??

Yes and no. I think it'd be a better idea to validate your
$_POST['something'] or $_GET['something'] before assigning them to

> Now, I can see how this will prevent a cracker from
> flooding a script with invalid variables that are all extracted into local
> vars, but, I don't see how this will prevent someone from hijacking the
> and inserting their own data.

I'm not really sure what you meant by this but the point is nothing is
really secure and you should validate the data that'll come from the user.
As always pointed out, "never trust the user".

> Validating that kind of attack seems almost
> impossible to do especially for things like forms that collect contact
> I really don't want to have to validate every field for every legal
> possibility (especially fields like Country).

There are many places (websites) wherein you can choose the country from a
pulldown menu. This prevents somebody (somehow) from posting something
illegal. Besides, if the values assigned are numbers (e.g. <option
value="100">My Country</option>) then you can check whether the value
is_numeric() or something. Or, even if it's a text field, perhaps you can
use some regex to make sure that you only accept certain characters. (i.e.
alphabet, etc.)

Just some ideas...

- E


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to