RE: [PHP] Preventing data from being reposted?

2005-03-03 Thread pmpa
Sorry, Wrong Reply!!
My mistake :(

-

Hi!
If I understand you correctly, I hope this helps:








There are probably some errors; I haven't run the code.
Pedro.

-Original Message-
From: rory walsh [mailto:[EMAIL PROTECTED]
Sent: Thursday, 3 March 2005 12:01
To: php-general@lists.php.net
Subject: [PHP] Preventing data from being reposted?

Is there any way I can prevent data from being reposted when I hit the
back button on my browser? When I hit back I get a message from my
browser asking do I want to repost the data; can I prevent this window
from appearing?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] Preventing data from being reposted?

2005-03-03 Thread pmpa
Hi!
If I understand you correctly, I hope this helps:








There are probably some errors; I haven't run the code.
Pedro.

-Original Message-
From: rory walsh [mailto:[EMAIL PROTECTED]
Sent: Thursday, 3 March 2005 12:01
To: php-general@lists.php.net
Subject: [PHP] Preventing data from being reposted?

Is there any way I can prevent data from being reposted when I hit the
back button on my browser? When I hit back I get a message from my
browser asking do I want to repost the data; can I prevent this window
from appearing?




RE: [PHP] Preventing data from being reposted?

2005-03-03 Thread Richard Lynch
> POST is not a security measure. I think what's special about POST is
> that it is meant to hold a lot more data. With GET there is a limit to
> how long the querystring can be.

POST also has a (larger) limit.

Actually, both *could* be limitless.

A server is required to have NO LESS THAN $x for its limit on GET.
A server is required to have NO LESS THAN $y for its limit on POST.

$y >> $x but it has a (possible) limit.

Servers are recommended to have the limits as high as possible.

So, again, it boils down to this:
POST versus GET is an aesthetic choice, not Security, not Performance.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread Jochem Maas
Richard Lynch wrote:
> Jochem Maas wrote:
>> Gareth Williams wrote:
>>> Wouldn't using GET instead of POST help?
>>
>> in a way it could - but you don't usually want to use a GET as this
>> can be easily spoofed (i.e. anyone could send you a link or post one in a
>> forum that would do the post action without warning you)
>>
>> which comes down to: you should be 'certified' if you use GET to allow
>> users to submit a payment confirmation - you only want a FORM to be able
>> to submit such a confirmation rather than allowing any old link to issue
>> such a confirmation
>>
>> for a much better description on why using GET is 'bad' in this kind of
>> situation I refer you to posts made by Richard Lynch (I think??) in the
>> last 6 weeks (can't remember the subject I'm afraid)
>
> Gah!
>
> I'm actually the one who said you should *NOT* fool yourself that POST is
> any "more secure" than GET.

oops!

> Only the dumbest of the dumb can't figure out how to save an HTML form and
> modify it to POST whatever they want to your script.
>
> Choosing POST over GET should be a matter of aesthetics, not security.

the point I was trying to make is that if you use POST then you know that
the user had to submit a form. the reason to use POST therefore is simply that
a _third_party_ cannot trick one of your users into clicking a link
that actually changes a

> I have many scripts that will behave "the same" with GET or POST input.
>
> Or, more correctly, would do the same thing if you were trying to spoof
> them with GET/POST input.
>
> The most common example is to view/edit a record in the database, I often
> use a link with GET to get to the edit page, and that has a FORM (POST) to
> the same page to update the record.
>
> I'll use REQUEST all over, and if somebody manages to break in and wants
> to use GET instead of POST to hack it, I don't see a hell of a lot of
> difference.
>
> If they're smart enough to get past the authentication, they're sure as
> hell smart enough to do a forged POST.  [shrug]

you are right - actually I code pretty much the way you describe - but
I was meaning a situation where the user is not the hacker but that the hacker
is a third party trying to trick the user into performing an action,
which is a lot easier to do without alerting the user if the relevant action
can be triggered by a GET.

imagine a link:
<a href="http://www.example.com?a=10&pay=MrX">so payment</a>
<a href="http://www.example.com?a=1&pay=MrHacker">read more</a>
then imagine that as a FORM.

my point is that the link is a lot easier to drop into someone (else's) site than
a form.

but yes you are right when it comes down to it. thanks for the catch.

remind me again why we acknowledge the difference between POST and GET in 2005?

> GET is only "easier" to spoof than POST if you're comparing really really
> really stupid people with really really stupid people...

so you have met parents



Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread Richard Lynch
Jochem Maas wrote:
> Gareth Williams wrote:
>>
>> Wouldn't using GET instead of POST help?
>
> in a way it could - but you don't usually want to use a GET as this
> can be easily spoofed (i.e. anyone could send you a link or post one in a
> forum
> that would do the post action without warning you)
>
> which comes down to: you should be 'certified' if you use GET to allow
> users to submit a payment confirmation - you only want a FORM to be able
> to
> submit such a confirmation rather than allowing any old link to issue such
> a
> confirmation
>
> for a much better description on why using GET is 'bad' in this kind of
> situation
> I refer you to posts made by Richard Lynch (I think??) in the last 6 weeks
> (can't remember the subject I'm afraid)

Gah!

I'm actually the one who said you should *NOT* fool yourself that POST is
any "more secure" than GET.

Only the dumbest of the dumb can't figure out how to save an HTML form and
modify it to POST whatever they want to your script.

Choosing POST over GET should be a matter of aesthetics, not security.

I have many scripts that will behave "the same" with GET or POST input.

Or, more correctly, would do the same thing if you were trying to spoof
them with GET/POST input.

The most common example is to view/edit a record in the database, I often
use a link with GET to get to the edit page, and that has a FORM (POST) to
the same page to update the record.

I'll use REQUEST all over, and if somebody manages to break in and wants
to use GET instead of POST to hack it, I don't see a hell of a lot of
difference.

If they're smart enough to get past the authentication, they're sure as
hell smart enough to do a forged POST.  [shrug]

GET is only "easier" to spoof than POST if you're comparing really really
really stupid people with really really stupid people...




RE: [PHP] Preventing data from being reposted?

2005-03-03 Thread Chris W. Parker
Jochem Maas on Thursday, March 03, 2005 5:57 AM said:

> Gareth Williams wrote:
>> 
>> Wouldn't using GET instead of POST help?
> 
> in a way it could - but you don't usually want to use a GET as this
> can be easily spoofed (i.e. anyone could send you a link or post one
> in a forum that would do the post action without warning you)
> 
> which comes down to: you should be 'certified' if you use GET to allow
> users to submit a payment confirmation - you only want a FORM to be
> able to submit such a confirmation rather than allowing any old link
> to issue such a confirmation

POST can be easily spoofed as well. I can recreate the form found on
your site on my own server and submit my data that way. I can also
submit POST by constructing my own headers in PHP (or just about any
other language for that matter). In both of those cases the data was
submitted in a way unexpected by the site author.

POST is not a security measure. I think what's special about POST is
that it is meant to hold a lot more data. With GET there is a limit to
how long the querystring can be.



Chris.




Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread Jochem Maas
rory walsh wrote:
> I'm pretty sure I am looking at cached pages but the problem with this
> seems to be that some browsers support these header directives and
> others don't, i.e. Firefox.
>
> The following works in IE but not Firefox
> header("Cache-control: private");
> header("Cache-Control: no-store, no-cache, must-revalidate");

I'd guess that should work but maybe the 'private' throws firefox a
curveball, anyway here are the headers I use to 'privatise' logged in sessions:

// a date in the past
header("Expires: " . gmdate("D, d M Y H:i:s", strtotime('1-Jan-1980')) . " GMT");
// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
// HTTP/1.0
header("Pragma: no-cache");

I put that lot together from trial and error more than anything,
if it sucks then somebody please say something!

1 piece of advice when debugging stuff to do with sessions:
every time you test whatever it is you're doing close all your browser windows
(kill the app) first then open a new browser and then perform the actions you
want to test. and just to be absolutely sure first clear the browser cache.

>> maybe you are looking at cached pages in your browser?
>> if 'session_variable=="yes"' equates to true then you should send out
>> headers that tell the browser not to cache the output (or make it
>> private/force-revalidation)
>>
>>> Jochem Maas wrote:
>>>> eoghan wrote:
>>>>> I think I've missed a few mails there...?
>>>>> rory walsh wrote:
>>>>>> Cheers, I'll take a look. I had tried a search but Thunderbird
>>>>>> didn't find anything, even with the exact thread title; I had to
>>>>>> Google it. Anyway I'll take a look.
>>>>
>>>> my first google hit on search for the exact title gave me this:
>>>> http://www.issociate.de/board/post/171234/Clear_POST_variables_on_page_refresh.html




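An added example (my code, not code from anyone in this thread): a PHP login/logout page that sends the no-cache header set Jochem lists above and, on top of that, answers every POST with a redirect (Post/Redirect/Get). The redirect is what actually removes the "repost the data?" prompt: the browser follows a 303 with a GET, so there is no POST in its history to resend, and the cached-page problem rory describes is covered by the headers. The function names, the file name login.php and the session key 'logged_in' are my assumptions.

```php
<?php
// Added example, not from the thread. Assumed names: send_no_cache_headers(),
// handle_login_post(), render_state(), login.php, session key 'logged_in'.

session_start();

// The header set Jochem posted, emitted before any output. With
// session.cache_limiter at its default ("nocache") session_start() already
// sends an equivalent set, so this mostly matters when that INI setting has
// been changed.
function send_no_cache_headers(): void
{
    header("Expires: " . gmdate("D, d M Y H:i:s", strtotime('1-Jan-1980')) . " GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");
}

// Apply a login or logout POST to the session. Returns the URL to redirect to,
// or null when the request carries neither button.
function handle_login_post(array $post, array &$session): ?string
{
    if (isset($post['logout'])) {
        $session['logged_in'] = "no";
        return "login.php";
    }
    if (isset($post['login'])) {
        $session['logged_in'] = "yes";
        return "login.php";
    }
    return null;
}

// Render the current state for a GET. Nothing here reads $_POST, so a reload
// or a back-button visit is a plain GET with no form data to resend.
function render_state(array $session): string
{
    if (($session['logged_in'] ?? "no") === "yes") {
        return 'you have logged in'
             . '<form method="post" action="login.php">'
             . '<input type="submit" name="logout" value="Log out"></form>';
    }
    return 'you are not logged in'
         . '<form method="post" action="login.php">'
         . '<input type="submit" name="login" value="Log in"></form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $next = handle_login_post($_POST, $_SESSION);
    if ($next !== null) {
        if (isset($_POST['login'])) {
            // New session id on login so a fixed pre-login id is not promoted.
            session_regenerate_id(true);
        }
        // 303 See Other: the browser follows with a GET and the POST itself does
        // not become a history entry it would offer to repost.
        header("Location: " . $next, true, 303);
        exit;
    }
}

send_no_cache_headers();
echo render_state($_SESSION);
```

Of the cache directives, `no-store` is the one that matters most for the back button, since it tells the browser not to keep a copy to restore from history; the 303 redirect is what stops the repost prompt regardless of what the browser caches.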


Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread rory walsh
I'm pretty sure I am looking at cached pages but the problem with this
seems to be that some browsers support these header directives and
others don't, i.e. Firefox.

The following works in IE but not Firefox
header("Cache-control: private");
header("Cache-Control: no-store, no-cache, must-revalidate");

> maybe you are looking at cached pages in your browser?
> if 'session_variable=="yes"' equates to true then you should send out
> headers that tell the browser not to cache the output (or make it
> private/force-revalidation)
>
>> Jochem Maas wrote:
>>> eoghan wrote:
>>>> I think I've missed a few mails there...?
>>>> rory walsh wrote:
>>>>> Cheers, I'll take a look. I had tried a search but Thunderbird
>>>>> didn't find anything, even with the exact thread title; I had to
>>>>> Google it. Anyway I'll take a look.
>>>
>>> my first google hit on search for the exact title gave me this:
>>> http://www.issociate.de/board/post/171234/Clear_POST_variables_on_page_refresh.html





Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread Jochem Maas
rory walsh wrote:
> Yeah I got it, cheers. Actually the problem I am getting is more to do
> with my session variables I think? Here is the gist of the code.
>
> session_start();
> if (isset($_POST['logout'])) {        // log out button has been pressed
>     $_SESSION['session_variable'] = "no";
> }
> if (isset($_POST['login'])) {         // log in button has been pressed
>     $_SESSION['session_variable'] = "yes";
> }
> if (isset($_SESSION['session_variable']) && $_SESSION['session_variable'] == "yes") {
>     // display the string "you have logged in" and place a button on the page
>     // so they can log out.
>     echo "you have logged in";
>     echo '<form method="post"><input type="submit" name="logout" value="Log out"></form>';
> } else {
>     echo "you are not logged in";
> }

the pseudocode seems ok - no way of knowing how this reflects
on your actual code though.

> The problem is that I can always get back to the "you have logged in"
> display by simply pressing back, even though once the user hits the
> logout button the variable is no longer "yes"? I have to hit the back
> button a few times to get the "you have logged in" message. No doubt
> there are mistakes elsewhere in my code, but can anyone just verify that
> the above code should run without a problem?

maybe you are looking at cached pages in your browser?
if 'session_variable=="yes"' equates to true then you should send out
headers that tell the browser not to cache the output (or make it
private/force-revalidation)

> Jochem Maas wrote:
>> eoghan wrote:
>>> I think I've missed a few mails there...?
>>> rory walsh wrote:
>>>> Cheers, I'll take a look. I had tried a search but Thunderbird
>>>> didn't find anything, even with the exact thread title; I had to
>>>> Google it. Anyway I'll take a look.
>>
>> my first google hit on search for the exact title gave me this:
>> http://www.issociate.de/board/post/171234/Clear_POST_variables_on_page_refresh.html




Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread rory walsh
Yeah I got it, cheers. Actually the problem I am getting is more to do
with my session variables I think? Here is the gist of the code.

session_start();
if (isset($_POST['logout'])) {        // log out button has been pressed
    $_SESSION['session_variable'] = "no";
}
if (isset($_POST['login'])) {         // log in button has been pressed
    $_SESSION['session_variable'] = "yes";
}
if (isset($_SESSION['session_variable']) && $_SESSION['session_variable'] == "yes") {
    // display the string "you have logged in" and place a button on the page
    // so they can log out.
    echo "you have logged in";
    echo '<form method="post"><input type="submit" name="logout" value="Log out"></form>';
} else {
    echo "you are not logged in";
}

The problem is that I can always get back to the "you have logged in" 
display by simply pressing back, even though once the user hits the 
logout button the variable is no longer "yes"? I have to hit the back 
button a few times to get the "you have logged in" message. No doubt 
there are mistakes elsewhere in my code, but can anyone just verify that 
the above code should run without a problem?


Jochem Maas wrote:
> eoghan wrote:
>> I think I've missed a few mails there...?
>> rory walsh wrote:
>>> Cheers, I'll take a look. I had tried a search but Thunderbird didn't
>>> find anything, even with the exact thread title; I had to Google it.
>>> Anyway I'll take a look.
>
> my first google hit on search for the exact title gave me this:
> http://www.issociate.de/board/post/171234/Clear_POST_variables_on_page_refresh.html



Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread Jochem Maas
eoghan wrote:
> I think I've missed a few mails there...?
> rory walsh wrote:
>> Cheers, I'll take a look. I had tried a search but Thunderbird didn't
>> find anything, even with the exact thread title; I had to Google it.
>> Anyway I'll take a look.

my first google hit on search for the exact title gave me this:
http://www.issociate.de/board/post/171234/Clear_POST_variables_on_page_refresh.html



Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread Jochem Maas
Gareth Williams wrote:
> Wouldn't using GET instead of POST help?

in a way it could - but you don't usually want to use a GET as this
can be easily spoofed (i.e. anyone could send you a link or post one in a forum
that would do the post action without warning you)

which comes down to: you should be 'certified' if you use GET to allow
users to submit a payment confirmation - you only want a FORM to be able to
submit such a confirmation rather than allowing any old link to issue such a
confirmation

for a much better description on why using GET is 'bad' in this kind of
situation I refer you to posts made by Richard Lynch (I think??) in the last
6 weeks (can't remember the subject I'm afraid)

> Gareth Williams
> venditor.com
> Buy cool stuff online at venditor.com (http://www.venditor.com)
>
> On 3 Mar 2005, at 14:20, Jochem Maas wrote:
>> rory walsh wrote:
>>> Thanks Eoghan, I have tried the following but it still reposts the
>>> data from the form and goes back a page?
>>> header("Cache-control: private");
>>> header("Cache-Control: no-store, no-cache, must-revalidate");
>>> header("Cache-Control: post-check=0, pre-check=0", false);
>>> header("Pragma: no-cache");
>>> Am I right in assuming that the above headers should prevent the user
>>> from going back in the first place as no cache has been taken?
>>
>> no - just that if they do then the page will have to be reloaded (under
>> std conditions the user then gets the 'Are you sure you want to
>> repost?' kind of message)
>>
>> before asking anything more on this topic, look up a thread on this
>> list's archive entitled
>> 'Clear POST variables on page refresh'
>> this should give you a heads-up on the issues + a good suggestion by Richard
>> Lynch on how to handle this (his idea uses md5 hashes to 'auth'
>> specific POST actions, when the POST occurs the given hash is invalidated...
>> read original thread for full info)
>>
>> Eoghan wrote:
>>> you can use header()
>>> http://ie.php.net/header
>>> rory walsh wrote:
>>>> Is there any way I can prevent data from being reposted when I hit
>>>> the back button on my browser? When I hit back I get a message from
>>>> my browser asking do I want to repost the data; can I prevent this
>>>> window from appearing?



Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread eoghan
I think I've missed a few mails there...?

rory walsh wrote:
> Cheers, I'll take a look. I had tried a search but Thunderbird didn't
> find anything, even with the exact thread title; I had to Google it.
> Anyway I'll take a look.
>
> Jochem Maas wrote:
>> rory walsh wrote:
>>> Thanks Eoghan, I have tried the following but it still reposts the
>>> data from the form and goes back a page?
>>>
>>> header("Cache-control: private");
>>> header("Cache-Control: no-store, no-cache, must-revalidate");
>>> header("Cache-Control: post-check=0, pre-check=0", false);
>>> header("Pragma: no-cache");
>>> Am I right in assuming that the above headers should prevent the
>>> user from going back in the first place as no cache has been taken?
>>
>> no - just that if they do then the page will have to be reloaded (under
>> std conditions the user then gets the 'Are you sure you want to
>> repost?' kind of message)
>>
>> before asking anything more on this topic, look up a thread on this
>> list's archive entitled
>> 'Clear POST variables on page refresh'
>> this should give you a heads-up on the issues + a good suggestion by
>> Richard Lynch on how to handle this (his idea uses md5 hashes to 'auth'
>> specific POST actions, when the POST occurs the given hash is
>> invalidated... read original thread for full info)
>>
>> Eoghan wrote:
>>> you can use header()
>>> http://ie.php.net/header
>>> rory walsh wrote:
>>>> Is there any way I can prevent data from being reposted when I hit
>>>> the back button on my browser? When I hit back I get a message
>>>> from my browser asking do I want to repost the data; can I prevent
>>>> this window from appearing?





Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread rory walsh
Cheers, I'll take a look. I had tried a search but Thunderbird didn't
find anything, even with the exact thread title; I had to Google it.
Anyway I'll take a look.

Jochem Maas wrote:
> rory walsh wrote:
>> Thanks Eoghan, I have tried the following but it still reposts the
>> data from the form and goes back a page?
>>
>> header("Cache-control: private");
>> header("Cache-Control: no-store, no-cache, must-revalidate");
>> header("Cache-Control: post-check=0, pre-check=0", false);
>> header("Pragma: no-cache");
>> Am I right in assuming that the above headers should prevent the user
>> from going back in the first place as no cache has been taken?
>
> no - just that if they do then the page will have to be reloaded (under
> std conditions the user then gets the 'Are you sure you want to repost?'
> kind of message)
>
> before asking anything more on this topic, look up a thread on this
> list's archive entitled
> 'Clear POST variables on page refresh'
> this should give you a heads-up on the issues + a good suggestion by Richard
> Lynch on how to handle this (his idea uses md5 hashes to 'auth' specific
> POST actions, when the POST occurs the given hash is invalidated... read
> original thread for full info)
>
> Eoghan wrote:
>> you can use header()
>> http://ie.php.net/header
>> rory walsh wrote:
>>> Is there any way I can prevent data from being reposted when I hit
>>> the back button on my browser? When I hit back I get a message from
>>> my browser asking do I want to repost the data; can I prevent this
>>> window from appearing?




Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread Gareth Williams
Wouldn't using GET instead of POST help?

Gareth Williams
venditor.com
Buy cool stuff online at venditor.com (http://www.venditor.com)

On 3 Mar 2005, at 14:20, Jochem Maas wrote:
> rory walsh wrote:
>> Thanks Eoghan, I have tried the following but it still reposts the
>> data from the form and goes back a page?
>> header("Cache-control: private");
>> header("Cache-Control: no-store, no-cache, must-revalidate");
>> header("Cache-Control: post-check=0, pre-check=0", false);
>> header("Pragma: no-cache");
>> Am I right in assuming that the above headers should prevent the user
>> from going back in the first place as no cache has been taken?
>
> no - just that if they do then the page will have to be reloaded (under
> std conditions the user then gets the 'Are you sure you want to
> repost?' kind of message)
>
> before asking anything more on this topic, look up a thread on this
> list's archive entitled
> 'Clear POST variables on page refresh'
> this should give you a heads-up on the issues + a good suggestion by
> Richard Lynch on how to handle this (his idea uses md5 hashes to 'auth'
> specific POST actions, when the POST occurs the given hash is
> invalidated... read original thread for full info)
>
> Eoghan wrote:
>> you can use header()
>> http://ie.php.net/header
>> rory walsh wrote:
>>> Is there any way I can prevent data from being reposted when I hit
>>> the back button on my browser? When I hit back I get a message from
>>> my browser asking do I want to repost the data; can I prevent this
>>> window from appearing?



Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread Jochem Maas
rory walsh wrote:
> Thanks Eoghan, I have tried the following but it still reposts the data
> from the form and goes back a page?
>
> header("Cache-control: private");
> header("Cache-Control: no-store, no-cache, must-revalidate");
> header("Cache-Control: post-check=0, pre-check=0", false);
> header("Pragma: no-cache");
> Am I right in assuming that the above headers should prevent the user
> from going back in the first place as no cache has been taken?

no - just that if they do then the page will have to be reloaded (under
std conditions the user then gets the 'Are you sure you want to repost?' kind
of message)

before asking anything more on this topic, look up a thread on this
list's archive entitled
'Clear POST variables on page refresh'
this should give you a heads-up on the issues + a good suggestion by Richard
Lynch on how to handle this (his idea uses md5 hashes to 'auth' specific POST
actions, when the POST occurs the given hash is invalidated... read original
thread for full info)

> Eoghan wrote:
>> you can use header()
>> http://ie.php.net/header
>> rory walsh wrote:
>>> Is there any way I can prevent data from being reposted when I hit the
>>> back button on my browser? When I hit back I get a message from my
>>> browser asking do I want to repost the data; can I prevent this
>>> window from appearing?


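Richard Lynch's single-use hash idea, as Jochem relays it above, written out as an added example (my code, not from this thread or from the 'Clear POST variables on page refresh' thread it refers to): a token is issued with the form, stored in the session, and forgotten the moment the POST that carries it is accepted, so a back-button resend of the same form is refused instead of running the action twice. I draw the token from random_bytes() rather than md5, and the function names, the TTL, the session key 'form_tokens' and the file names pay.php and confirm.php are my assumptions. Because the token lives only in the user's session, a form planted on another site cannot carry a valid one, which is the third-party-link case Jochem raises elsewhere in the thread.

```php
<?php
// Added example, not from the thread. Assumed names: issue_form_token(),
// consume_form_token(), TOKEN_TTL_SECONDS, session key 'form_tokens',
// pay.php and confirm.php.

session_start();

const TOKEN_TTL_SECONDS = 900;   // assumed lifetime of an unused token

// Issue a fresh single-use token and remember when it was issued.
function issue_form_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $session['form_tokens'][$token] = $now;
    return $token;
}

// Accept a token exactly once. Returns true, and forgets the token, on its
// first valid use; false for an unknown, expired or already-used token.
// A reposted form (back button + resend) and a form submitted from another
// site both land in the false branch, so the action runs at most once and
// only from a form this site handed out to this session.
function consume_form_token(array &$session, ?string $token, int $now): bool
{
    if ($token === null || empty($session['form_tokens'])) {
        return false;
    }
    // foreach iterates a copy of the array, so unsetting entries is safe here.
    foreach ($session['form_tokens'] as $stored => $issued) {
        if ($now - $issued > TOKEN_TTL_SECONDS) {
            unset($session['form_tokens'][$stored]);   // expired: drop it
            continue;
        }
        if (hash_equals((string) $stored, $token)) {
            unset($session['form_tokens'][$stored]);   // invalidate on use
            return true;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only accept a scalar token; an array (token[]=...) is treated as absent.
    $sent = isset($_POST['token']) && is_string($_POST['token']) ? $_POST['token'] : null;
    if (!consume_form_token($_SESSION, $sent, time())) {
        http_response_code(400);
        echo "This form was already submitted or has expired.";
        exit;
    }
    // ... perform the one-off action (recording the payment, say) here ...
    header("Location: confirm.php", true, 303);   // redirect after POST as well
    exit;
}

// GET: hand out a form with a fresh token.
$token = issue_form_token($_SESSION, time());
echo '<form method="post" action="pay.php">'
   . '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
   . '<input type="submit" name="pay" value="Confirm payment"></form>';
```

The 303 after a successful POST is kept on purpose: the token stops the action from repeating, but only the redirect stops the browser from offering to repost at all. Comparing with hash_equals() rather than == keeps the lookup constant-time and avoids PHP's loose numeric comparison of hex strings.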


Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread rory walsh
Thanks Eoghan, I have tried the following but it still reposts the data
from the form and goes back a page?

header("Cache-control: private");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
Am I right in assuming that the above headers should prevent the user
from going back in the first place as no cache has been taken?

Eoghan wrote:
> you can use header()
> http://ie.php.net/header
> rory walsh wrote:
>> Is there any way I can prevent data from being reposted when I hit the
>> back button on my browser? When I hit back I get a message from my
>> browser asking do I want to repost the data; can I prevent this window
>> from appearing?



Re: [PHP] Preventing data from being reposted?

2005-03-03 Thread eoghan
you can use header()
http://ie.php.net/header

rory walsh wrote:
> Is there any way I can prevent data from being reposted when I hit the
> back button on my browser? When I hit back I get a message from my
> browser asking do I want to repost the data; can I prevent this window
> from appearing?



[PHP] Preventing data from being reposted?

2005-03-03 Thread rory walsh
Is there any way I can prevent data from being reposted when I hit the
back button on my browser? When I hit back I get a message from my
browser asking do I want to repost the data; can I prevent this window
from appearing?
