Re: [PHP] is there a better way to know from which php file the request comes from ??
I was reviewing ur post, and thinking u might talk about a pretty common application like in a sequence of order form u want first the billing data then the shipping data. for both u need just the same form u then process on script3. in such a case it doesn't matter if u use hidden fields or url parameter, GET or POST to run different code for each form data in sript 3 neither can I see a security issue here. u processing only the variables u defined. and what does it matter if you have an hidden field like stepp=1 or stepp=2 and a bored user put just for fun stepp=99 to piek ur ass. just take care in ur code for it and display something (e.g. "hang on , big brother is watching u") this is good practice and common all over. any PHPer got his own way to do it, and I think u r in the process to find urs. just try what u like best. if you have a real security issue come back with more details about the SECURITY issue and I m shure the group will have a good brainstorm going again. have fun ralph_def...@yahoo.de "nashrul" wrote in message news:25003587.p...@talk.nabble.com... > > This is a newbie question... > Let's say there are 3 php files, page1.php, page2.php and page3.php. Form > submission from page1.php or page2.php will take user to page3.php. > I know that we can use parameter that is appended in the action attribute of > the form (e.g ) > But I think, appending this parameter is transparent to the user, since it's > visible in the url. > And I think we can also use the hidden field or (form name ??.). > So which one is most secured and better ?? > Thanks.. > -- > View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html > Sent from the PHP - General mailing list archive at Nabble.com. > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
On 8/17/09 5:17 AM, "nashrul" wrote: > This is a newbie question... > Let's say there are 3 php files, page1.php, page2.php and page3.php. Form > submission from page1.php or page2.php will take user to page3.php. > I know that we can use parameter that is appended in the action attribute of > the form (e.g ) > But I think, appending this parameter is transparent to the user, since it's > visible in the url. > And I think we can also use the hidden field or (form name ??.). > So which one is most secured and better ?? i'm not in love with using the form POST method combined with an action url that includes pseudo-GET parameters. for POST forms, i use a convention of always having a hidden input in the form to indicate which form sent the query, e.g. this also comes in handy if one server script processes more than one form. as for security, there's little difference between this method, using GET values, using HTTP_REFERER, or what have you. protection against spoofing lies not in these choices. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
On 8/17/09 5:24 AM, "Ashley Sheridan" wrote: > On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote: >> This is a newbie question... >> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form >> submission from page1.php or page2.php will take user to page3.php. >> I know that we can use parameter that is appended in the action attribute of >> the form (e.g ) >> But I think, appending this parameter is transparent to the user, since it's >> visible in the url. >> And I think we can also use the hidden field or (form name ??.). >> So which one is most secured and better ?? >> Thanks.. >> -- >> View this message in context: >> http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-r >> equest-comes-fromtp25003587p25003587.html >> Sent from the PHP - General mailing list archive at Nabble.com. >> >> > Neither GET or POST is more secure, it's just that POST requires a tiny > bit more work to see what's being sent. You can use the > $_SERVER['HTTP_REFERER'] variable to detect where a request has come > from. The documentation for this particular variable mentions that it > can't be trusted, as it can be changed by the client browser, but then, > so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER > route, because it is completely transparent, and the majority of users > aren't going to bother changing it. your probably right. though i remember when i considered using HTTP_REFERER. i looked up the http rfc and it said that use of the header was optional. that made sense. so i decided not to make any of app functionality depend on it. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
> This is a newbie question... > Let's say there are 3 php files, page1.php, page2.php and page3.php. Form > submission from page1.php or page2.php will take user to page3.php. > I know that we can use parameter that is appended in the action attribute of > the form (e.g ) > But I think, appending this parameter is transparent to the user, since it's > visible in the url. Why does it matter? I don't meant to suggest that it doesn't, but I'm just wondering if you could explain the design of your app a bit. You've sketched out an attack scenario in which a user maliciously alters a variable in the request so that page3.php thinks the request is coming from page2.php, when in fact it's coming from page1.php -- or vice versa. But suppose an attacker does trick page3.php into mistaking the origin of the POST. Does it make a difference? Presumably page3.php will be filtering all of its input, and will discard the request if, for example, it claims to be from page2.php but doesn't contain the sort of data that a request from page2 would contain. But if it does contain the right data, and the data is valid, then does it matter if the data was not actually collected on page2.php? The statelessness of HTTP can be one of its beauties -- and I would be inclined against introducing statefulness unless the app really needs it. At any rate your problem is reminiscent of CSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery And I'm wondering if you could borrow from anti-CSRF techniques to solve it (assuming, again, that it really needs to be solved). Ben -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
On Mon, 2009-08-17 at 19:04 +0200, Ralph Deffke wrote: > If u need a solution to know where the request comes from on a certain > secure level u can use cookies. > > u might also have run into pages on the web giving u hard readable images u > have to put into a form field. toghether with cookies these design gives u > 1000% from where the form data come. > > depends what security level u whant to implement > > regards > ralph_def...@yahoo.de > > > "nashrul" wrote in message > news:25003587.p...@talk.nabble.com... > > > > This is a newbie question... > > Let's say there are 3 php files, page1.php, page2.php and page3.php. Form > > submission from page1.php or page2.php will take user to page3.php. > > I know that we can use parameter that is appended in the action attribute > of > > the form (e.g ) > > But I think, appending this parameter is transparent to the user, since > it's > > visible in the url. > > And I think we can also use the hidden field or (form name ??.). > > So which one is most secured and better ?? > > Thanks.. > > -- > > View this message in context: > http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html > > Sent from the PHP - General mailing list archive at Nabble.com. > > > > > Nothing that comes from the client can be considered secure, so cookies are out too I'm afraid. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
If u need a solution to know where the request comes from on a certain secure level u can use cookies. u might also have run into pages on the web giving u hard readable images u have to put into a form field. toghether with cookies these design gives u 1000% from where the form data come. depends what security level u whant to implement regards ralph_def...@yahoo.de "nashrul" wrote in message news:25003587.p...@talk.nabble.com... > > This is a newbie question... > Let's say there are 3 php files, page1.php, page2.php and page3.php. Form > submission from page1.php or page2.php will take user to page3.php. > I know that we can use parameter that is appended in the action attribute of > the form (e.g ) > But I think, appending this parameter is transparent to the user, since it's > visible in the url. > And I think we can also use the hidden field or (form name ??.). > So which one is most secured and better ?? > Thanks.. > -- > View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html > Sent from the PHP - General mailing list archive at Nabble.com. > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
HTTP_REFERRER is transparent, but if can be messed with very easily. I prefer use of $_SESSION vars if security is needed in my application (epically when a page is shown after a POST request) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] is there a better way to know from which php file the request comes from ??
On Mon, 2009-08-17 at 02:17 -0700, nashrul wrote: > This is a newbie question... > Let's say there are 3 php files, page1.php, page2.php and page3.php. Form > submission from page1.php or page2.php will take user to page3.php. > I know that we can use parameter that is appended in the action attribute of > the form (e.g ) > But I think, appending this parameter is transparent to the user, since it's > visible in the url. > And I think we can also use the hidden field or (form name ??.). > So which one is most secured and better ?? > Thanks.. > -- > View this message in context: > http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html > Sent from the PHP - General mailing list archive at Nabble.com. > > Neither GET or POST is more secure, it's just that POST requires a tiny bit more work to see what's being sent. You can use the $_SERVER['HTTP_REFERER'] variable to detect where a request has come from. The documentation for this particular variable mentions that it can't be trusted, as it can be changed by the client browser, but then, so can hidden form fields, etc. Personally, I'd go with the HTTP_REFERER route, because it is completely transparent, and the majority of users aren't going to bother changing it. Thanks, Ash http://www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] is there a better way to know from which php file the request comes from ??
This is a newbie question... Let's say there are 3 php files, page1.php, page2.php and page3.php. Form submission from page1.php or page2.php will take user to page3.php. I know that we can use parameter that is appended in the action attribute of the form (e.g ) But I think, appending this parameter is transparent to the user, since it's visible in the url. And I think we can also use the hidden field or (form name ??.). So which one is most secured and better ?? Thanks.. -- View this message in context: http://www.nabble.com/is-there-a-better-way-to-know-from-which-php-file-the-request-comes-fromtp25003587p25003587.html Sent from the PHP - General mailing list archive at Nabble.com. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php