[PHP] Hacker problem

2003-03-12 Thread Pag
Been having some hacker problems on my site, and a simple one: I have a shoutbox, a simple form with name and text that adds lines to the database. I do checks for insults, too long words, tags, etc, but its still possible to circumvent those checks by adding the data on the url instead of

Re: [PHP] Hacker problem

2003-03-12 Thread Leif K-Brooks
You're checking with javascript, correct? If so, try checking server-side too. Pag wrote: Been having some hacker problems on my site, and a simple one: I have a shoutbox, a simple form with name and text that adds lines to the database. I do checks for insults, too long words, tags,

RE: [PHP] Hacker problem

2003-03-12 Thread Sysadmin
] Subject: [PHP] Hacker problem Been having some hacker problems on my site, and a simple one: I have a shoutbox, a simple form with name and text that adds lines to the database. I do checks for insults, too long words, tags, etc, but its still possible to circumvent those

Re: [PHP] Hacker problem

2003-03-12 Thread Leif K-Brooks
-Original Message- From: Pag [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:35 AM To: [EMAIL PROTECTED] Subject: [PHP] Hacker problem Been having some hacker problems on my site, and a simple one: I have a shoutbox, a simple form with name and text that adds lines

RE: [PHP] Hacker problem

2003-03-12 Thread Dan Hardiker
that specific form. Hope this helps! Brian Drexler -Original Message- From: Pag [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:35 AM To: [EMAIL PROTECTED] Subject: [PHP] Hacker problem Been having some hacker problems on my site, and a simple one: I have

RE: [PHP] Hacker problem

2003-03-12 Thread Sysadmin
How would one go about doing this? -Original Message- From: Dan Hardiker [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:44 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem This could still be faked easily with a telnet

RE: [PHP] Hacker problem

2003-03-12 Thread Adam Voigt
[mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:44 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem This could still be faked easily with a telnet session and some fake

Re: [PHP] Hacker problem

2003-03-12 Thread Leif K-Brooks
To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Hacker problem That can still easily be spoofed. The only safe way is to validate the form server-side. [EMAIL PROTECTED] wrote: Yes, theoretically...you could require it to be posted data. In order to do this you would have to make

RE: [PHP] Hacker problem

2003-03-12 Thread Sysadmin
PROTECTED] Sent: Wednesday, March 12, 2003 8:44 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem This could still be faked easily with a telnet session and some fake http headers. Your only way of making sure is to create a serverside script which

RE: [PHP] Hacker problem

2003-03-12 Thread Sysadmin
So we aren't actually validating where the data is coming from, we are just validating the data? -Original Message- From: Leif K-Brooks [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:57 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Hacker problem

Re: [PHP] Hacker problem

2003-03-12 Thread Leif K-Brooks
PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem Why don't you just do the swear filtering on shoutb.php, or wherever it's actually being inserted into the database? On Wed, 2003-03-12 at 08:51, [EMAIL PROTECTED] wrote: How would one go about doing this? -Original

RE: [PHP] Hacker problem

2003-03-12 Thread Adam Voigt
] Sent: Wednesday, March 12, 2003 8:55 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: [PHP] Hacker problem Why don't you just do the swear filtering on shoutb.php, or wherever it's actually being inserted

Re: [PHP] Hacker problem

2003-03-12 Thread Leif K-Brooks
] Subject: Re: [PHP] Hacker problem `if(stristr($text,'badword') or stristr($text,'badword2') or strlen($text) > $maxlength){ die('Invalid!'); }` [EMAIL PROTECTED] wrote: So how could you validate it server-side? -Original Message- From: Leif K-Brooks [ mailto:[EMAIL PROTECTED] Sent: Wednesday

RE: [PHP] Hacker problem

2003-03-12 Thread Sysadmin
Thanks! That's all I needed to know. -Original Message- From: Leif K-Brooks [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 9:04 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Hacker problem That's just not possible. [EMAIL PROTECTED] wrote: Swear

Re: [PHP] Hacker problem

2003-03-12 Thread CPT John W. Holmes
PROTECTED] Sent: Wednesday, March 12, 2003 9:02 AM Subject: RE: [PHP] Hacker problem So we aren't actually validating where the data is coming from, we are just validating the data? -Original Message- From: Leif K-Brooks [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:57

Re: [PHP] Hacker problem

2003-03-12 Thread Mirek Novak
[EMAIL PROTECTED] wrote: Swear filtering is easy, I want to know how to make sure the data is coming from MY form... I'm just picky like that. :-) Hi, I've done it via a ticket system - into my form I've added field `<input type=hidden name=ticket_to_ride value=32-byte long generated ticket>` -

RE: [PHP] Hacker problem

2003-03-12 Thread Dennis Cole
:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 9:43 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [PHP] Hacker problem Importance: Low [EMAIL PROTECTED] wrote: Swear filtering is easy, I want to know how to make sure the data is coming from MY form... I'm just picky like

Re: [PHP] Hacker problem

2003-03-12 Thread CPT John W. Holmes
If you are really that strict about it coming from your site, have your form page create an image with five letters or numbers on it - like 4Y6O7. Have it create a new one each time. Then use crypt to encrypt it and put the encrypted one into a form value, have the person that is submitting the

RE: [PHP] Hacker problem

2003-03-12 Thread John W. Holmes
- A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/ -Original Message- From: Dennis Cole [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 12, 2003 8:54 PM To: CPT John W. Holmes Subject: RE: [PHP] Hacker problem A script cannot read a number from

Re: [PHP] Hacker problem

2003-03-12 Thread Mirek Novak
CPT John W. Holmes wrote: This is no good unless you're saving the value server side somewhere. With this method, I can still post to your page from anywhere, so long as I set the two variables the same. Who cares if the data came from your page, just validate it! No matter what you do, it can be
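The points made across the thread (do the insult, length and tag checks in the script that performs the insert, accept only POSTed data, and keep any hidden-field ticket stored server-side so it cannot simply be echoed back) put together in one handler, as an added example that is not code from any of the posters; it assumes a PHP session, a PDO connection `$db` and a table `shouts(name, text)`, and uses current PHP functions rather than 2003-era ones.

```php
<?php
// Added example (not from the thread). Assumes session support, a PDO
// connection $db and a table shouts(name, text); names are illustrative.
session_start();

// Form page: issue a fresh ticket and remember it server-side. Without the
// server-side copy, a client can send any matching pair of values it likes.
function issue_ticket(): string {
    $ticket = bin2hex(random_bytes(16));   // 32 hex characters
    $_SESSION['shout_ticket'] = $ticket;
    return $ticket;
}
// echo '<input type="hidden" name="ticket_to_ride" value="' . issue_ticket() . '">';

// Handler (the page that actually inserts): every check lives here, so
// bypassing the JavaScript or sending the fields on the URL gains nothing.
function validate_shout(array $post, array &$session, int $maxlength = 200): array {
    // The ticket must equal the stored one and is consumed after a single use.
    $expected = $session['shout_ticket'] ?? '';
    unset($session['shout_ticket']);
    $given = (string)($post['ticket_to_ride'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return ['error' => 'bad ticket'];
    }
    // Tags are stripped rather than trusted; lengths are checked on the result.
    $name = trim(strip_tags((string)($post['name'] ?? '')));
    $text = trim(strip_tags((string)($post['text'] ?? '')));
    if ($name === '' || $text === '')                  return ['error' => 'empty'];
    if (strlen($name) > 30 || strlen($text) > $maxlength) return ['error' => 'too long'];
    foreach (preg_split('/\s+/', $text) as $word) {    // layout-breaking words
        if (strlen($word) > 40) return ['error' => 'word too long'];
    }
    foreach (['badword', 'badword2'] as $bad) {        // placeholder insult list
        if (stristr($text, $bad) !== false) return ['error' => 'insult'];
    }
    return ['name' => $name, 'text' => $text];         // cleaned values to store
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {           // GET submissions are refused
    http_response_code(405);
    die('Invalid!');
}
$result = validate_shout($_POST, $_SESSION);
if (isset($result['error'])) {
    http_response_code(400);
    die('Invalid!');
}
// Parameterised insert: the text never becomes part of the SQL statement.
$stmt = $db->prepare('INSERT INTO shouts (name, text) VALUES (?, ?)');
$stmt->execute([$result['name'], $result['text']]);
```

The ticket only proves the request went through a page that issued one; as the last post says, the data itself still has to be validated, which is why the length and content checks run regardless of the ticket.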