[PHP] secure alternative to HTTP_REFERER

2007-04-24 Thread AraDaen
I'm looking for info about a secure alternative to the use of 
$_SERVER['HTTP_REFERER'] to check in a script where $_POST vars
are arriving from.

Any suggestions?

Thanks a lot.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] secure alternative to HTTP_REFERER

2007-04-24 Thread AraDaen
Thanks guys, now I know what I must do :)



Chris Shiflett wrote:
 Stut wrote:
   
 You could put a hash value into a hidden field on the form, and
 also store it in the session. When the form is submitted only
 accept it if the hashes match.

 However, this is very easy to get around, so I suggest you
 consider why you think you need this level of checking. Assuming
 you're properly validating and escaping all input coming from
 outside the app, IMHO this type of security should not be needed.
 

 It can be useful when you want to verify intent, which is an important
 consideration these days:

 http://shiflett.org/articles/cross-site-request-forgeries

 (I have an update that I need to publish, but this should be enough to
 explain the potential problems this technique can help prevent.)

 Chris
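
The hidden-field token described in the quoted replies above (a value stored in the session and echoed in the form, accepted only when both match), as an added example that is not part of the original thread. It assumes PHP 7 or later for random_bytes(); the names csrf_token, issue_token() and token_is_valid() are hypothetical.

```php
<?php
// Added example: per-session form token in a hidden field.
// csrf_token, issue_token() and token_is_valid() are hypothetical names.
session_start();

// Create the token once per session from a CSPRNG and keep it server-side.
function issue_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Accept a submission only if it carries the token stored in this session.
function token_is_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // Reject missing values and arrays (csrf_token[]=x) before comparing.
    if (!is_string($submitted) || $expected === '') {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Token matched: the POST came from a form served to this session.
    // Every field still needs its own validation and output escaping.
    $comment = is_string($_POST['comment'] ?? null) ? trim($_POST['comment']) : '';
    echo 'Accepted: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    exit;
}
$token = issue_token();
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="comment"></textarea>
  <button type="submit">Send</button>
</form>
```

Unlike HTTP_REFERER, the expected value never leaves the server except inside the form delivered to that session, so a request forged from another site cannot supply it.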

   




[PHP] Just say hello

2006-09-15 Thread AraDaen

Hi from Spain. This is my first post and I'm sure it won't be the last :)



AraDaen
