Re: [PHP] Form Handler Script Security Discussion

2007-04-01 Thread Richard Lynch
On Thu, March 29, 2007 10:06 am, Daniel Brown wrote: Just wondering how many of you actually use any type of secure coding when doing form processing. Always. For all new code. I can't possibly go back and re-write every script everywhere I ever wrote over the past decade, though...

Re: [PHP] Form Handler Script Security Discussion

2007-04-01 Thread Richard Lynch
On Thu, March 29, 2007 10:25 am, cajbecu wrote: And even then, some smart programmers are probably going to find a way to read your image code :) that, of course, if your app will be an interface to client's bank account, with online management. :) One does have to balance Risk with the

[PHP] Form Handler Script Security Discussion

2007-03-29 Thread Daniel Brown
Just wondering how many of you actually use any type of secure coding when doing form processing. I'm guilty of not doing it all the time myself, but I'm trying to get into the habit of doing so. For example, I don't want someone else modifying a form to auto-post values to my handler, so I

Re: [PHP] Form Handler Script Security Discussion

2007-03-29 Thread cajbecu
<?php
if($_POST && eregi(getenv("SERVER_NAME"), getenv("HTTP_REFERER"))) {
    // This is a safe POST
} elseif(!eregi(getenv("SERVER_NAME"), getenv("HTTP_REFERER"))) {
    die("Illegal access. Your IP has been logged.\n");
}
?>
it is not safe. i can use curl (www.php.net/curl) and modify

Re: [PHP] Form Handler Script Security Discussion

2007-03-29 Thread Arpad Ray
Many legitimate users will have their referrer blocked by proxies or by browser preference so you'll also have false negatives. Arpad cajbecu wrote:
<?php
if($_POST && eregi(getenv("SERVER_NAME"), getenv("HTTP_REFERER"))) {
    // This is a safe POST
}

Re: [PHP] Form Handler Script Security Discussion

2007-03-29 Thread Tijnema !
On 3/29/07, cajbecu [EMAIL PROTECTED] wrote:
<?php
if($_POST && eregi(getenv("SERVER_NAME"), getenv("HTTP_REFERER"))) {
    // This is a safe POST
} elseif(!eregi(getenv("SERVER_NAME"), getenv("HTTP_REFERER"))) {
    die("Illegal access. Your IP has been logged.\n");
}
?>
it is not safe.

Re: [PHP] Form Handler Script Security Discussion

2007-03-29 Thread cajbecu
And even then, some smart programmers are probably going to find a way to read your image code :) that, of course, if your app will be an interface to client's bank account, with online management. :) cajb.

Re: [PHP] Form Handler Script Security Discussion

2007-03-29 Thread tg-php
Good topic. It's touched on here and there in other questions, but always good to hit it head-on from time to time too. First, mysql_real_escape_string() for inserting into MySQL and whatever equiv you can find for whatever other database you may be using. addslashes() isn't so hot for

Re: [PHP] Form Handler Script Security Discussion

2007-03-29 Thread tg-php
You can pass session ID data via the URL. Ugly as it is, that's a viable option (that I see used a lot actually.. kinda drives me nuts but I understand it) for when you don't have people logging in and/or can't guarantee that cookies will be available. As was mentioned a few times, CAPTCHA

Re: [PHP] Form Handler Script Security Discussion

2007-03-29 Thread tedd
At 5:18 PM +0200 3/29/07, Tijnema ! wrote: I've discussed the problems with using image code (CAPTCHA) in another post on this list. So then you would create a script of 100+ lines to do it :) And even then, some smart programmers are probably going to find a way to read your image code :)