[PHP] Form security

2001-05-24 Thread phpman

Since nobody answered my last question (or any of them for that matter), let
me rephrase it a little differently.

Other than checking the referer (to make sure the posted data came from the
right page) and user agent (to see if it exists), is there any other way to
secure a form from having other forms submitting to it?

-dave



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] Form security

2001-05-24 Thread James Stevens

Another way to do this is to have a form element with an odd name and value
that you can check for before processing the post. This is not too secure if
someone knows the name and value though. In that case you can use the
referer _and_ a unique element name and value that is related to the
referer. Checking for these items before processing the form should be
pretty good.

James

-Original Message-
From: phpman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 10:04 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Form security


Since nobody answered my last question (or any of them for that matter), let
me rephrase it a little differently.

Other than checking the referer (to make sure the posted data came from the
right page) and user agent (to see if it exists), is there any other way to
secure a form from having other forms submitting to it?

-dave







Re: [PHP] Form security

2001-05-24 Thread Peter Dudley

Are you using sessions?  You can register a tracking variable on the form
page and then check that variable on the processing page.  If the posted
data comes from any page other than the one that you want it to, the
variable will not be set.  Not 100% sure, but I think this covers what
you've asked.

Pete.

phpman [EMAIL PROTECTED] wrote in message news:9ejeqp$gm7$[EMAIL PROTECTED]...
 Other than checking the referer (to make sure the posted data came from
 the right page) and user agent (to see if it exists), is there any other
 way to secure a form from having other forms submitting to it?

 -dave








Re: [PHP] Form security

2001-05-24 Thread mheumann

Hi,
you could use an additional parameter containing a checksum of the entire
URL, that you check at the beginning.  Of course, somebody with the right
motivation could find out your checksum scheme (I would use a subset of the
md5 function), but at least it won't be simple anymore.
You could also use a Session ID that you generate somewhere on your site
(usually the start page). You pass that along to the form and check it for
validity. PHP 4 supports sessions.
Hope this helps.
Greetings,
Michael.


 Since nobody answered my last question (or any of them for that matter),
 let me rephrase it a little differently.
 
 Other than checking the referer (to make sure the posted data came from
 the right page) and user agent (to see if it exists), is there any other
 way to secure a form from having other forms submitting to it?
 
 -dave
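
Added example (not part of any post in this thread): the session-based check that Peter Dudley's and Michael's replies describe, written out in PHP. It assumes PHP 7 or later; the function names, the `form_tokens` session key and the 15-minute lifetime are hypothetical.

```php
<?php
// Added example, not from the thread. Function names, the 'form_tokens'
// session key and the 15-minute lifetime are assumptions.
// Requires PHP 7+ (random_bytes, hash_equals).

const TOKEN_TTL = 900; // seconds a rendered form stays valid (assumed)

// Form page: create a random token, remember it server-side, and
// return it for embedding in a hidden <input>.
function issue_form_token(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$formId] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Processing page: accept the POST only if it carries the token this
// session was given for this form. Tokens are single-use.
function verify_form_token(array &$session, string $formId, $posted): bool
{
    $stored = $session['form_tokens'][$formId] ?? null;
    unset($session['form_tokens'][$formId]); // consume whether or not it matches
    if (!is_array($stored) || !is_string($posted)) {
        return false; // no token issued, or field missing / sent as an array
    }
    if (time() - $stored['issued'] > TOKEN_TTL) {
        return false; // form was rendered too long ago
    }
    return hash_equals($stored['value'], $posted); // constant-time compare
}

// Constructed walk-through. In a web request, call session_start() and
// pass $_SESSION and $_POST['token'] instead of these local arrays.
$session = [];
$token = issue_form_token($session, 'contact');
echo '<input type="hidden" name="token" value="' . htmlspecialchars($token) . '">', PHP_EOL;

var_dump(verify_form_token($session, 'contact', $token)); // genuine submit
var_dump(verify_form_token($session, 'contact', $token)); // replay of the same token
$other = [];                                               // a session that never loaded the form
var_dump(verify_form_token($other, 'contact', $token));
```

A matching token shows only that the submitting browser loaded the form in the same session, so it blocks forms on other pages from posting on a user's behalf. It does not distinguish a scripted client that requests the form page first, which is why endpoints that need that distinction add authentication or rate limiting.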






Re: [PHP] Form security

2001-05-24 Thread phpman


I'm not trying to keep my script secure, I'm trying to get into another
script, using cURL. I sent all of the POST fields, set my REFERER to be
their referer page, even set my AGENT to be IE 5 on a Win2K box. Damn script
is still not returning the right screen. When I copy the HTML code to my
machine and run it locally (adjusting the FORM ACTION= to the remote script
url) it works. I can even change the same form around and point it to one of
my scripts that prints every POST var out, I got them all. I checked for
cookies - none.

I'm not doing this to do anything illegal. I'm trying to link with this
script...
http://wwwapps.ups.com/servlet/QCCServlet
to get shipping info (their XML integration is impossible with PHP - PHP
cannot do it). This makes no sense to me, I can't think of anything I'm
missing. I've gone through my code for typos and case sensitivities - even
the order the POST vars are sent in is the same!

Aauuugg!

-dave

phpman [EMAIL PROTECTED] wrote in message news:9ejeqp$gm7$[EMAIL PROTECTED]...
 Since nobody answered my last question (or any of them for that matter),
 let me rephrase it a little differently.

 Other than checking the referer (to make sure the posted data came from
 the right page) and user agent (to see if it exists), is there any other
 way to secure a form from having other forms submitting to it?

 -dave


