On Mon, Aug 17, 2009 at 5:31 PM, Shawn McKenzienos...@mckenzies.net wrote:
nashrul wrote:
This is a newbie question...
Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
submission from page1.php or page2.php will take user to page3.php.
I know that we can use parameter that is appended in the action attribute of
the form (e.g FORM METHOD=POST ACTION=tes.php?var1=val1)
But I think, appending this parameter is transparent to the user, since it's
visible in the url.
And I think we can also use the hidden field or (form name ??.).
So which one is most secured and better ??
Thanks..
I personally don't see a problem with using get or post vars, but to
keep the user from being able to manipulate it do this. This could also
be in a header file included at the top of all pages:
//page1.php and page2.php
session_start();
$_SESSION['page'] = $_SERVER['PHP_SELF'];
//page3.php
session_start();
$page = $_SESSION['page']
// use $page somehow . . .
--
Thanks!
-Shawn
http://www.spidean.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
This approach degrades very simply:
1) Say you have four pages, a.php, b.php, c.php and d.php.
2) b expects user to come from a, d from c.
3) I open two tabs, a.php and c.php.
4) $_SESSION['from'] is now c.php
5) I post to b from a, get an error. $_SESSION['from'] is now b.php.
6) I post to d from c and get an error.
Obviously this example is a tad bit contrived, but as long as your
user is browsing your site in more than one tab/window, using that
approach will break often and result in a user experience, so I'd
stick away from it.
As far as relying on cookies, HTTP headers, hidden form fields, etc.
they are all user input, and Lesson 1 in Security 101 that you don't
trust user input. Ever. I always assume that the best HTTP blackhats
are after my sites when I write them and make them unnecessarily
overthought, but they're secure. I even let a few
(black|white|grey)hat friends of mine take a peak at the code, when I
can, to get their input. If you can think of a way to exploit your
code, so can someone else. And so will someone else.
Generally speaking, I'm not entirely sure that this is a question that
even needs an answer. I'm going to have to echo a sentiment from
earlier in the thread that you need to be validating all of your data
anyway, so it shouldn't matter if I POST to page3 from page2 or from
page1 or from a CLI app written with curl/wget. What should matter is
whether or not the data I'm POST'ing meets the security criteria that
you've dictated (whatever that may be) and gets properly
escaped/filtered before being entered into the database or otherwise
used. I'd venture so far as to say that if you need to care about
where a form is POST'd from for security, you have a flawed security
model and in all likelihood a very insecure application and some
serious refactoring to do.
I can't imagine a situation where dictating page2 comes from page1 and
page3 comes from page2 is necessary for security at all. Perhaps I'm
being shortsited and you can provide some examples?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php