safe form...



Suppose you want to make sure submitted data is coming from "your" form and
not submitted (with tools) elsewhere.
What do I need to prevent false/hacked/spoofed data?

- register globals  = off;
- use  $_HTTP["POST"]
- check referrer with  $_SERVER["HTTP_REFERER"]

Are these settings 'air tight'? Or (and how?) can they be overruled /


Re: safe form...

Marco wrote:

You need to learn how to cross post and not multi post. That way when
people reply to your post it goes to all the groups you posted to and
you end up with one discussion thread instead of many...

Here's my reply to your message in alt.comp.lang.php:


$_HTTP["POST"] isn't a valid variable - you want $_POST["var_name_here"]


Unfortunately you cannot rely on $_SERVER["HTTP_REFERER"] as it can be
blocked/unset by browser settings and other 3rd party software such as
anti spy software, privacy software, ad blocking software etc. In some
cases this is set to be blank and in other cases the site's domain

And if someone is trying to see if they can do stuff to your site/server
through a form post they'd quite easily be able to fake the referer
anyway and make it look like they were posting from your page.


You could make the user enter the string value contained in a generated
image and the value of the image is stored in a hidden field using a
hashing algorithm like md5. When the form is submitted you compare the
hash of their string with the hidden field. There are downsides to this
as it can mean people are put off completing the form altogether and
there are accessibility issues as well.

Chris Hope - The Electric Toolbox - /
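The image-string check Chris describes, written out as an added example (this is not code from the thread). It reads the answer from $_POST and ignores HTTP_REFERER; the one deliberate change is that the expected value is kept in the server-side session rather than as an md5 in a hidden field, because a hidden hash of a short string can be brute-forced offline by whoever is submitting. challenge_image.php is an assumed placeholder for the script that draws $_SESSION['challenge'].

```php
<?php
// Added example: "type the text shown in the image" check with the expected
// value stored server-side in the session instead of a hashed hidden field.
session_start();

// Build a short random challenge; ambiguous characters (0/O, 1/I) are left out.
function make_challenge(int $length = 6): string
{
    $alphabet = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Compare the typed answer with the stored challenge in constant time.
function verify_challenge(string $answer, ?string $expected): bool
{
    if ($expected === null || $expected === '') {
        return false;                       // no outstanding challenge
    }
    return hash_equals($expected, strtoupper(trim($answer)));
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read the field from $_POST (there is no $_HTTP["POST"]); the referer is
    // not consulted at all. Reject non-string input such as challenge_answer[].
    $raw      = $_POST['challenge_answer'] ?? '';
    $answer   = is_string($raw) ? $raw : '';
    $expected = $_SESSION['challenge'] ?? null;
    unset($_SESSION['challenge']);          // one attempt per issued challenge
    $message = verify_challenge($answer, $expected)
        ? 'Form accepted.'
        : 'The text did not match the image; please try again.';
}

// Issue a fresh challenge for the form rendered below. challenge_image.php is a
// placeholder for a script that reads $_SESSION['challenge'] and draws it (e.g. GD).
$_SESSION['challenge'] = make_challenge();
?>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<form method="post" action="">
  <img src="challenge_image.php" alt="Type the characters shown in the image">
  <input type="text" name="challenge_answer" autocomplete="off">
  <input type="submit" value="Send">
</form>
```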

Re: safe form...

You're right, Chris.

Thanx for your reply though :-)


