- cosmic foo
July 19, 2005, 3:42 pm
can be posted, it's up to the receiving page
to deal with what it receives?
So one may as well assume that a hacker
can figure out what a page expects or
doesn't expect to receive, and post
whatever they feel like trying.
So it would be incorrect to assume that
just because someone cannot get to a page,
that they cannot post to the page that it posts to.
So it's important to put as much security as
possible into the page being posted to, and
thinking that hidden form fields are actually
hiding anything is a mistake, and creating any
sort of generic post page that updates records
in a database may be impossible to secure.
At the very least, one should verify that the
current user has the right to update a particular
record in a particular table, and then one
might want to keep an audit trail, as well as
take some measure to inhibit page scraping.
Re: posting form info to a page
I disagree. Every server-side application/script
must sanitize and validate its input. All variables.
It should check the input is syntactically correct
(eg. only numbers) and it has a correct meaning
(eg. a valid email address).
Additionally, you may authenticate users before they
submit data to your database, so that you can
track your rude users down.
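The two posts above agree on the essentials: the receiving page cannot trust anything in the request, a hidden field hides nothing, and the page that writes to the database must validate every field and check that the logged-in user is allowed to touch the record named in the form. The following is an added example written for this thread, not code from either poster. It assumes a hypothetical `profiles` table, a `session_user` value taken from the server-side session rather than the form, and constructed sample data; it validates each field syntactically and semantically, ignores any extra (hidden) fields the client sends, refuses updates to records the user does not own, and keeps an audit trail of both denied and successful attempts.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Syntactic checks: what a field may look like. Semantic checks follow in the handler.
ID_RE = re.compile(r"^[0-9]{1,9}$")  # a record id is a short decimal number, nothing else
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


class RejectedInput(ValueError):
    """Raised when a posted field fails validation; the request goes no further."""


def build_db():
    """Constructed sample database (in memory): two profiles owned by two users.
    The schema is an assumption made for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, email TEXT NOT NULL)")
    db.execute("CREATE TABLE audit (ts TEXT, actor TEXT, record_id INTEGER, outcome TEXT, detail TEXT)")
    db.executemany("INSERT INTO profiles VALUES (?, ?, ?)",
                   [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    db.commit()
    return db


def audit(db, actor, record_id, outcome, detail):
    """Append one audit row. Denied attempts are recorded too: they are the
    interesting ones when someone is probing the page."""
    db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
               (datetime.now(timezone.utc).isoformat(), actor, record_id, outcome, detail))


def validate(form):
    """Check every field the handler intends to use, first its syntax, then its meaning.
    Fields not on this list (for instance a hidden 'owner' field) are simply ignored,
    so the client gains nothing by adding or altering them."""
    raw_id = form.get("id", "")
    if not ID_RE.fullmatch(raw_id):
        raise RejectedInput("id must be a decimal number")
    record_id = int(raw_id)
    if record_id == 0:
        raise RejectedInput("id must be positive")
    email = form.get("email", "").strip()
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise RejectedInput("email is not a valid address")
    return record_id, email


def update_email(db, session_user, form):
    """Handle a posted update. session_user comes from the authenticated session,
    never from the form. Returns True if the row was updated, False if the caller
    is not allowed to touch that record (or it does not exist)."""
    record_id, email = validate(form)
    row = db.execute("SELECT owner FROM profiles WHERE id = ?", (record_id,)).fetchone()
    if row is None or row[0] != session_user:
        audit(db, session_user, record_id, "denied", "not the owner of the record")
        db.commit()
        return False
    # Repeat the ownership condition in the UPDATE itself, so a change of ownership
    # between the SELECT and the UPDATE cannot widen what gets written.
    cur = db.execute("UPDATE profiles SET email = ? WHERE id = ? AND owner = ?",
                     (email, record_id, session_user))
    outcome = "updated" if cur.rowcount == 1 else "denied"
    audit(db, session_user, record_id, outcome, "email -> " + email)
    db.commit()
    return outcome == "updated"


def email_of(db, record_id):
    """Helper for inspection: the email currently stored for a record."""
    return db.execute("SELECT email FROM profiles WHERE id = ?", (record_id,)).fetchone()[0]


def audit_outcomes(db):
    """Helper for inspection: the audit trail as (actor, record_id, outcome) tuples."""
    return db.execute("SELECT actor, record_id, outcome FROM audit ORDER BY rowid").fetchall()


if __name__ == "__main__":
    db = build_db()
    # bob is logged in, but posts alice's id plus a forged hidden 'owner' field
    print(update_email(db, "bob", {"id": "1", "email": "evil@example.com", "owner": "alice"}))
    print(email_of(db, 1))
    # alice, the real owner, updates her own record
    print(update_email(db, "alice", {"id": "1", "email": "alice.new@example.com"}))
    print(email_of(db, 1))
```

The point of the example is where the authorization decision is taken: the record id comes from the form, but the identity it is checked against comes from the session, and the check is made against the database row rather than against anything the browser sent. Whether the user could reach the form page is irrelevant, since the update handler is reachable by any client that can construct a POST.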