Ninjakreborn

Very Strange inquiry\question

Recommended Posts

I just realized something. I was building my script and trying to access a database variable on another page, and I realized something.
What I was under the impression was that when you have a form, for instance, and you click submit, all PHP variables are carried over to that page. I also thought that if you had a master page with, say, 10 includes, all with functions and variables, and then you have a form that submits to another page, that other page would have access to all of that. But it turns out that the form doesn't, and NOW I understand the need for hidden form fields. I was creating an admin page, and no matter what I couldn't get it to work on the same page, so I changed it over to its own page, but it wasn't reading my variables. I had to use a hidden form field. Why is it set up like this? I never noticed until recently.
Also, I had a security question.
If someone has a form, and it's going to something.php to get processed,
and on something.php it says:
[code]<?php
// something.php: the processor as described, which runs whenever the submit field is present
if (isset($_POST['submit'])) {
    // code to validate input
    // code to update a database, and possibly provide password information if the information was registered right
    // whatever
}
?>[/code]
Can't someone, even from another website, like my website
www.freelancebusinessman.com
(can't I create a page on my site, www.freelancebusinessman.com/test.php or .htm),
create a quick form
and have it going to that website, like
www.website.com/processors/something.php
as the action, if my form has the same submit name as the other processor?
Won't my form hijack the processor and start running script off of it? I don't see any safety precautions that could prevent my script from hijacking that script, because the only thing in the script is if (isset($variable)). So if the variable is set the script runs, period. Is this the case?

You can create a form on your site and set the action to send the data to another website's processing form. But you're not really hijacking their processing script; you're just sending data to it, as if you had used the form on their own site.

For example, put this code on your site:

[code]<!-- A form hosted on your site whose action points at another site's processor -->
<form action="http://www.weather.com/search/enhanced" method="get" name="whatwhere">
  <input type="hidden" name="whatprefs" value="">
  <input type="hidden" name="what" value="WeatherLocalUndeclared">
  <input type="hidden" name="lswe" value="">
  <input type="hidden" name="lswa" value="">
  <input type="hidden" name="from" value="whatwhere">
  <input type="text" name="where" value="Enter city or US zip" onfocus="this.value='';">
  <input type="submit" value="Search">
</form>[/code]
When you use the form, it is processed by the Weather Channel website.


As far as security goes, they should be smart enough to parse through any $_POST data that comes to that script, to clean out malicious code that could be sent. This is why server-side validation is important.

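As an added example (my code, not any poster's in this thread): a hypothetical processor written two ways, to show concretely what the reply above means. The first version does what the original question describes: it runs for any request that carries a "submit" field, no matter which site's form produced it. The second version accepts the request only if it carries a per-session token that our own form embedded as a hidden field, and then validates every field it uses. The same mechanism also answers the first post's "why hidden fields" question: every request is a separate HTTP transaction, so nothing from the page that rendered the form survives into the request except what travels in the form fields, the cookies, or server-side session state keyed by a cookie. The field names, the `$_SESSION['csrf_token']` key, the validation rules and the `update_database`/PDO placeholder are all assumptions of this example, not anything from the thread.

```php
<?php
// Added example, not code from the thread. "something.php" in two versions.
// Names such as csrf_token, $_SESSION['csrf_token'] and the validation rules
// are assumptions made for this example.
declare(strict_types=1);
session_start(); // server-side state tied to the visitor's session cookie

// --- Vulnerable version: any request with a "submit" field is processed,
// whether it came from our own form or from a form hosted on another site.
function process_vulnerable(array $post): string
{
    if (isset($post['submit'])) {
        // e.g. update_database($post['username'], $post['email']);
        return 'processed';
    }
    return 'ignored';
}

// --- Hardened version.
// 1. A secret token is generated once per session and embedded in OUR form as
//    a hidden field. A form on a third-party site cannot read our visitor's
//    session, so it cannot supply the right token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 2. The processor refuses the request unless the method is POST, the token
//    matches, and every field it uses passes server-side validation.
function process_hardened(array $post, string $method): string
{
    if ($method !== 'POST') {
        return 'rejected: method';
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so timing does not leak the token.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'rejected: bad or missing token';
    }
    $username = $post['username'] ?? '';
    if (!is_string($username) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return 'rejected: bad username';
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'rejected: bad email';
    }
    // Database write goes through a prepared statement; shown as a placeholder.
    // $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    // $stmt->execute([$username, $email]);
    return 'processed';
}

// The form we serve ourselves, carrying the token in a hidden field.
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form action="something.php" method="post">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="username">'
         . '<input type="text" name="email">'
         . '<input type="submit" name="submit" value="Register">'
         . '</form>';
}

// Demonstration with constructed input; no real requests are made.
if (PHP_SAPI === 'cli') {
    // What a form on another site could send: the right field names, no token.
    $foreign = ['submit' => 'Register', 'username' => 'eve', 'email' => 'eve@example.com'];
    echo 'vulnerable, foreign form: ', process_vulnerable($foreign), PHP_EOL;
    echo 'hardened, foreign form:   ', process_hardened($foreign, 'POST'), PHP_EOL;
    // What our own rendered form sends: the same fields plus the session token.
    $own = $foreign + ['csrf_token' => csrf_token()];
    echo 'hardened, own form:       ', process_hardened($own, 'POST'), PHP_EOL;
}
```

Two caveats worth knowing. Checking the Referer header instead of a token is not a substitute: browsers and proxies strip or omit it, and it is trivially forged by anything that is not a browser. And the real danger of the cross-site form is not an attacker submitting it themselves (they could just as well use the original site's form) but tricking a visitor who is already logged in to the target site into submitting it, since the browser attaches that visitor's cookies to the request; that is exactly the case the session-bound token closes.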
Ah, so that would also be the way to access stock exchange information from someone's server when they have a free service. Like if someone asked me to get updated stock exchange information, I could just access their website through a script like that. Thanks.
