Very Strange inquiry/question

#1 Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age: 33

Posted 10 July 2006 - 01:40 PM

I just realized something. I was building my script and trying to access a database variable on another page, and I just realized something.
I was under the impression that when you have a form, for instance, and you click submit, all PHP variables are carried over to that page. I also thought that if you had a master page with, say, 10 includes, all with functions and variables, and then a form that submits to another page, that other page would have access to all of that. But it turns out the form doesn't, and NOW I understand why there is a need for hidden form fields. I was creating an admin page, and no matter what I couldn't get it to work on the same page, so I changed it over to its own page, but it wasn't reading my variables; I had to use a hidden form field. Why is it set up like this? I never noticed until recently.
Also, I had a security question.
If someone has a form, and it's going to something.php to get processed,
and on something.php it says

if (isset($submitorsomeothervariable)) {
    // code to validate input
    // code to update a database, and possibly provide password information if the information was registered right
    // whatever
}

can't someone from even another website, like my website
www.freelancebusinessman.com
Can't I create a page on my site, www.freelancebusinessman.com/test.php or .htm,
and then create a quick form
and have it going to that website, like
www.website.com/processors/something.php
as my action, if my form has the same submit name as the other processor?
Won't my form hijack the processor and start running script off of it? I don't see any safety precautions that could prevent my script from hijacking that script, because the only thing in the script is if(isset($variable)). So if the variable is set, the script runs, period. Is this the case?

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#2 micah1701
  • Members
  • Advanced Member
  • 613 posts
  • Location: Ellington, CT USA

Posted 10 July 2006 - 01:57 PM

You can create a form on your site and set the action to send the data to another website's processing form. But you're not really hijacking their processing script - you're just sending data to it, as if you had used the form on their own site.

For example, put this code on your site:
<FORM ACTION="http://www.weather.com/search/enhanced" METHOD="get" NAME="whatwhere">
<INPUT TYPE="hidden" NAME="whatprefs" VALUE="">
<INPUT TYPE="hidden" NAME="what" VALUE="WeatherLocalUndeclared">
<INPUT TYPE="hidden" NAME="lswe">
<INPUT TYPE="hidden" NAME="lswa">
<INPUT TYPE="hidden" NAME="from" VALUE="whatwhere">
<INPUT TYPE="TEXT" NAME="where" VALUE="Enter city or US zip"  onFocus="this.value='';">
</form>
When you use the form, it processes on the Weather Channel website.


As far as security goes, they should be smart enough to parse through any $_POST data that comes to that script, to clean out malicious code that could be sent. This is why server-side validation is important.
"Confidence in the face of risk."
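As an added example (my code, not posted by either participant): the processor pattern the question describes, beside a version that ties each form to the visitor's own session with a random token. The file name something.php, the field names, the session array layout and the username rule are assumptions for illustration. A form hosted on another site can still POST to the script, but it cannot read the token stored in the victim's session, so the hardened branch refuses it; server-side validation of the fields themselves is still done afterwards, because a visitor can always submit to the script directly with their own session.

```php
<?php
// Added example, not from the original thread. Assumed: this file is the
// form processor (something.php) and the field names used below.

declare(strict_types=1);

// --- The pattern from the question: any request carrying a field named
// 'submit' runs this branch, no matter which site hosted the form.
function naiveProcessor(array $post): string
{
    if (isset($post['submit'])) {
        return 'processed ' . ($post['username'] ?? '');
    }
    return 'ignored';
}

// --- Hardened: issue a per-session random token, embed it as a hidden
// field, and refuse any submission whose token does not match.
function issueToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function renderForm(array &$session): string
{
    $token = htmlspecialchars(issueToken($session), ENT_QUOTES, 'UTF-8');
    return '<form action="something.php" method="post">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="username">'
         . '<input type="submit" name="submit" value="Save">'
         . '</form>';
}

function hardenedProcessor(array $session, array $post): string
{
    if (!isset($post['submit'])) {
        return 'ignored';
    }
    // The token must exist in BOTH the session and the request, and match.
    // hash_equals() compares in constant time; is_string() guards against
    // an attacker sending csrf_token[]=... to turn the value into an array.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'rejected: bad or missing token';
    }
    // Server-side validation of the real input, as the reply recommends
    // (assumed rule: 3-32 characters, letters, digits and underscore only).
    $username = $post['username'] ?? '';
    if (!is_string($username) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return 'rejected: invalid username';
    }
    return 'processed ' . $username;
}

// Self-check when run from the command line (php something.php).
// In a web deployment: session_start(); then pass $_SESSION and $_POST.
if (PHP_SAPI === 'cli') {
    $session = [];
    renderForm($session);   // the victim loads the genuine form first

    // Constructed requests: one from the genuine form, one from a form on
    // another site that copied the field names but cannot know the token.
    $legit   = ['submit' => '1', 'username' => 'alice', 'csrf_token' => $session['csrf_token']];
    $foreign = ['submit' => '1', 'username' => 'alice'];
    $badName = ['submit' => '1', 'username' => '<b>x</b>', 'csrf_token' => $session['csrf_token']];

    echo 'naive, foreign form:    ', naiveProcessor($foreign), PHP_EOL;
    echo 'hardened, foreign form: ', hardenedProcessor($session, $foreign), PHP_EOL;
    echo 'hardened, genuine form: ', hardenedProcessor($session, $legit), PHP_EOL;
    echo 'hardened, bad input:    ', hardenedProcessor($session, $badName), PHP_EOL;
}
```

The token only solves the "someone else's form drives my script on behalf of my logged-in user" problem; it does nothing about the data itself, which is why the username check stays. Modern browsers also let you mark the session cookie SameSite, which keeps it off cross-site POSTs in the first place, but the token check works regardless of browser.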

#3 Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age: 33

Posted 10 July 2006 - 02:08 PM

Ah, so that would also be the way to access stock exchange information from someone's server when they have a free service. Like if someone asked me to get updated stock exchange information, I could just access their website through a script like that. Thanks.
