bulgin Posted March 19, 2009 Share Posted March 19, 2009 I have just spent much time constructing an application only to find out that if I use Tamper Data I can forge input values to the database for fields that were supposed to be 'read only'. What is the general methodology for preventing a user from inputting values through a tool like 'Tamper Data'? If I ssl enable the site would that help? Thanks. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 19, 2009 Share Posted March 19, 2009 All external data cannot be trusted and must be validated once it reaches the web server to make sure it is what you expect. If you are doing something like passing important data using hidden fields in forms, that data must be validated and if you expect it to be safe from tampering, you should not pass it through the browser but should instead pass it through session variables so that it is not in the hands of the visitor/hacker. If you have a specific problem, post details to get the most direct solution. Quote Link to comment Share on other sites More sharing options...
bulgin Posted March 19, 2009 Author Share Posted March 19, 2009 Thanks for your reply, PFMaBiSmAd. I'm not much of a php or mysql guru but understand basic principles. So if I wrap values in variables then that information won't be visibly sent to the browser? Put another way, what is the general method of passing data to session variables from my application? And if I do that, you are saying this information -- in my case MySQL field names are visible in the 'tamper data' application -- will no longer show up in the 'tamper data' application? Thank you. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.