bill bratske Posted May 24, 2009

I'm working on filtering form data according to the PHP Security Consortium's http://phpsec.org/projects/guide/1.html#1.2 recommendations, and I had a question about it. Is it good form to do the form filtering this way?

```php
<?php
// Filter form data
switch ($_POST['form']) {
    case 'thisform':
        $allowed = array();
        $allowed[] = 'form';
        $allowed[] = 'x';
        $allowed[] = 'y';
        $sent = array_keys($_POST);
        if ($allowed != $sent) {
            // redirect away
            header("Location: login-failure.php");
            exit();
        }
        break;
} // end switch

// Rest of code that processes data including..
$x = $_POST['x'];
$y = $_POST['y'];
```

The reason I ask is because I was doing it this way, and then it occurred to me that maybe the form could still be spoofed using the same form that just didn't include the value 'thisform' in the hidden 'form' input field... What I mean is, if the form didn't include 'thisform' and never made the criteria for the case statement to process it, would the page just accept the fake form because the rest of the page processes anyway? Thanks.
bill bratske Posted May 24, 2009 (Author)

OK, I'm an idiot. I was right that it will process a fake form; I don't know why I didn't just set up a test before I posted... I'm trying to mark this solved but I can't figure out how... lol
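The fall-through the two posts describe (a submission with no matching 'form' value skips the whitelist check entirely) goes away if the check fails closed. As an added example, not the poster's code, here is one way to write it in PHP, assuming a hypothetical $forms registry and a filter_form() helper; the submissions at the bottom are constructed so it runs from the CLI without a web server:

```php
<?php
// Added example (not the poster's code): whitelist-based form filtering that
// fails closed, so a submission that omits or changes the hidden 'form' field
// is rejected instead of falling through to the processing code.

// Hypothetical registry: each form name maps to exactly the fields it may send.
$forms = array(
    'thisform'  => array('form', 'x', 'y'),
    'otherform' => array('form', 'username', 'password'),
);

// Returns the filtered fields on success, or null when the submission must be
// rejected (unknown form, or the set of sent keys differs from the whitelist).
function filter_form(array $post, array $forms)
{
    if (!isset($post['form']) || !is_string($post['form'])) {
        return null;                         // no form identifier: reject
    }
    if (!array_key_exists($post['form'], $forms)) {
        return null;                         // unknown form identifier: reject
    }
    $allowed = $forms[$post['form']];
    $sent    = array_keys($post);
    // Compare as sets; the original code's != comparison also depended on order.
    sort($allowed);
    sort($sent);
    if ($allowed !== $sent) {
        return null;                         // extra or missing fields: reject
    }
    // Only whitelisted keys reach the rest of the script.
    return array_intersect_key($post, array_flip($allowed));
}

// Constructed submissions standing in for $_POST.
$genuine = array('form' => 'thisform', 'x' => '1', 'y' => '2');
$spoofed = array('x' => '1', 'y' => '2');                          // hidden field dropped
$padded  = array('form' => 'thisform', 'x' => '1', 'y' => '2', 'admin' => '1');

foreach (array('genuine' => $genuine, 'spoofed' => $spoofed, 'padded' => $padded) as $label => $post) {
    $clean = filter_form($post, $forms);
    if ($clean === null) {
        // In a web context this is where header("Location: login-failure.php"); exit(); belongs.
        echo "$label: rejected\n";
    } else {
        echo "$label: accepted with fields " . implode(',', array_keys($clean)) . "\n";
    }
}
```

Only the genuine submission is accepted; the spoofed one (no 'form' field) and the padded one (an extra 'admin' field) are both rejected before any processing code sees them.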