jeff5656 Posted August 1, 2010

I have a PHP page that processes a form. How do I prevent someone from making their own form on their own domain and then saying <form method=post action="www.hackerdomain.com/bad.php"> and then passing their own variables? Do I set up a $session variable on my form page and assign it to $_SERVER["PHP_SELF"]?
sKunKbad Posted August 1, 2010

Even if you used a form token, all somebody would have to do is put that token into their form. You just have to validate everything that is posted. Do you know how to validate posted data?
magnetica Posted August 1, 2010

So long as you check the data with PHP, then everything should be OK. The only reason someone would make a copy of the form is to avoid client-side validation more easily. Plus, you can't stop them from doing so. After you filter the input, if you are going to output any tainted data, then it's always customary to escape the output before display. Filter input, then escape output, and all your security problems will go away, apart from some more complex web security issues.
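The "validate everything that is posted" and "filter input, then escape output" advice from the two replies above, as an added example that is not code from anyone in this thread. It assumes a contact form with the fields name, email, age and topic (all assumed names), validates each one server-side with no reliance on what the browser was supposed to enforce, and escapes the cleaned values before echoing them back into HTML. The sample input at the bottom is constructed to look like what a hand-built form might send.

```php
<?php
// Added example (not from the thread). Server-side validation of a posted
// form plus escaping on output. Field names are assumptions.

/**
 * Validate the raw $_POST array. Returns [clean values, error messages].
 * Every field is checked here; a client-side check is only a convenience.
 */
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = [];

    // Free-text field: required, bounded length.
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 60) {
        $errors['name'] = 'Name is required and must be at most 60 characters.';
    } else {
        $clean['name'] = $name;
    }

    // E-mail: let PHP's filter decide, never a hand-written regex.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    // Integer with a range; "999" or "12abc" are rejected outright.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    } else {
        $clean['age'] = $age;
    }

    // Select field: re-check against the allowed list, because a copied form
    // can submit any value, not just the options you rendered.
    $allowedTopics = ['support', 'sales', 'other'];
    $topic = (string) ($post['topic'] ?? '');
    if (!in_array($topic, $allowedTopics, true)) {
        $errors['topic'] = 'Unknown topic.';
    } else {
        $clean['topic'] = $topic;
    }

    return [$clean, $errors];
}

/** Escape a string for insertion into HTML element content or attributes. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render the confirmation; every tainted value passes through e(). */
function render_confirmation(array $clean): string
{
    return '<p>Thanks, ' . e($clean['name']) . ' (' . e($clean['email']) . '), '
         . 'we will reply about ' . e($clean['topic']) . '.</p>';
}

// --- Demonstration with constructed input (not real traffic) ---------------
$sample = [
    'name'  => '<script>alert(1)</script>',
    'email' => 'not-an-email',
    'age'   => '999',
    'topic' => 'admin',
];
[$clean, $errors] = validate_contact($sample);
print_r($errors); // email, age and topic are rejected; name is accepted as text

$good = ['name' => 'Jeff <Example>', 'email' => 'jeff@example.com',
         'age' => '42', 'topic' => 'support'];
[$clean, $errors] = validate_contact($good);
if ($errors === []) {
    echo render_confirmation($clean), PHP_EOL;
    // The "<" in the name is emitted as &lt;, so it cannot start a tag.
}
```

Run it with the PHP CLI; the first print_r shows three errors and the second branch prints the escaped confirmation line. The point is that the validation reads only the posted values, so it behaves identically whether the request came from your own form or from one rebuilt on another domain.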
jeff5656 (Author) Posted August 1, 2010

But let's say I want to update a user's profile <input name="id" type="hidden"> and when I process it I do: $id = mysql_escape_string($_POST['id']); then update the table WHERE id = $id. How can I prevent someone from making a new form and using a different id in the hidden field?
PFMaBiSmAd Posted August 1, 2010

"I want to update a user's profile"

You would have an authentication system that both requires that the current visitor be logged in and that he have the necessary privileges to update the profile that the id belongs to. He would either need to be logged in as the user that owns the profile or as an administrator to your site.
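The authorization check PFMaBiSmAd describes, as an added example that is not code from the thread. It assumes a login step elsewhere has already stored the visitor's id and admin flag in $_SESSION (keys user_id and is_admin, both assumed names) and a users table with columns id and display_name (also assumed). The hidden id from the form is treated as untrusted input: it is validated as an integer and then compared against the session, and the update itself uses a PDO prepared statement instead of mysql_escape_string(). The demo at the bottom uses an in-memory SQLite database and a constructed session so it runs offline.

```php
<?php
// Added example (not from the thread). Authorise a profile update against
// the server-side session rather than the hidden field the form carried.

/** Identity of the current visitor, taken from the session only. */
function current_user(array $session): ?array
{
    if (empty($session['user_id'])) {
        return null; // not logged in
    }
    return [
        'id'       => (int) $session['user_id'],
        'is_admin' => !empty($session['is_admin']),
    ];
}

/** The session says who you are; the form only says which row you asked for. */
function can_edit_profile(array $user, int $targetId): bool
{
    return $user['is_admin'] || $user['id'] === $targetId;
}

/**
 * Process the posted update. Returns the HTTP status that should be sent:
 * 401 not logged in, 400 bad input, 403 not allowed, 200 updated.
 */
function handle_profile_update(PDO $pdo, array $post, ?array $user): int
{
    if ($user === null) {
        return 401;
    }

    // Validate the hidden id as a positive integer before using it anywhere.
    $targetId = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($targetId === false) {
        return 400;
    }

    if (!can_edit_profile($user, $targetId)) {
        return 403; // someone else's id in the hidden field
    }

    $name = trim((string) ($post['display_name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 50) {
        return 400;
    }

    // Prepared statement: the values never become part of the SQL text.
    $stmt = $pdo->prepare('UPDATE users SET display_name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => $targetId]);
    return 200;
}

// --- Demonstration with a constructed database and session -----------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'jeff'), (2, 'someone else')");

// In production this comes from session_start() after a real login.
$fakeSession = ['user_id' => 1, 'is_admin' => false];
$user = current_user($fakeSession);

// A rebuilt form that swaps the hidden id for another user's id: refused.
echo handle_profile_update($pdo, ['id' => '2', 'display_name' => 'pwned'], $user), PHP_EOL; // 403

// The user's own id: accepted.
echo handle_profile_update($pdo, ['id' => '1', 'display_name' => 'Jeff'], $user), PHP_EOL;  // 200

// Nobody logged in at all: refused before the id is even looked at.
echo handle_profile_update($pdo, ['id' => '1', 'display_name' => 'x'], null), PHP_EOL;      // 401

echo implode(', ', $pdo->query('SELECT display_name FROM users ORDER BY id')
                       ->fetchAll(PDO::FETCH_COLUMN)), PHP_EOL; // Jeff, someone else
```

For the common case where a user may only ever edit their own profile, the hidden id can be dropped entirely and the UPDATE scoped with WHERE id = the session's user_id; the check above is the more general form that also lets an administrator edit other accounts. A per-session form token is still worth adding, but it guards against a logged-in user being tricked into submitting a foreign form, not against a user sending crafted values on their own behalf, which is why the authorization check cannot be replaced by one.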