Jump to content

security question regarding processing forms


jeff5656

Recommended Posts

I have a php page that processes a form.  How do I prevent someone from making their own form on their own domain and then saying <form metod=post action = "www.hackerdomain.com/bad.php">

 

and then passing their own variables?

 

Do I set up a $session variable on my form page and assign it to  $_SERVER["PHP_SELF"]?

Link to comment
Share on other sites

So long as you check the data with PHP then everything should be ok. The only reason someone would make a copy form is to avoid client side validating easier. Plus you can't stop them from  doing so..

 

After you filter the input, if you are going to output any tainted data then its always customary to escape the output before display..

 

Filter Input then Escape Output... and all your security problem will go away. Apart from some more complex websecurity issues

Link to comment
Share on other sites

But lets say I want to update a user's profile

<input name="id" type = hidden>

 

and when I process it i do:

 

$id = mysql_escape_string($_POST['id'];

 

then update the table WHERE id = $id.

 

How can I prevent someone from making a new form and using a different id in the hidden field?

Link to comment
Share on other sites

I want to update a user's profile

 

You would have an authentication system that both requires that the current visitor be logged in and that he have the necessary privileges to update the profile that the id belongs to. He would either need to be logged in as the user that owns the profile or as a administrator to your site.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.