matfish Posted September 18, 2006

Hi,
I'm trying to tighten up security on a login system and invoices.
Using GET, a user can type in crap in the address bar and maybe spoof an id that displays someone else's invoice.
If using POST - is this still possible? Can you spoof it and accidentally bring up an invoice (for example) if it only requires an invoice number?

Many thanks

ToonMariner Posted September 18, 2006

Everything is sent by headers - you can manipulate these headers to your own ends.
Somebody may even be so determined as to save the source code of your page, alter it a little and use that to send the request.
There isn't much you can do to stop them trying - it's what you do to stop them succeeding that counts.

The main worry is probably mysql injection - so on fields where that info is used in a query, use mysql_escape_real_string to remove any potential injection attacks.

matfish Posted September 18, 2006

What's an injection attack? How is it done / stopped?
Many thanks - doing a bit of googling about it now...
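
An added example, not code from any poster in this thread: an invoice lookup that treats the id the same whether it arrives by GET or POST, ties the invoice to the logged-in user, and keeps the value out of the SQL text. It uses PDO prepared statements instead of the escaping function mentioned above; the table layout, sample rows and the helper name fetchInvoiceForUser are assumptions made for the example.

```php
<?php
// Constructed schema and data in an in-memory SQLite database, so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER, total TEXT)');
$db->exec("INSERT INTO invoices VALUES (1001, 7, '120.00'), (1002, 8, '75.50')");

/**
 * Hypothetical helper: return the invoice only if it belongs to the logged-in user.
 * $rawId is whatever arrived in $_GET or $_POST; both are equally client-controlled.
 */
function fetchInvoiceForUser(PDO $db, int $sessionUserId, $rawId): ?array
{
    // Accept only a plain non-negative integer string; reject everything else up front.
    if (!is_string($rawId) || !ctype_digit($rawId)) {
        return null;
    }
    // Bound parameters keep the value as data, never as part of the SQL text.
    // The user_id condition is the authorization check: knowing or guessing
    // an invoice number is not enough to read it.
    $stmt = $db->prepare(
        'SELECT id, total FROM invoices WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => (int) $rawId, ':uid' => $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In a real page the user id comes from the server-side session set at login
// (for example $_SESSION['user_id']), never from the request. Here user 7 is logged in.
$sessionUserId = 7;

// Constructed request values, as they could arrive via GET or POST.
$cases = [
    'own invoice'       => '1001',
    "someone else's id" => '1002',
    'non-numeric input' => "1002' OR '1'='1",
];
foreach ($cases as $label => $rawId) {
    $invoice = fetchInvoiceForUser($db, $sessionUserId, $rawId);
    echo $label, ': ', $invoice ? 'shown, total ' . $invoice['total'] : 'refused', PHP_EOL;
}
```

Switching the form from GET to POST changes none of this; the ownership condition in the query is what stops a guessed invoice number from displaying someone else's invoice.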