POST or GET?
Posted 18 September 2006 - 02:57 PM
I'm trying to tighten up security on a login system and invoices.
Using GET, a user can type in crap in the address bar and maybe spoof an id that displays someone else's invoice.
If using POST - is this still possible? Can you spoof it and accidentally bring up an invoice (for example) if it only requires an invoice number?
Posted 18 September 2006 - 03:09 PM
Somebody may even be so determined as to save the source code of your page, alter it a little and use that to send the request.
There isn't much you can do to stop them trying - it's what you do to stop them succeeding that counts. The main worry is probably mysql injection - so on fields where that info is used in a query use mysql_escape_real_string to remove any potential injection attacks.
Posted 18 September 2006 - 03:12 PM
How is it done / stopped?
Many thanks - doing a bit of googling about it now...
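Added example, not part of the thread: a server-side ownership check for the invoice lookup discussed above, so that a changed invoice number in either GET or POST returns nothing unless the invoice belongs to the logged-in user. It uses a PDO prepared statement rather than the escaping function mentioned in the thread; the table, columns, sample rows and the function name `fetchInvoiceForUser` are constructed for illustration, and an in-memory SQLite database stands in for MySQL.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the MySQL database so the example runs offline.
// Schema and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, total TEXT NOT NULL)');
$db->exec("INSERT INTO invoices (id, user_id, total) VALUES (1001, 1, '120.00'), (1002, 2, '75.50')");

/**
 * Return the invoice only if it belongs to the logged-in user.
 *
 * $rawId is whatever arrived in $_GET or $_POST; both are fully controlled by the client.
 * $sessionUserId must come from the server-side session, never from the request.
 */
function fetchInvoiceForUser(PDO $db, int $sessionUserId, $rawId): ?array
{
    // Accept only a plain positive integer; anything else is rejected before the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Bound parameters keep the value out of the SQL text (no injection),
    // and the user_id condition enforces ownership (no viewing other users' invoices).
    $stmt = $db->prepare('SELECT id, total FROM invoices WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same answer for "does not exist" and "belongs to someone else",
    // so the response does not reveal which invoice numbers are valid.
    return $row === false ? null : $row;
}

// Constructed requests, all made while logged in as user 1.
$requests = ['1001', '1002', '9999', '1001 OR 1=1'];
foreach ($requests as $raw) {
    $invoice = fetchInvoiceForUser($db, 1, $raw);
    printf(
        "%-12s => %s\n",
        $raw,
        $invoice ? "invoice {$invoice['id']} total {$invoice['total']}" : 'not found'
    );
}
```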