matfish Posted September 18, 2006

Hi,

I'm trying to tighten up security on a login system and invoices. Using GET, a user can type in crap in the address bar and maybe spoof an id that displays someone else's invoice. If using POST, is this still possible? Can you spoof it and accidentally bring up an invoice (for example) if it only requires an invoice number?

Many thanks
ToonMariner Posted September 18, 2006

Everything is sent by headers - you can manipulate these headers to your own ends. Somebody may even be so determined as to save the source code of your page, alter it a little and use that to send the request. There isn't much you can do to stop them trying - it's what you do to stop them succeeding that counts.

The main worry is probably MySQL injection - so on fields where that info is used in a query use mysql_real_escape_string to remove any potential injection attacks.
matfish (Author) Posted September 18, 2006

What's an injection attack? How is it done / stopped?

Many thanks - doing a bit of googling about it now...
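The two questions in this thread (can a POSTed invoice number be spoofed, and what an injection attack is and how it is stopped) come down to the same two server-side checks, shown here as an added example in PHP. This is not code from the thread or from either poster; the table and column names (`invoices`, `id`, `user_id`, `amount`, `issued_on`), the request field name `invoice` and the session key holding the user id are all assumptions. It uses an in-memory SQLite database with constructed rows so it runs on its own.

```php
<?php
// Added example, not code from the thread. Assumed schema: a table "invoices"
// with columns id, user_id, amount, issued_on; assumed request field "invoice";
// assumed session key $_SESSION['user_id'] holding the logged-in user's id.
declare(strict_types=1);

/**
 * Read the invoice id from the request, whichever method delivered it.
 * GET and POST are equally easy for a client to alter (it is all just headers
 * and a body), so the method itself gives no protection; the checks below do.
 * Returns null for anything that is not a plain run of digits.
 */
function requestedInvoiceId(array $get, array $post): ?int
{
    $raw = $post['invoice'] ?? $get['invoice'] ?? null;
    if ($raw === null || !ctype_digit((string) $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Fetch an invoice only if it belongs to the logged-in user.
 * Two things happen here:
 *  1. Bound parameters (prepared statement) mean the id is never spliced into
 *     SQL text, so there is no injection, whether or not the input was escaped.
 *  2. The ownership condition "user_id = :uid" is part of the query, so a
 *     correctly guessed invoice number of another customer returns nothing.
 */
function loadOwnInvoice(PDO $db, int $invoiceId, int $userId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, user_id, amount, issued_on FROM invoices WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $invoiceId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Glue for a request handler: validate, then load with the ownership check.
 * Invalid ids never reach the database.
 */
function showInvoice(PDO $db, array $get, array $post, int $userId): ?array
{
    $id = requestedInvoiceId($get, $post);
    return $id === null ? null : loadOwnInvoice($db, $id, $userId);
}

// --- Demonstration with constructed data in an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER, amount REAL, issued_on TEXT)');
$db->exec("INSERT INTO invoices VALUES (100, 1, 19.99, '2006-09-01'), (101, 2, 250.00, '2006-09-02')");

$loggedInUser = 1; // in a real application this comes from the session set at login

// The user's own invoice, sent by POST: returned.
var_dump(showInvoice($db, [], ['invoice' => '100'], $loggedInUser));
// Another customer's invoice number, also sent by POST: refused, because the
// query requires user_id to match the session, not just the invoice id.
var_dump(showInvoice($db, [], ['invoice' => '101'], $loggedInUser));
// Junk typed into the address bar: rejected before any query runs.
var_dump(showInvoice($db, ['invoice' => '101 OR 1=1'], [], $loggedInUser));
```

The design point is that `mysql_real_escape_string` only addresses the injection half of the problem; it does nothing about a well-formed number that simply belongs to someone else. Tying the lookup to the authenticated user's id in the query is what stops the spoofed-invoice case the original question describes.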