Woad.php Posted January 14, 2007
How can I be sure that when I send data with the POST method it won't be changed?

fert Posted January 14, 2007
You would have to make sure that the submit button was pressed.

Woad.php Posted January 14, 2007
What? That doesn't make sense, it wouldn't even send it if the button wasn't pressed.

mattd8752 Posted January 14, 2007
You would have to check HTTP_REFERER. Checking the submit button would just make a hacker put the submit button on their simulation page, or even curl it that way.

Hypnos Posted January 15, 2007
You're asking when "you" send data? Are you worried about data collisions?

But then you say "security", which makes me think you're asking how you know that users aren't modifying POST data when it's sent to you.

If your question is the second one, as the users who replied above seem to think, let me say this.

POST data is not to be trusted. Checking refer won't help. POST data is just as modifiable as GET data. People seem to have this awful misconception that it's more secure because the average browser won't show it. But, with the right tool, you can modify it just as easily. Even over SSL.

POST, GET, and cookie data is never to be trusted. They are all editable by the user.

So, you have to put checks in your code, after you've received the POST data, to make sure the values are the range and type that they should be.

btherl Posted January 15, 2007
To add to what Hypnos said, if you want a simple way to store trusted data for the short term, use sessions. With sessions, you can be sure that the data you put in is what you get out.

BUT, keep in mind that the name of the session is not 100% secure. Someone can monitor another user's session, take their session name and take over the session. It's not easy but it's possible.

But the data inside the session can only be modified by your scripts.

SweetLou Posted January 15, 2007
Also, you can't be sure that what was sent by POST is what you wrote. I could easily make a form on my home computer and send it to your PHP file to process. As stated above, checking the referrer won't help since that can be altered by me.

But the main reason I am replying is besides the above mentioned methods to check all data, if you are going to store this information, remember to escape characters so that malicious code won't be run on your database. I prefer mysql_real_escape_string() and a couple of others. This should be done on ALL data you receive, even if the form is a dropdown list, a submit button, hidden or any other type.

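As an added example (not code posted by anyone in this thread): the checks Hypnos and SweetLou describe, validating each POST field for type and range, treating a dropdown value as untrusted, and then storing the result. It uses PDO prepared statements in place of mysql_real_escape_string(), since the mysql_* functions were removed in PHP 7; the field names, the size options, the orders table and the sample requests are all constructed for illustration.

```php
<?php
const ALLOWED_SIZES = ['small', 'medium', 'large']; // hypothetical dropdown options

// Check every POST field for type and range; returns [clean values, errors].
function validate_order(array $post): array
{
    $errors = [];
    // Whole number from 1 to 10; "3abc", "-1", arrays and missing keys all fail.
    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    if ($qty === false) {
        $errors[] = 'quantity must be a whole number from 1 to 10';
    }
    // A dropdown is only a suggestion to the client, so compare against the allow-list.
    $size = $post['size'] ?? null;
    if (!is_string($size) || !in_array($size, ALLOWED_SIZES, true)) {
        $errors[] = 'size is not one of the offered options';
    }
    // Free text: a string of bounded length; quotes and markup are stored as plain data.
    $note = $post['note'] ?? '';
    if (!is_string($note) || strlen($note) > 200) {
        $errors[] = 'note must be text of at most 200 bytes';
    }
    return [['quantity' => $qty, 'size' => $size, 'note' => $note], $errors];
}

// Placeholders keep the values out of the SQL text, so no manual escaping is needed.
function store_order(PDO $db, array $order): void
{
    $db->prepare('INSERT INTO orders (quantity, size, note) VALUES (:quantity, :size, :note)')
       ->execute($order);
}

$db = new PDO('sqlite::memory:'); // in-memory database so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (quantity INTEGER, size TEXT, note TEXT)');
// Constructed request bodies: one with edited fields, one legitimate.
$requests = [
    ['quantity' => '9999', 'size' => "large' OR '1'='1", 'note' => 'edited by the client'],
    ['quantity' => '3', 'size' => 'large', 'note' => "O'Brien <b>rush</b>"],
];
foreach ($requests as $post) {
    [$order, $errors] = validate_order($post);
    if ($errors) {
        echo 'rejected: ', implode('; ', $errors), "\n";
        continue;
    }
    store_order($db, $order);
}
echo json_encode($db->query('SELECT * FROM orders')->fetchAll(PDO::FETCH_ASSOC)), "\n";
```

In a real handler the array passed to validate_order() would be $_POST, and the note would still need output encoding (for example htmlspecialchars()) when it is later displayed.
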