safe form...

  • Marco

    safe form...

    Hi,

    Suppose you want to make sure submitted data is coming from "your" form and
    not submitted (with tools) elsewhere.
    What do I need to prevent false/hacked/spoofed data?

    - register globals = off;
    - use $_HTTP["POST"]
    - check referrer with $_SERVER["HTTP_REFERER"]

    Are these settings 'airtight'? Or can they be overruled / circumvented
    (and how)?

    Regards,
    Marco



  • Chris Hope

    #2
    Re: safe form...

    Marco wrote:

    You need to learn how to cross post and not multi post. That way when
    people reply to your post it goes to all the groups you posted to and
    you end up with one discussion thread instead of many...

    Here's my reply to your message in alt.comp.lang.php:

    > Suppose you want to make sure submitted data is coming from "your"
    > form and not submitted (with tools) elsewhere.
    > What do I need to prevent false/hacked/spoofed data?
    >
    > - register globals = off;
    > - use $_HTTP["POST"]

    $_HTTP["POST"] isn't a valid variable - you want $_POST["var_name_here"]

    > - check referrer with $_SERVER["HTTP_REFERER"]

    Unfortunately you cannot rely on $_SERVER["HTTP_REFERER"] as it can be
    blocked/unset by browser settings and other 3rd party software such as
    anti-spy software, privacy software, ad blocking software etc. In some
    cases this is set to be blank and in other cases the site's domain
    name.

    And if someone is trying to see if they can do stuff to your site/server
    through a form post they'd quite easily be able to fake the referer
    anyway and make it look like they were posting from your page.

    > Are these settings 'airtight'? Or can they be overruled / circumvented
    > (and how)?

    You could make the user enter the string value contained in a generated
    image and the value of the image is stored in a hidden field using a
    hashing algorithm like md5. When the form is submitted you compare the
    hash of their string with the hidden field. There are downsides to this
    as it can mean people are put off completing the form altogether and
    there are accessibility issues as well.

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
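    The following is an added example and is not code from the thread or from
    Chris Hope's page. It shows the two points of his reply in running PHP:
    the Referer check from the question passes a forged request, because the
    header is whatever the client chooses to send, and a per-form token that
    the server generates, stores in the session and compares with hash_equals()
    does not. Whatever is placed in the page itself (a hidden field holding a
    hash included) is readable and recomputable by whoever submits the form,
    so this example keeps the expected value on the server side only, issues
    it with 256 bits from random_bytes(), consumes it on first use so it
    cannot be replayed, and expires it. Assumed: PHP 7.0 or later; the
    $session array stands in for $_SESSION so it runs from the command line;
    the form name 'contact', TOKEN_TTL and the sample Referer are made up.

```php
<?php
// Added example, not code from the thread. A server-side form token
// (the "synchronizer token" pattern) in place of a Referer check.
// Assumed: PHP 7.0 or later (random_bytes, hash_equals); the $session
// array stands in for $_SESSION so the script runs from the command line.
declare(strict_types=1);

const TOKEN_TTL = 1800; // seconds a token stays valid (assumed value)

// The Referer check from the question, for comparison: it reads a header
// the client chose to send, so a forged request passes it trivially.
function referer_is_ours(array $server, string $host): bool
{
    $parsed = parse_url($server['HTTP_REFERER'] ?? '');
    return is_array($parsed) && isset($parsed['host'])
        && strcasecmp($parsed['host'], $host) === 0;
}

// Issue a token for $form, remember it server-side, return the hidden field.
function issue_form_token(array &$session, string $form, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, 64 hex chars
    $session['form_tokens'][$form] = ['token' => $token, 'issued' => $now];
    return sprintf(
        '<input type="hidden" name="form_token" value="%s">',
        htmlspecialchars($token, ENT_QUOTES, 'UTF-8')
    );
}

// Verify the submitted token and consume it, so it cannot be replayed.
function verify_form_token(array &$session, string $form, array $post, int $now): bool
{
    $expected = $session['form_tokens'][$form] ?? null;
    unset($session['form_tokens'][$form]); // single use, whether it passes or not
    if ($expected === null || $now - $expected['issued'] > TOKEN_TTL) {
        return false; // nothing issued for this form, or the token is too old
    }
    $submitted = $post['form_token'] ?? '';
    if (!is_string($submitted) || strlen($submitted) !== 64) {
        return false; // missing, an array (form_token[]=x), or the wrong shape
    }
    // Constant-time comparison; == would also apply PHP's loose comparison rules.
    return hash_equals($expected['token'], $submitted);
}

// Pull the token back out of the rendered hidden field (demo helper).
function token_from_field(string $field): string
{
    return preg_match('/value="([0-9a-f]{64})"/', $field, $m) === 1 ? $m[1] : '';
}

// --- Demonstration with constructed input; no web server needed ---
$session = [];
$now = 1700000000;

// A forged request can carry any Referer it likes, so this check lets it through.
$forgedServer = ['HTTP_REFERER' => 'http://www.example.com/form.php']; // constructed
printf("referer check on forged request: %s\n",
    referer_is_ours($forgedServer, 'www.example.com') ? 'passes' : 'rejected');

// Render the form; the hidden field carries the token.
$token = token_from_field(issue_form_token($session, 'contact', $now));

// A genuine submission from our page is accepted ...
printf("genuine submission: %s\n",
    verify_form_token($session, 'contact', ['form_token' => $token], $now + 5) ? 'passes' : 'rejected');
// ... but the same token submitted again is not, because it was consumed.
printf("replayed token: %s\n",
    verify_form_token($session, 'contact', ['form_token' => $token], $now + 6) ? 'passes' : 'rejected');

// A made-up token is rejected, whatever Referer the request carries.
issue_form_token($session, 'contact', $now);
printf("forged token: %s\n",
    verify_form_token($session, 'contact', ['form_token' => str_repeat('a', 64)], $now) ? 'passes' : 'rejected');

// A token older than TOKEN_TTL is rejected.
$old = token_from_field(issue_form_token($session, 'contact', $now));
printf("expired token: %s\n",
    verify_form_token($session, 'contact', ['form_token' => $old], $now + TOKEN_TTL + 1) ? 'passes' : 'rejected');
```

    In a real page the hidden field goes inside the form, $session is
    $_SESSION after session_start(), and the handler calls
    verify_form_token() before touching anything else in $_POST. The token
    only proves that the submitter loaded your form in this session; it does
    not stop a script from loading the form first and then posting, which is
    the gap Chris's CAPTCHA suggestion is aimed at.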


    • Marco

      #3
      Re: safe form...

      You're right Chris..

      Thanx for your reply though :-)


      Marco


      "Marco" <dont_send{spam}[mps]@this.address[webmind.nl].please.com> wrote
      in message news:420272d3$0$26225$18b6e80@news.wanadoo.nl ...
      > Hi,
      >
      > Suppose you want to make sure submitted data is coming from "your" form
      > and
      > not submitted (with tools) elsewhere.
      > What do I need to prevent false/hacked/spoofed data?
      >
      > - register globals = off;
      > - use $_HTTP["POST"]
      > - check referrer with $_SERVER["HTTP_REFERER"]
      >
      > Are these settings 'airtight'? Or can they be overruled / circumvented
      > (and how)?
      >
      > Regards,
      > Marco

