Re: [phplib] Registering form variables From: Maurice Jumelet (maurice <email protected>)
Date: 09/12/00

I'll give an example:
Suppose you have a shop with an item, a shoe (price $35),

and you have a form (the field is named "amount" so it matches the URL below):
<FORM METHOD="GET" ACTION="http://domain.com/order.php3">
Amount <INPUT TYPE="text" NAME="amount">
<INPUT TYPE="HIDDEN" NAME="itm_id" VALUE="1001">
<INPUT TYPE="HIDDEN" NAME="price" VALUE="35">
<INPUT TYPE="submit" VALUE="Order">
</FORM>

The problem with this is that you cannot trust the internet user; for a
malicious user it would be easy to order this shoe for another price by
simply going to http://domain.com/order.php3?amount=1&itm_id=1001&price=10

What you should do is use the ID for the product id and look up the price
in your database in the order.php3 script.

Hope this helps,
Maurice
NOXX.com
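The server-side lookup Maurice describes, written out as an added example (this is not code from the thread or from phplib): the tampered request from the message is priced once by trusting the form and once by reading the price from the catalogue by item id. The SQLite in-memory table, the item row and the request array are constructed sample data.

```php
<?php
// Added example, not from the original thread: order.php3 rewritten so the
// price comes from the server-side catalogue, never from the submitted form.
// The in-memory SQLite table stands in for the shop database (assumption);
// the shoe row mirrors the thread's example.
declare(strict_types=1);

function catalogue(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (itm_id INTEGER PRIMARY KEY, name TEXT, price REAL)');
    $db->exec("INSERT INTO items VALUES (1001, 'shoe', 35.00)");
    return $db;
}

// Vulnerable: trusts the client-supplied price, as the hidden field invites.
function total_untrusted(array $input): float {
    return (float)$input['price'] * (int)$input['amount'];
}

// Hardened: only the item id and quantity come from the client, both are
// validated, and the price is read from the database by id.
function total_from_catalogue(PDO $db, array $input): float {
    $itm_id = filter_var($input['itm_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $amount = filter_var($input['amount'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($itm_id === false || $amount === false) {
        throw new InvalidArgumentException('invalid item id or amount');
    }
    $stmt = $db->prepare('SELECT price FROM items WHERE itm_id = :id');
    $stmt->execute([':id' => $itm_id]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        throw new RuntimeException('unknown item');
    }
    return (float)$price * $amount;
}

// Constructed request, the same query string the message shows:
// order.php3?amount=1&itm_id=1001&price=10
$tampered = ['amount' => '1', 'itm_id' => '1001', 'price' => '10'];
$db = catalogue();
printf("untrusted total: %.2f\n", total_untrusted($tampered));
printf("catalogue total: %.2f\n", total_from_catalogue($db, $tampered));
```

The extra `price` parameter is simply ignored by the hardened version, so whatever the client sends for it cannot change the order total.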

----- Original Message -----
From: Rex Byrns <rexb <email protected>>
To: Phplib <email protected> Netuse. De (E-mail) <phplib <email protected>>
Sent: Tuesday, September 12, 2000 9:42 PM
Subject: [phplib] Registering form variables

>
> I would like for someone to explain the use of form variables in sessions.
> The manual distinctly points out that you should never trust unvalidated
> user input from the internet. I repeatedly see chances to benefit greatly
> from registering form variables. A shopping cart uses "form variables" to
> track purchases. What exactly is the difference? Are these warnings only
> for the scary stuff like user names, passwords, addresses, etc?
>
> Thanks
> Rex
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: phplib-unsubscribe <email protected>
> For additional commands, e-mail: phplib-help <email protected>