Re: [phplib] Registering form variables
From: R.B. Scholtus (regiment <email protected>)
Date: 09/12/00

You can also use POST vars to make sure the input is valid (=post data) and
not user 'generated' (=get data). For example in order.php3:

$total = $HTTP_POST_VARS["price"] * (int)$HTTP_POST_VARS["order_amount"];
echo "<p>total price: $total";

which probably saves you a query. Just make sure track vars = on.

Brian

PS. Maybe it's interesting to check phpinfo() for HTTP_GET_VARS,
HTTP_POST_FILES and HTTP_SERVER_VARS also.
I've written some functions that generate queries based on HTTP_POST_VARS,
which is convenient and safe. Email me if you want to take a look.

----- Original Message -----
From: "Maurice Jumelet" <maurice <email protected>>
To: "Rex Byrns" <rexb <email protected>>; "Phplib <email protected> Netuse. De (E-mail)" <phplib <email protected>>
Sent: Tuesday, September 12, 2000 11:30 PM
Subject: Re: [phplib] Registering form variables

> I'll give an example:
> Suppose you have a shop with an item, a shoe (price $35),
>
> and you have a form:
> <FORM action="http://domain.com/order.php3">
> Amount<INPUT TYPE="text" NAME="order_amount">
> <INPUT TYPE="HIDDEN" NAME="itm_id" VALUE="1001">
> <INPUT TYPE="HIDDEN" NAME="price" VALUE="35">
> </FORM>
>
> The problem with this is that you cannot trust the internet user; for a
> malicious user it would be easy to order this shoe for another price by
> simply going to http://domain.com/order.php3?amount=1&itm_id=1001&price=10
>
> What you should do is use the ID for the product id and look up the price
> in your database in the order.php3 script.
>
> Hope this helps,
> Maurice
> NOXX.com
>
> ----- Original Message -----
> From: Rex Byrns <rexb <email protected>>
> To: Phplib <email protected> Netuse. De (E-mail) <phplib <email protected>>
> Sent: Tuesday, September 12, 2000 9:42 PM
> Subject: [phplib] Registering form variables
>
>
> >
> > I would like for someone to explain the use of form variables in sessions.
> > The manual distinctly points out that you should never trust unvalidated
> > user input from the internet. I repeatedly see chances to benefit greatly
> > from registering form variables. A shopping cart uses "form variables" to
> > track purchases. What exactly is the difference? Are these warnings only
> > for the scary stuff like user names, passwords, addresses, etc?
> >
> > Thanks
> > Rex
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: phplib-unsubscribe <email protected>
> > For additional commands, e-mail: phplib-help <email protected>
> >
> >
>
>

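Maurice's fix (take only the item id and the amount from the request, and look the price up server-side), as an added example that is not part of any message in this thread. It is written for current PHP (PDO and a plain request array) rather than the PHP3-era $HTTP_POST_VARS used above; the products table, its columns and the in-memory SQLite database are constructed here so the script runs on its own. The same validation is applied whichever array is passed in, since the transport (GET or POST) says nothing about whether a value was tampered with.

```php
<?php
// Added example, not code from the thread. Stand-in for order.php3:
// the client chooses an item id and an amount, the price is never read
// from the request. Schema is assumed: products(id, name, price_cents).
declare(strict_types=1);

// Constructed in-memory database so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)');
$db->exec("INSERT INTO products VALUES (1001, 'shoe', 3500)");

/**
 * Compute the order total (in cents) from untrusted request fields.
 * Only itm_id and order_amount are taken from the client; the price comes
 * from the database. Returns null when the input is invalid or the item
 * is unknown. $request may be $_GET or $_POST; both are treated the same.
 */
function order_total(PDO $db, array $request): ?int
{
    // Both fields must be positive integers; anything else is rejected.
    $itemId = filter_var($request['itm_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $amount = filter_var($request['order_amount'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($itemId === false || $amount === false) {
        return null;
    }

    // Server-side price lookup by id; the prepared statement keeps the
    // client-supplied id out of the SQL text.
    $stmt = $db->prepare('SELECT price_cents FROM products WHERE id = :id');
    $stmt->execute([':id' => $itemId]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        return null; // unknown item id
    }
    return (int)$price * $amount;
}

// Constructed requests: a normal order, the tampered one from the thread
// (client supplies price=10, which is simply ignored), and a bad amount.
$normal   = ['itm_id' => '1001', 'order_amount' => '1'];
$tampered = ['itm_id' => '1001', 'order_amount' => '1', 'price' => '10'];
$invalid  = ['itm_id' => '1001', 'order_amount' => '-3'];

foreach (['normal' => $normal, 'tampered' => $tampered, 'invalid' => $invalid] as $label => $req) {
    $total = order_total($db, $req);
    echo $label . ': ' . ($total === null ? 'rejected' : $total . ' cents') . "\n";
}
```

The tampered request yields the same total as the normal one because the only price the script ever uses is the one stored for itm_id 1001.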