Re: [phplib] Registering form variables
From: R.B. Scholtus (regiment <email protected>)
Date: 09/12/00

If users have telnet access they can read your database passwords and change
anything they want. We have discussed this before and the only solution is
to disable telnet access.

You can check the referrer and find out if the form data is from a local
file or from the real website, but you have a good point!!!

Brian

P.S. What email program are you using? I receive all your mail as attachments
:-)

On Tue, Sep 12, 2000 at 11:46:11PM +0200, R.B. Scholtus wrote:

> You can also use POST vars to make sure the input is valid (=post data)
> and not user 'generated' (=get data). For example in order.php3:

er, what exactly prevents me from creating a local html file with a form
that does method=POST onto your results/processing page?

what prevents me from telnetting to the web server and then manually typing

POST doit.php3 .... etc

?

Sorry if I'm blind, but this is no solution for me ;)

--
"One should do everything possible to the person responsible for ILOVEYOU,
but probably only his company will be split in two." -- Usenet
http://www.linuxfaq.de
http://www.hitchhikers.de
http://www.pinguin.conetix.de

----- Original Message -----
From: "Jens Benecke" <phplib <email protected>>
To: "Phplib <email protected> Netuse. De E-mail"" <phplib <email protected>>
Sent: Tuesday, September 12, 2000 11:56 PM
Subject: Re: [phplib] Registering form variables

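The point argued in this thread, as an added example that is not part of the original messages: the request method and the Referer header are both supplied by the client, so a check built on them passes for a hand-typed request just as it does for the real form, and only validation against server-side data separates the two. The site URL, catalogue, field names and both sample requests are hypothetical and constructed for illustration; they are not taken from phplib or from the posters' code.

```php
<?php
// Added example: SITE, CATALOG and the form field names are hypothetical.
const SITE = 'http://shop.example/';               // assumed site URL
const CATALOG = ['A100' => 1995, 'B200' => 4950];  // server-side prices, in cents

// Weak check from the thread: request method plus Referer prefix.
// Both values are sent by the client, so any client can set them.
function looks_like_our_form(array $server): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && strpos($server['HTTP_REFERER'] ?? '', SITE) === 0;
}

// Server-side validation: trust no submitted field, whatever the transport.
// Returns [order, null] on success or [null, reason] on rejection.
function validate_order(array $post): array
{
    $item = $post['item'] ?? '';
    if (!is_string($item) || !array_key_exists($item, CATALOG)) {
        return [null, 'unknown item'];
    }
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($qty === false) {
        return [null, 'quantity out of range'];
    }
    // Any client-supplied 'price' is ignored; the total comes from CATALOG.
    return [['item' => $item, 'qty' => $qty, 'total' => CATALOG[$item] * $qty], null];
}

// Constructed requests: one from the real form, one typed by hand
// with a copied Referer and altered fields.
$requests = [
    'browser form' => [
        ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => SITE . 'order.php3'],
        ['item' => 'A100', 'qty' => '2', 'price' => '1995'],
    ],
    'hand-typed' => [
        ['REQUEST_METHOD' => 'POST', 'HTTP_REFERER' => SITE . 'order.php3'],
        ['item' => 'A100', 'qty' => '-5', 'price' => '1'],
    ],
];

foreach ($requests as $label => [$server, $post]) {
    [$order, $error] = validate_order($post);
    printf("%-12s weak check: %s, validation: %s\n", $label,
        looks_like_our_form($server) ? 'pass' : 'fail',
        $error ?? 'ok, total ' . $order['total']);
}
```

Both sample requests pass the method-and-Referer check; only `validate_order()` rejects the altered one, and it never reads the submitted `price` field.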