RE: [phplib] Registering form variables From: Jeff Stuart (jstuart <email protected>)
Date: 09/12/00

In this case, he meant telnetting to port 80 on the web server and then
typing in the post command. This can be a good debugging tool when things
aren't working. :) Personally, what I do is verify the data that they've
sent in and if I need it for multiple forms, I'll put them into the session
AFTER I've sanitized the data.

--
Jeff (FurBall)
WebOverdrive Newbie Tech Board
http://www.topniche.com/tech/
furball <email protected>
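An added example (not from this thread or from the PHPLIB code) of the approach Jeff describes: validate every submitted value on the server regardless of whether it arrived by GET or POST, and store only the sanitized result in the session. The field names, the allowed item codes and limits, and the use of PHP's built-in session functions instead of PHPLIB's session class are assumptions for illustration.

```php
<?php
// Added example: server-side validation of an order form, independent of
// HTTP method. Field names, item codes and limits are constructed samples.
session_start();

// Neither the request method, the Referer header nor the originating form
// can be trusted: any client can send an arbitrary POST body. Each value
// is therefore checked against what the application actually accepts.
function validate_order(array $input): array
{
    $errors = [];
    $clean  = [];

    // Item id: allow-list of known product codes (constructed sample set).
    $known_items = ['A100', 'B200', 'C300'];
    $item = $input['item'] ?? '';
    if (!in_array($item, $known_items, true)) {
        $errors[] = 'unknown item';
    } else {
        $clean['item'] = $item;
    }

    // Quantity: must parse as an integer within a sane range.
    $qty = filter_var($input['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($qty === false) {
        $errors[] = 'quantity out of range';
    } else {
        $clean['qty'] = $qty;
    }

    // E-mail: syntactic check plus a length limit before it is stored.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        $errors[] = 'invalid e-mail';
    } else {
        $clean['email'] = $email;
    }

    return ['ok' => empty($errors), 'errors' => $errors, 'data' => $clean];
}

$result = validate_order($_POST);
if (!$result['ok']) {
    http_response_code(400);
    foreach ($result['errors'] as $e) echo htmlspecialchars($e), "\n";
    exit;
}
// Only validated values reach the session, as Jeff describes above.
$_SESSION['order'] = $result['data'];
echo 'Order data accepted.';
```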

-----Original Message-----
From: R.B. Scholtus [mailto:regiment <email protected>]
Sent: Tuesday, September 12, 2000 6:59 PM
To: Jens Benecke; Phplib <email protected> Netuse. De E-mail"
Subject: Re: [phplib] Registering form variables

If users have telnet access they can read your database passwords and change anything they want. We have discussed this before and the only solution is to disable telnet access.

You can check the referrer and find out if the form data is from a local file or from the real website, but you have a good point!!!

Brian

PS. What email program are you using? I receive all your mail as attachments :-)

On Tue, Sep 12, 2000 at 11:46:11PM +0200, R.B. Scholtus wrote:

> You can also use POST vars to make sure the input is valid (=post data)
> and not user 'generated' (=get data). For example in order.php3:

Er, what exactly prevents me from creating a local html file with a form that does method=POST onto your results/processing page?

What prevents me from telnetting to the web server and then manually typing

POST doit.php3 .... etc

?

Sorry if I'm blind, but this is no solution for me ;)

--
"One should do everything possible to the person responsible for ILOVEYOU, but probably all that will happen is that his company gets split in two." -- Usenet
http://www.linuxfaq.de
http://www.hitchhikers.de
http://www.pinguin.conetix.de

----- Original Message -----
From: "Jens Benecke" <phplib <email protected>>
To: "Phplib <email protected> Netuse. De E-mail"" <phplib <email protected>>
Sent: Tuesday, September 12, 2000 11:56 PM
Subject: Re: [phplib] Registering form variables

---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>