Re: [phplib] Registering form variables From: Jens Benecke (phplib <email protected>)
Date: 09/13/00

On Wed, Sep 13, 2000 at 09:23:36AM -0500, layne <email protected> wrote:

> > It may be a bit different but it is still possible to fake the
> > web-server (all you need to do is create a new html page local and load
> > it in your browser)
> This is why multiple tests are necessary for form validation. An
> additional test that helps here is to make sure that the HTTP_REFERER is
> a valid page at your domain - if /form.html posts to form.php, then
> form.php would check ereg('domain.tld/form.html', $HTTP_REFERER) as well
> as $HTTP_POST_VARS[field_name].

That breaks as soon as your client comes through a proxy, or uses a browser
which does not even generate a Referer: header.

And POST vars are no security either, as I explained in another posting.

The only somewhat secure method would be to squeeze all vars through a
tight regexp before letting them touch your database. That's what I do in
most of my projects.

-- 
"One should do everything imaginable to the person responsible     http://www.linuxfaq.de
 for ILOVEYOU, but probably his company will just be            http://www.hitchhikers.de
 split in two." -- Usenet                                        http://www.pinguin.conetix.de

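As an added illustration of the whitelisting approach Jens describes (example code, not from this thread or from PHPLIB): every submitted field is matched against a tight, anchored regexp before anything reaches the database, unknown fields are dropped, and the Referer header is never consulted. The field names, patterns and sample input are assumptions made for the example.

```php
<?php
// Added example: per-field whitelist validation of submitted form data.
// Field names and patterns below are assumptions chosen for illustration.
// Patterns end in \z rather than $, because in PCRE a bare $ also matches
// just before a trailing newline and would let "12345\n" through.
$rules = array(
    'username' => '/^[A-Za-z0-9_]{3,32}\z/',   // letters, digits, underscore only
    'age'      => '/^[1-9][0-9]{0,2}\z/',      // 1..999, no leading zero
    'zip'      => '/^[0-9]{5}\z/',             // exactly five digits
);

// Returns array(clean fields, errors). Only fields named in $rules can
// appear in the clean array, so nothing unexpected reaches the database.
function validate_fields(array $rules, array $input)
{
    $clean  = array();
    $errors = array();
    foreach ($rules as $field => $pattern) {
        // A missing field, or a non-string value (field[]=... turns a
        // parameter into an array), is rejected before the regexp runs.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        if (!preg_match($pattern, $input[$field])) {
            $errors[$field] = 'invalid';
            continue;
        }
        $clean[$field] = $input[$field];
    }
    return array($clean, $errors);
}

// Constructed sample input standing in for $_POST (or $HTTP_POST_VARS in
// PHPLIB-era code): a trailing newline in zip and an unknown extra field.
$sample = array(
    'username' => 'jens_b',
    'age'      => '30',
    'zip'      => "12345\n",
    'extra'    => 'ignored',
);
list($clean, $errors) = validate_fields($rules, $sample);

if (count($errors) > 0) {
    // Refuse the whole request; do not touch the database with partial data.
    header('HTTP/1.0 400 Bad Request');
    echo 'Rejected fields: ' . implode(', ', array_keys($errors));
} else {
    // Only now would $clean be handed to the database layer.
    echo 'Accepted: ' . implode(', ', array_keys($clean));
}
```

Whether the client arrives through a proxy or with a browser that sends no Referer: header makes no difference here, since the decision depends only on the submitted values themselves.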