php3-list | 199908
Date: 08/30/99
- Next message: pp: "[PHP3] Apache Win 32 + PHP"
- Previous message: Duncan Kinder: "[PHP3] PHP Will Not Work"
- Next in thread: Richard Lynch: "Re: [PHP3] Security Questions (long post)"
- Reply: Richard Lynch: "Re: [PHP3] Security Questions (long post)"
- Reply: Kristian Köhntopp: "Re: [PHP3] Security Questions (long post)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I posted this quite a few months ago and received some valuable
replies. Sorry for the repost, but I just wanted to hear any final opinions
on this before I finish my work.
First, let me mention that I cannot use any Apache or Unix security features, as
my project (diploma thesis) must run under Windows and Linux (which works
perfectly) and with any web server (works theoretically).
I have two scripts, let's call them page1.php3 and script1.php3. Page1.php3
just displays a normal HTML page by getting a few things from a database. On
this page, Page1.php3, there is a form which calls the page (Page1.php3)
itself when the user clicks on the submit button. Now I need to execute some
code when this is done, and _only_ when the user clicks on the submit
button. So I am doing something like this:
Page1.php3

<?php
[... unimportant stuff ...]
$securityvar = 9331;
// Run the handler only for a POST whose Referer (query string stripped)
// is this page's own URL.
if ((isset($HTTP_POST_VARS)) and
    (GetCleanURL($HTTP_REFERER) ==
     "http://$SERVER_NAME:$SERVER_PORT$REQUEST_URI")) {
    include("scripts/handle_newuser1.php3");
}
[ ... unimportant stuff ... ]
?>
<HTML>
...
<!-- METHOD="POST" is needed, otherwise the form submits via GET and
     $HTTP_POST_VARS is never populated -->
<FORM ACTION="page1.php3" METHOD="POST">
...
</FORM>
</HTML>
Script1.php3 looks like this:

<?php
// Refuse unless: POST, Referer is this page's own URL, $securityvar was set
// by the including page, and the request URI ends in newuser1.php3.
if ((!isset($HTTP_POST_VARS)) or
    (GetCleanURL($HTTP_REFERER) !=
     "http://$SERVER_NAME:$SERVER_PORT$REQUEST_URI") or
    (!is_int($securityvar)) or
    (basename($REQUEST_URI) != "newuser1.php3")) {
    // Header() expects a complete header line; a bare path sends nothing useful.
    Header("Location: shared/error/403.php3");
    Exit;
}
[ ... unimportant stuff ... ]
?>
[ ... unimportant stuff ... ]
Note: GetCleanURL just strips off any ?key=value pairs.
My questions now:
- Is this safe? Script1.php3 must only be executed if it is called from
page1.php3, not from any other page, not even on the same server, and not from
any other server.
- Is there any way to "cheat" this code?
- Any better ideas (and I am sure there are some)?
Please remember, this is a diploma thesis, so I have to do some of this
"unusual" stuff, as a diploma thesis is an academic project and [ bla bla
bla ] :) I know it would be much easier if i could use apache security
features, but I can't.
I am grateful for any hints/suggestions/comments/flames.
Thanx
/CFe
--
PHP 3 Mailing List <http://www.php.net/>
To unsubscribe, send an empty message to php3-unsubscribe <email protected>
To subscribe to the digest, e-mail: php3-digest-subscribe <email protected>
To search the mailing list archive, go to: http://www.php.net/mailsearch.php3
To contact the list administrators, e-mail: php-list-admin <email protected>
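The scheme in the post above rests on two things the server reads from the request: the method and the Referer header. Both are chosen by the client, so any HTTP client that is not a browser (or a browser driven by a script) can send exactly the Referer the check wants, without ever having loaded page1.php3. The following is an added example, not code from the original post or the thread; it uses Python in place of PHP3 and constructed CGI-style dicts in place of real requests. It runs the posted Referer check against a forged request, then shows a check that a client cannot satisfy by forging headers alone: page1 sets a random cookie and puts an HMAC of that cookie (keyed with a server-side secret) into a hidden form field, and the script recomputes and compares. Server name, cookie name, field name and the hypothetical form name "newuser1" are all assumptions for the demo.

```python
"""Why a Referer check can be cheated, and a cookie-bound HMAC token that
cannot be satisfied by forging headers. Added example, not from the post;
Python stands in for PHP3 and all request dicts below are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed server identity for the demo (assumption, not from the post).
SERVER_NAME = "www.example.com"
SERVER_PORT = "80"
PAGE_URI = "/page1.php3"


def get_clean_url(url):
    """Stand-in for the poster's GetCleanURL(): strip any ?key=value part."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def referer_check(env):
    """The posted check: a POST whose Referer equals the page's own URL."""
    expected = "http://%s:%s%s" % (env["SERVER_NAME"], env["SERVER_PORT"],
                                   env["REQUEST_URI"])
    return (env.get("REQUEST_METHOD") == "POST"
            and get_clean_url(env.get("HTTP_REFERER", "")) == expected)


# Secret known only to the server process (assumption: generated at startup
# or read from a file outside the web root, never sent to the client).
SERVER_SECRET = secrets.token_bytes(32)


def issue_form_cookie():
    """Random value page1 sets as a cookie when it renders the form."""
    return secrets.token_hex(16)


def issue_form_token(form_cookie, form_name, secret=SERVER_SECRET):
    """Hidden-field value: HMAC over the cookie and the form's name, so the
    token is tied to this browser (its cookie) and to this one form."""
    msg = ("%s\0%s" % (form_cookie, form_name)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def token_check(env, form_name, secret=SERVER_SECRET):
    """Script-side check: POST, cookie present, hidden field matches HMAC."""
    if env.get("REQUEST_METHOD") != "POST":
        return False
    cookie = env.get("COOKIE_FORMSID", "")
    supplied = env.get("POST", {}).get("form_token", "")
    if not cookie or not supplied:
        return False
    return hmac.compare_digest(supplied,
                               issue_form_token(cookie, form_name, secret))


def base_env(**extra):
    env = {"REQUEST_METHOD": "POST", "SERVER_NAME": SERVER_NAME,
           "SERVER_PORT": SERVER_PORT, "REQUEST_URI": PAGE_URI}
    env.update(extra)
    return env


def forged_request():
    """Built by a client that never loaded page1: it simply sends the Referer
    the server wants to see (with a query string, to exercise GetCleanURL)
    and a guessed hidden field."""
    referer = "http://%s:%s%s?x=1" % (SERVER_NAME, SERVER_PORT, PAGE_URI)
    return base_env(HTTP_REFERER=referer, POST={"form_token": "9331"})


def legitimate_request(form_cookie):
    """A browser that loaded page1 and so holds the cookie and the hidden field."""
    referer = "http://%s:%s%s" % (SERVER_NAME, SERVER_PORT, PAGE_URI)
    return base_env(HTTP_REFERER=referer, COOKIE_FORMSID=form_cookie,
                    POST={"form_token": issue_form_token(form_cookie, "newuser1")})


def run_demo():
    cookie = issue_form_cookie()
    forged, legit = forged_request(), legitimate_request(cookie)
    return {
        "referer_check_forged": referer_check(forged),        # True: cheated
        "referer_check_legit": referer_check(legit),          # True
        "token_check_forged": token_check(forged, "newuser1"),  # False
        "token_check_legit": token_check(legit, "newuser1"),    # True
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The token check needs nothing from the web server or operating system beyond cookies and a hidden field, so it fits the "any web server, Windows and Linux" constraint in the post. Its limit is worth stating: it proves the submitting browser first loaded page1.php3 under that cookie, which is the strongest form of "called from page1" a server can verify; a client that fetches page1 itself and then submits whatever it likes passes both checks, and no server-side test can distinguish that from a real user. Wrapping the token in `hmac.compare_digest` rather than `==` avoids leaking the comparison result through timing.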