I want to use something safer than URL encoded variables.
I have been thinking about this for quite a while... I believe that URL-encoded
passing of variables leaves too many open avenues for would-be attackers. Is
there someone out there who could shed some light on possible ways I can
accomplish the safe passing of variables between form submissions? I have
tried using hidden fields, but it becomes too much of a hassle. I was thinking
of getting all the variables I am to pass and placing them in an array and
then passing the array URL-encoded, or a class perhaps... I dunno... which is
why I am asking for anyone's help... thanks in advance :)
Regards,
- trollll
- Forum Contributor
- Posts: 181
- Joined: Tue Jun 10, 2003 11:56 pm
- Location: Round Rock, TX
I've found that URL encoding works well enough, just plan on and account for cases of bad information. I generally have test cases to see if the passed info matches expected info and (depending on the type of info passed) either force it into a certain format (html entities, date formatting, etc.) or reject anything that will disrupt the system and let the user know why.
And if a bad value for something would only come from an attack, kill the process and output a message saying something like, "Please don't do that, you mean person," or something better suiting your attitude towards attackers.
I prefer SESSIONS & POST to GET for variable passing: sessions to minimize the amount of data that is exposed to the user in the first place, and POST to eliminate trivial hack attempts.
As trollll says, you still need to plan for and deal with all the possibilities of bad input, as people can still spoof a POSTed form.
I loathe name-mangling, which is another reason I avoid GET at all costs.
- PixelMaster
- Forum Newbie
- Posts: 11
- Joined: Sat Aug 16, 2003 11:48 am
Maybe an easier method than trying to think of all the possibilities for bad data that you could get (which is pretty much impossible, anyway) would be to make a short list of good data: i.e. 'only things with alphabetic characters that are no longer than 10 characters are OK', or 'any combination of up to 2 digits'. Everything else generates an error message.
If you have the ctype functions installed, they are very useful for this kind of stuff - not to mention faster and easier to use than the regexp functions.
I agree that ctype functions may be easier and faster... and I will
probably end up using them. However, these functions (or most of them)
check to see if the criteria are met by ALL the characters in the
string... which makes them a little inflexible. I will combine the use of ctype
along with regular expressions, html_entities, strip_html, etc... to make
it a little more flexible and robust. I don't want to sound ungrateful, I
really appreciate the input... I believe it has sparked ideas and research
in my head... thanks again!
Regards,
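PixelMaster's "short list of good data" and the plan above to combine ctype with regular expressions, worked through as an added example (this is not code from the thread). It assumes three fields, name, email and age, with limits picked for illustration; the two-digit rule is the one PixelMaster gave. It also escapes on output, since a value that passed validation is still data, not markup.

```php
<?php
// Allowlist validation for form input: say what is acceptable per field and
// reject everything else. Added example; field names and limits are assumed.

function validate_user_form(array $input)
{
    $errors = array();
    $clean  = array();

    // 'name': letters and spaces only, 1..40 bytes. ctype_alpha() refuses the
    // space and checks every character, so strip spaces before the ctype test
    // and bound the length separately.
    $name = isset($input['name']) ? trim((string)$input['name']) : '';
    if ($name === '' || strlen($name) > 40 || !ctype_alpha(str_replace(' ', '', $name))) {
        $errors['name'] = 'Name must be 1 to 40 letters or spaces.';
    } else {
        $clean['name'] = $name;
    }

    // 'email': let PHP's own validator decide, then cap the length.
    $email = isset($input['email']) ? trim((string)$input['email']) : '';
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid.';
    } else {
        $clean['email'] = $email;
    }

    // 'age': "any combination of up to 2 digits". ctype_digit() tests every
    // character, so pair it with a length bound; the regex /^[0-9]{1,2}$/
    // expresses the same rule in one step.
    $age = isset($input['age']) ? (string)$input['age'] : '';
    if (!ctype_digit($age) || strlen($age) > 2) {
        $errors['age'] = 'Age must be 1 or 2 digits.';
    } else {
        $clean['age'] = (int)$age;
    }

    return array('ok' => empty($errors), 'clean' => $clean, 'errors' => $errors);
}

// Constructed inputs: one good submission and one carrying markup, a bad
// address and a negative number.
$good = array('name' => 'Jane Doe', 'email' => 'jane@example.com', 'age' => '34');
$bad  = array('name' => '<script>x</script>', 'email' => 'not-an-address', 'age' => '-1');

$r1 = validate_user_form($good);   // ok => true, clean holds the typed values
$r2 = validate_user_form($bad);    // ok => false, errors names all three fields

// Escape on output even for values that passed validation.
if ($r1['ok']) {
    echo 'Hello, ', htmlspecialchars($r1['clean']['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
foreach ($r2['errors'] as $field => $msg) {
    echo "$field: ", htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Rejecting on the first failure is also fine; collecting all errors just lets the user fix the form in one pass, which is what trollll's "let the user know why" suggests.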
It is actually possible to POST without submitting. I've come across a clever function by Rasmus Lerdorf doing just that:

Code:
<?php
/* Author ----- Rasmus Lerdorf <rasmus@lerdorf.on.ca> */
function PostToHost($host, $path, $data_to_send) {
    // Open a plain TCP connection to the web server on port 80.
    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) {
        echo "Could not connect to $host: $errstr ($errno)\n";
        return;
    }
    // HTTP header lines end in CRLF; a blank line separates headers from body.
    fputs($fp, "POST $path HTTP/1.0\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Content-Type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-Length: " . strlen($data_to_send) . "\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $data_to_send);
    // Echo the raw response (status line, headers and body) as it arrives.
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}

Function call would be:

Code:
<?php
// Encode each field separately. urlencode() over the whole "a=b&c=d" string
// would also encode the '&' and '=' and send one mangled field.
$data = http_build_query(array(
    'cEmail' => 'me@here.com',
    'cMsg'   => "The outlook wasn't brillant for the Mudville nine that day, the score stood two to four with but an inning left to play...",
));
PostToHost("www.clipx.net", "/cgi-bin/nohdr.exe", $data);
exit();

Neat-o-mat.

The function sends data to another webserver via port 80. Naturally, you will still need to populate the variables with the values you intend to send. My initial text "POST without submitting" is somewhat misleading - with the script you can directly access a remote script (on another webserver) and, e.g., submit to it, which can be quite handy, for example if you want to query a search engine remotely, etc.

ro wrote: My question to patrikG is: how would you set up the form to use this (PostToHost())...
it might be obvious, but I'm drawing a complete blank.
I have also found this technique to be useful. I am connecting to an internal webserver that runs ASP, logging in and then pulling the content so that the content is available on the public webserver.
This is the code I'm messing with... I think I'm content with sending the Actions in the
manner shown below. However, I am still using $GLOBALS to get the submitted <input>
text variables... how could I merge this method along with the PostToHost() method and
then be able to DISABLE globals in PHP?
Code:
<?php
function addusr_form($page) {
    // State that rides along in the query string of the form's action URL.
    $arr = array();
    $arr['Action'] = 'Add New User';
    $ser = serialize($arr);
    $ser = urlencode($ser);
    $page .= "?ser1=$ser";
    // Quote and escape the attribute so the URL cannot break out of it.
?>
<form method="POST" action="<?php echo htmlspecialchars($page, ENT_QUOTES); ?>">
<table>
<tr>
<td>
<div>Full Name:</div>
</td>
<td>
<input type="text" name="name">
</td>
</tr>
<tr>
<td>
<div>Email:</div>
</td>
<td>
<input type="text" name="email">
</td>
</tr>
<tr>
<td colspan=2>
<input type="submit" value="Add New User" name="ion">
<input type="reset" value="Reset" name="B2">
</td>
</tr>
</table>
</form>
<?php
}

I've been using superglobals to get away from setting globals enabled in the ini file... As well, I use a combination of classes and POST.
I have designed my methodology around submitting to intermediate pages which are then header(location)-redirected to the page that they were just on... it's fast, efficient, and so far has been very secure....
I have, however, not got any malformed-string checks in place yet... working on that...
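An added example (not code from the thread) showing one way to carry the "Action" from ro's form between submissions without trusting a serialized string from the URL. Anything in the query string can be edited before the form is sent back, and PHP's manual warns against calling unserialize() on untrusted input; so here the action goes in a hidden field together with an HMAC keyed by a per-session secret, and the handler reads $_POST directly (no register_globals, no $GLOBALS), verifies the tag, then checks the action against a fixed list. It goes a little beyond the thread's code in that it also handles the submit. Assumed: PHP 7 or later, the file name adduser.php, a second action 'Delete User' to show the allowlist, and the name/email fields from ro's form.

```php
<?php
// Added example: signed "action" state between form submissions. Assumptions:
// PHP 7+, form path 'adduser.php', actions 'Add New User' and 'Delete User'.
session_start();

// A random per-session key. Whoever edits the hidden field cannot forge the
// tag without it; the key never leaves the server.
if (empty($_SESSION['form_key'])) {
    $_SESSION['form_key'] = bin2hex(random_bytes(32));
}

function sign_action($action, $key)
{
    return hash_hmac('sha256', $action, $key);
}

function esc($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function addusr_form($page)
{
    $action = 'Add New User';
    $tag    = sign_action($action, $_SESSION['form_key']);
?>
<form method="POST" action="<?php echo esc($page); ?>">
  <input type="hidden" name="action" value="<?php echo esc($action); ?>">
  <input type="hidden" name="tag"    value="<?php echo esc($tag); ?>">
  Full Name: <input type="text" name="name"><br>
  Email:     <input type="text" name="email"><br>
  <input type="submit" value="Add New User">
</form>
<?php
}

// Handler for the submitted form. Returns a message instead of acting so it
// can be exercised without a database behind it.
function handle_post(array $post, $key)
{
    $allowed = array('Add New User', 'Delete User');   // assumed action list

    $action = isset($post['action']) ? (string)$post['action'] : '';
    $tag    = isset($post['tag'])    ? (string)$post['tag']    : '';

    // hash_equals() compares in constant time; a plain == would leak timing
    // information about the expected tag.
    if (!hash_equals(sign_action($action, $key), $tag)) {
        return 'rejected: action tag does not verify';
    }
    if (!in_array($action, $allowed, true)) {
        return 'rejected: unknown action';
    }
    // The text fields still need their own allowlist checks.
    $name  = isset($post['name'])  ? trim((string)$post['name'])  : '';
    $email = isset($post['email']) ? trim((string)$post['email']) : '';
    if ($name === '' || strlen($name) > 40 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected: bad name or email';
    }
    return "would run '$action' for $name <$email>";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo esc(handle_post($_POST, $_SESSION['form_key'])), "\n";
} else {
    addusr_form('adduser.php');
}
```

The HMAC protects integrity only: the user can still read the action, so anything that must stay hidden belongs in $_SESSION instead, which is the route the earlier reply about sessions and POST describes. Either way the handler never needs register_globals, since every value comes from $_POST by name.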