Here is what I do, it may not be the best way (feyd probably knows the best way to do damn near everything, respectfully), but it works. I add a hidden form field. In this case I would handle it like so name="login_attempted" value="TRUE", then I would look for $login_attempted to be true like so...
To be more truthful, I am sort of paranoid, and what I would do in real life is have the hidden form be name="login_attempted" value="1" and cast the value of $login_attempted to an integer before checking it like so...
<?php
// Guard with isset() so a plain GET (no POST data) does not raise an undefined-index notice;
// the (int) cast then turns anything non-numeric into 0.
$login_attempted = isset($_POST['login_attempted']) ? (int) $_POST['login_attempted'] : 0;
if ($login_attempted == 1)
{
// Login has been attempted
} else {
// Show form
}
?>
You probably do not need to do this, but I find it to be a good practice. I am not an expert mind you, but I do have a certain talent at breaking things when asked to test to break. Confining user input to small integers whenever possible seems to me to be a good step towards writing more secure scripts.
and send that to my PHP, with your code added?? Is that the gist of it??
Thanks guys
P.S. You know, you're right, that is more secure, because if I didn't use that, the user could do a little something, change a little something else, and send SQL queries to my DB. With that addition, it will add to the SQL string, thus rendering it useless; plus, without it the script will become useless as well... good idea
lolpix wrote:To be more truthful, I am sort of paranoid, and what I would do in real life is have the hidden form be name="login_attempted" value="1" and cast the value of $login_attempted to an integer before checking it like so...
<?php
// Guard with isset() so a plain GET (no POST data) does not raise an undefined-index notice;
// the (int) cast then turns anything non-numeric into 0.
$login_attempted = isset($_POST['login_attempted']) ? (int) $_POST['login_attempted'] : 0;
if ($login_attempted == 1)
{
// Login has been attempted
} else {
// Show form
}
?>
You probably do not need to do this, but I find it to be a good practice. I am not an expert mind you, but I do have a certain talent at breaking things when asked to test to break. Confining user input to small integers whenever possible seems to me to be a good step towards writing more secure scripts.
and that makes it harder for me to copy and paste your form onto my site and then add malicious things to it.... why?
if($var == TRUE)
if((int)$var == 1)
Doesn't really change anything.
Good point, the only thing it does ensure is that whatever $var is, is now an integer. We could test for === but that still does not ensure anything. But in this case all we are checking for is that the form has been submitted, not that it has been validated. In this case it is probably not all that helpful, as I think I noted. But it still seems to me to be a good habit in general, because casting a variable to an integer or absolute value strips out any lexicographical content.
So far my original method seems to be more secure; SQL injections aren't any good, since the script which queries the DB will not parse unless the page has indeed been submitted first.. agreed???
Checking to see if the form is submitted doesn't check security, it's just a way to display/process when needed..
mysql_escape_string, on the other hand, does.
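As an added example (my code, not anything posted in this thread), the following script puts both points side by side: lolpix's (int) cast on the hidden field, which tells the script only that the form was posted, and the last reply's point that the database query must be made safe on its own, whether or not that check passed. It assumes a PHP CLI with the pdo_sqlite extension, uses an in-memory SQLite table as a stand-in for the poster's MySQL database, and substitutes PDO prepared statements for mysql_escape_string(), which was removed in PHP 7. The $post array, the users table and the user "o'brien" are constructed here for the demonstration.

```php
<?php
// Added example, not code from the thread. (1) the (int) cast on the hidden field
// only answers "was the form posted?"; (2) the login lookup is safe because the
// username is bound as a parameter, not because of that check.
// PDO prepared statements stand in for mysql_escape_string() (removed in PHP 7).

function form_submitted(array $post): bool
{
    // The cast strips non-numeric content: "1", "1abc" -> 1; "TRUE", "" -> 0.
    $attempted = isset($post['login_attempted']) ? (int) $post['login_attempted'] : 0;
    return $attempted === 1;
}

function make_db(): PDO
{
    // In-memory SQLite table constructed for this example (assumes pdo_sqlite).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $ins->execute([':u' => "o'brien", ':h' => password_hash('hunter2', PASSWORD_DEFAULT)]);
    return $db;
}

// UNSAFE: builds the SQL by string concatenation. Even a legitimate username that
// contains a quote ("o'brien") breaks the statement, and the hidden-field check
// does nothing to prevent user input from becoming part of the SQL text.
function unsafe_lookup(PDO $db, string $username): ?array
{
    $sql = "SELECT id, pw_hash FROM users WHERE username = '" . $username . "'";
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        echo "unsafe_lookup failed: " . $e->getMessage() . "\n";
        return null;
    }
}

// SAFE: the username travels as a bound parameter and is never parsed as SQL.
function safe_lookup(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, array $post): string
{
    if (!form_submitted($post)) {
        return 'show form';            // nothing posted yet: render the form
    }
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';
    $row = safe_lookup($db, $username);
    if ($row !== null && password_verify($password, $row['pw_hash'])) {
        return 'login ok for user ' . $row['id'];
    }
    return 'login failed';
}

// Constructed stand-in for $_POST so the script runs from the command line.
$post = ['login_attempted' => '1', 'username' => "o'brien", 'password' => 'hunter2'];
$db = make_db();

var_dump(form_submitted(['login_attempted' => '1abc']));   // bool(true): "abc" dropped by the cast
var_dump(form_submitted(['login_attempted' => 'TRUE']));   // bool(false): non-numeric string -> 0
var_dump(unsafe_lookup($db, $post['username']));           // NULL, after a syntax error is reported
var_dump(safe_lookup($db, $post['username']) !== null);    // bool(true): the quote is handled
echo login($db, $post), "\n";                                // login ok for user 1
```

Run it with `php login_example.php`. The hidden-field cast decides only which branch runs (form or processing); the query stays safe in the processing branch because the value from the form never reaches the SQL parser as text, which is the same property mysql_escape_string was meant to provide for the original code.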