Are you processing forms with maximum security?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

mr_griff
Forum Commoner
Posts: 64
Joined: Tue Sep 17, 2002 11:11 am
Location: Bozeman, Montana

Are you processing forms with maximum security?

Post by mr_griff »

Just curious if anyone actually checks to make sure a form was posted from the page(s) you were expecting it to be posted from when processing form data?

For example, someone could view the source of your page with the form on it and manipulate the form tags to send unexpected data to the page that processes your form.
mydimension
Moderator
Posts: 531
Joined: Tue Apr 23, 2002 6:00 pm
Location: Lowell, MA USA

Post by mydimension »

I haven't, but that is a good point you make.
mr_griff
Forum Commoner
Posts: 64
Joined: Tue Sep 17, 2002 11:11 am
Location: Bozeman, Montana

Post by mr_griff »

I first started doing this about a year ago after reading an article about people setting their own price for products by editing hidden variables that contained the product price for a PayPal add to shopping cart button.
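The hidden-price problem described in the post above, as an added example that is not code from the thread: a handler that trusts a hidden price field next to one that takes only a product id and quantity from the client and looks the price up server-side. CATALOGUE stands in for a database, and the request arrays are constructed to mimic $_POST from a form whose source was edited.

```php
<?php
// Added example (not from the thread): the hidden-price problem the post
// above describes, with the vulnerable handler next to the hardened one.
// CATALOGUE stands in for a database lookup; the request arrays below are
// constructed to mimic $_POST from a tampered form.

const CATALOGUE = [
    'widget-a' => ['name' => 'Widget A', 'price_cents' => 1999],
    'widget-b' => ['name' => 'Widget B', 'price_cents' => 4900],
];

// Vulnerable: the total is computed from a hidden <input name="price">.
// Anyone who views the source can change that value before submitting.
function totalFromHiddenField(array $post): ?int
{
    if (!isset($post['price'], $post['qty'])) {
        return null;
    }
    return (int) $post['price'] * (int) $post['qty'];
}

// Hardened: the client supplies only a product id and a quantity, both are
// validated strictly, and the price comes from the server-side catalogue.
function totalFromCatalogue(array $post): ?int
{
    $id  = $post['product_id'] ?? null;
    $qty = $post['qty'] ?? null;

    // $_POST values may be arrays ("qty[]=1"), so check the type explicitly,
    // and require an exact catalogue key (no trimming, no case folding).
    if (!is_string($id) || !array_key_exists($id, CATALOGUE)) {
        return null;
    }
    // Quantity: a positive decimal integer of at most three digits.
    if (!is_string($qty) || !preg_match('/^[1-9][0-9]{0,2}$/', $qty)) {
        return null;
    }
    return CATALOGUE[$id]['price_cents'] * (int) $qty;
}

// Constructed request: the user kept product_id but edited the hidden price.
$tampered = ['product_id' => 'widget-b', 'price' => '1', 'qty' => '3'];

// The vulnerable handler charges whatever the attacker typed; the hardened
// one charges the catalogue price, and rejects unknown products outright.
var_dump(totalFromHiddenField($tampered));
var_dump(totalFromCatalogue($tampered));
var_dump(totalFromCatalogue(['product_id' => 'widget-z', 'qty' => '1']));
```

The general rule the example follows: anything that affects money or authorization (price, discount, account id, role) never travels through the form at all, only an opaque key the server resolves itself. Checking which page the form came from does not fix this class of bug, because the tampered submission comes from the right page.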
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

It depends.
Most of the time I don't care whether the data was filled in via MY form, as long as the data is satisfactory and the requesting user was allowed to submit it.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

I always check it unless I need the script to execute fast... I like typing extra code :lol:

Don't ask me why...
Zoram
Forum Contributor
Posts: 166
Joined: Sun Aug 18, 2002 3:28 pm
Location: Utah

Post by Zoram »

One question. How exactly do you check to make sure they are coming from the right page?
mr_griff
Forum Commoner
Posts: 64
Joined: Tue Sep 17, 2002 11:11 am
Location: Bozeman, Montana

Post by mr_griff »

The referring page can be checked using the $_SERVER["HTTP_REFERER"] variable.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

That's not very secure though, since you can edit the header with some browsers, although there isn't any secure way. I just use a regular expression and REFERER.
superwormy
Forum Commoner
Posts: 67
Joined: Fri Oct 04, 2002 9:25 am
Location: CT

Post by superwormy »

$_SERVER["HTTP_REFERER"] can be set on the client side, and some browsers will let you turn off the HTTP_REFERER variable completely.

Any other way to check?
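An added example, not code posted by anyone in the thread, putting the two approaches side by side: the $_SERVER["HTTP_REFERER"] check discussed above, and a per-session one-time token embedded in the form as a hidden field, which is the usual answer to "any other way to check?". The hostname shop.example, the $session array standing in for $_SESSION, and the three request arrays are all constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Two ways to tie a submission to the
// form that was served: the Referer check discussed above, and a one-time
// token bound to the session. $session stands in for $_SESSION; the
// hostname and the request arrays are constructed.

// Referer check: accept only if the Referer header's host matches ours.
function refererLooksRight(array $server, string $expectedHost): bool
{
    $ref = $server['HTTP_REFERER'] ?? '';
    if (!is_string($ref) || $ref === '') {
        return false;   // header missing: browser setting, proxy, or stripped
    }
    $host = parse_url($ref, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Token: generated when the form is rendered, remembered in the session,
// and emitted as <input type="hidden" name="form_token" value="...">.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][] = ['token' => $token, 'issued' => time()];
    return $token;
}

// On submission the token must exist in the session, be unexpired, and be
// compared in constant time. It is removed once used so it cannot be replayed.
function consumeFormToken(array &$session, array $post, int $maxAge = 3600): bool
{
    $submitted = $post['form_token'] ?? null;
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    $now = time();
    foreach ($session['form_tokens'] ?? [] as $i => $entry) {
        if ($now - $entry['issued'] > $maxAge) {
            unset($session['form_tokens'][$i]);   // expired: drop it
            continue;
        }
        if (hash_equals($entry['token'], $submitted)) {
            unset($session['form_tokens'][$i]);   // one use only
            return true;
        }
    }
    return false;
}

// --- constructed requests -------------------------------------------------
$host    = 'shop.example';      // assumed hostname of the page serving the form
$session = [];
$token   = issueFormToken($session);

// 1. Genuine submission from our page: both checks pass.
$server1 = ['HTTP_REFERER' => "https://$host/order.php"];
$post1   = ['form_token' => $token, 'qty' => '2'];

// 2. Forged request with a hand-written Referer and no token: the Referer
//    check is fooled, the token check is not.
$server2 = ['HTTP_REFERER' => "https://$host/order.php"];
$post2   = ['qty' => '2'];

// 3. Genuine user whose browser suppresses Referer, submitting a form that
//    was rendered a second time (hence a second token): the Referer check
//    wrongly rejects them, the token check still accepts.
$server3 = [];
$post3   = ['form_token' => issueFormToken($session), 'qty' => '2'];

foreach ([[$server1, $post1], [$server2, $post2], [$server3, $post3]] as $n => [$server, $post]) {
    printf("request %d: referer=%s token=%s\n",
        $n + 1,
        refererLooksRight($server, $host) ? 'ok' : 'REJECT',
        consumeFormToken($session, $post) ? 'ok' : 'REJECT');
}
```

The token is only as strong as the session it lives in, so it has to be generated with random_bytes() (not rand() or uniqid()) and compared with hash_equals() rather than ==. It proves the submitter was served the form in this session; it does not validate the field values themselves, which still need their own checks.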
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

what kind of security do you need?