Are you processing forms with maximum security?
Posted: Sat Sep 28, 2002 2:47 am
by mr_griff
Just curious if anyone actually checks to make sure a form was posted from the page(s) you were expecting it to be posted from when processing form data?
For example, someone could view the source of your page with the form on it and manipulate the form tags to send unexpected data to the page that processes your form.
Posted: Sat Sep 28, 2002 3:04 am
by mydimension
I haven't, but that is a good point you make.
Posted: Sat Sep 28, 2002 3:22 am
by mr_griff
I first started doing this about a year ago after reading an article about people setting their own price for products by editing hidden variables that contained the product price for a PayPal add to shopping cart button.
Posted: Sat Sep 28, 2002 4:06 am
by volka
It depends.
Most of the time I don't care if the data was filled in on MY form, as long as the data is satisfactory and the requesting user was allowed to.
Posted: Sat Sep 28, 2002 12:22 pm
by Takuma
I always check it unless I need the script to execute fast... I like typing extra code.
Don't ask me why...
Posted: Sun Oct 06, 2002 10:12 pm
by Zoram
One question. How exactly do you check to make sure they are coming from the right page?
Posted: Sun Oct 06, 2002 10:39 pm
by mr_griff
The referring page can be checked using the $_SERVER["HTTP_REFERER"] variable.
Posted: Mon Oct 07, 2002 1:14 am
by Takuma
That's not very secure though, since you can edit the header with some browsers, although there isn't any secure way. I just use a regular expression and REFERER.
Posted: Mon Oct 07, 2002 6:44 am
by superwormy
`$_SERVER['HTTP_REFERER']` can be set on the client side, and some browsers will let you turn off the HTTP_REFERER header completely.
Any other way to check?
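Putting mr_griff's Referer check together with the objections raised above, here is an added example written for this thread (not code posted by anyone here): it treats the Referer as a weak hint only, ties the form to the session with a token, and validates the submitted data against a server-side catalog so an edited hidden price field is ignored. It assumes PHP 7 or later, a constructed catalog and host name, and that the page rendering the form stored a token in the session.

```php
<?php
// Added example for this thread, not a poster's code. Assumes PHP >= 7.
session_start();

// Constructed server-side catalog: the price never comes from the form.
$catalog      = ['widget' => 19.99, 'gadget' => 49.00];
$expectedHost = 'shop.example.com';   // constructed; the site's own host

// Step 1 (weak): the Referer check mr_griff describes. Browsers may omit it
// and clients can forge it, so a mismatch is only logged, never relied on.
$referer   = $_SERVER['HTTP_REFERER'] ?? '';
$refererOk = $referer !== ''
    && parse_url($referer, PHP_URL_HOST) === $expectedHost;

// Step 2 (stronger): a per-session token issued when the form was rendered.
// The form page is assumed to have done:
//   $_SESSION['form_token'] = bin2hex(random_bytes(16));
// and embedded it as <input type="hidden" name="token" value="...">.
$token   = $_POST['token'] ?? '';
$tokenOk = isset($_SESSION['form_token'])
    && hash_equals($_SESSION['form_token'], $token);
unset($_SESSION['form_token']);       // consumed on first use, valid or not

// Step 3: validate the data itself, regardless of where it came from.
$item = $_POST['item'] ?? '';
$qty  = filter_var($_POST['qty'] ?? '', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1, 'max_range' => 99]]);

if (!$tokenOk || !isset($catalog[$item]) || $qty === false) {
    http_response_code(400);
    exit('Rejected');
}
if (!$refererOk) {
    // Token was valid, so accept, but note the missing/odd Referer.
    error_log('Form accepted without matching Referer for item ' . $item);
}

// Price is looked up server-side; any "price" field in the POST is ignored.
$total = $catalog[$item] * $qty;
echo "Order accepted: $qty x $item = $total";
```

Any price or other sensitive value that must not be changed by the user should be recomputed from server-side data in this way rather than round-tripped through a hidden field.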
Posted: Mon Oct 07, 2002 7:14 am
by volka
what kind of security do you need?