Creating your own form.

Posted: Tue Jul 25, 2006 9:45 pm
by JellyFish
Okay, let's say there is a front-end and a back-end of this form. What I mean when I say front-end and back-end is that there are two pages: one is a form with text input fields for the client to input, and the other is a script that takes the information, parses it for errors and submits it to the database.

Now that you have the picture, I was wondering if it's possible for someone to create the front-end script on their own server. For instance:

Someone at google.com makes the two front and back-end scripts and uploads them to their server. They set the action attribute to equal "submitform.php".
Then someone at yahoo.com sees this and says "Mmm." then makes a front-end script, places it on their server, with the action attribute set to "http://www.google.com/submitform.php".

So you see what I am getting at?

So is this possible?

Posted: Tue Jul 25, 2006 9:46 pm
by Luke
yes... but most sites protect against it.

EDIT: Actually no they don't... but they should.

Posted: Tue Jul 25, 2006 9:54 pm
by feyd
Yeah, it's easily done and done a lot. So long as the destination follows the common sense of validation and verification, there's nothing to protect against further really.

Posted: Tue Jul 25, 2006 10:00 pm
by Luke
sites like mapquest probably expect it.

(Feyd: There are definitely cases where this would need to be protected against... ie: signing up a new user from another site... right?)

Posted: Tue Jul 25, 2006 10:07 pm
by Burrito
in cases where it would need to be protected against...you could do a challenge response.
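
A minimal sketch of the challenge-response idea mentioned in the post above, added here as an example and not code from any poster in this thread: the front-end page issues a random token and the back-end script only accepts a POST that echoes it. The function names, the `form_tokens` key and the 15-minute lifetime are assumptions, and `$session` stands in for `$_SESSION` so the script runs from the CLI.

```php
<?php
// Added example: one-time form token (a simple challenge-response).
// issue_form_token, check_form_token and 'form_tokens' are hypothetical names.

const TOKEN_TTL = 900; // assumed lifetime in seconds of an issued form

// Front-end page: create a random challenge, remember it server-side,
// and return it for embedding in a hidden <input> of the form.
function issue_form_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$token] = $now + TOKEN_TTL;
    return $token;
}

// Back-end script: accept the POST only if it echoes a challenge that
// this session was issued, that has not expired, and that is unused.
function check_form_token(array &$session, $submitted, int $now): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false; // a form built elsewhere has no token to send
    }
    foreach ($session['form_tokens'] ?? [] as $known => $expires) {
        if (hash_equals((string) $known, $submitted)) {
            unset($session['form_tokens'][$known]); // single use
            return $expires >= $now;
        }
    }
    return false;
}

// Constructed demo: $session plays the role of $_SESSION.
$session = [];
$now = time();
$token = issue_form_token($session, $now);

// The site's own form echoes the token back with the POST.
var_dump(check_form_token($session, $token, $now + 5));
// Replaying the same POST: the token was already consumed.
var_dump(check_form_token($session, $token, $now + 6));
// A front-end hosted on another server never received a token.
var_dump(check_form_token($session, null, $now + 7));
```

The token only ties a POST to a form this server handed out in the same session; a script that first fetches the form can still submit, so validation in the back-end script remains necessary.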

Posted: Tue Jul 25, 2006 10:08 pm
by JellyFish
Yeah, I agree with what ninja says. What if someone created a front-end that kinda floods the posts to the database? This is one of the reasons why Yahoo, Google, MSN and many sites put the picture thingy, that has the numbers and sometimes letters and vice versa, that requires you to submit the right description provided in the picture.

I might add that I meant a form using the post method, not get, 'cause I already know that with the get method you just simply add the right variables in the URL, such as Google's "q=yeahyeah", where I think the q stands for query, not sure.

Posted: Tue Jul 25, 2006 10:08 pm
by feyd
As I already said, so long as the destination performs the common sense of validation and verifications, there's little to protect against as there's little that would change for it. Now, if the page is improperly coded, which many likely are, you would need to be more worried.

Posted: Tue Jul 25, 2006 10:13 pm
by Luke
feyd - I just realized I mis-read your original post. :oops: