Pity can be easily faked...
Better to check you filter all incoming data to ensure your script only accepts data it expects to be sent (and delete anything else BEFORE you run the rest of your script). Then it doesn't really matter where it comes from...
Secure Logins
How can my script PROCESS data that it didn't expect to receive?
I mean, you don't usually contain something like this:
if (__contains_data_that_was_not_expected__ == "true") {
    process_data_that_was_not_expected();
}
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
You have code. It expects to use $_POST['username'] (we'll pretend nothing else).
Therefore you can logically assume any data that is not:
1) in POST
2) not a "username" key
3) not the data type of "username" (for simplicity say it's supposed to be alphanumeric)
4) not the maxlength of "username"
is invalid. So delete it. Point is to avoid any other data being used to exploit any weaknesses in design, etc.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
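The whitelist approach described in the post above, written out as an added example (not code from the thread or its author): only the keys the script expects survive, and only when they pass the declared type and length rules; everything else is thrown away before the rest of the script runs. The field names, rules and sample request are assumptions constructed for the example.

```php
<?php
// Added example: whitelist filtering of request data. Only the keys listed
// in $expected are kept, and only if their value matches the declared
// pattern and maximum length. Unexpected keys are dropped, not processed.

/**
 * Return a clean copy of $input containing only the expected keys whose
 * values pass the declared rules. Anything else is discarded.
 */
function filter_expected(array $input, array $expected): array
{
    $clean = [];
    foreach ($expected as $key => $rule) {
        if (!array_key_exists($key, $input) || !is_string($input[$key])) {
            continue; // missing, or an array instead of a scalar: treat as absent
        }
        $value = $input[$key];
        if (strlen($value) > $rule['maxlength']) {
            continue; // over the limit: discard rather than silently truncate
        }
        if (!preg_match($rule['pattern'], $value)) {
            continue; // wrong "data type" for this field
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Rules for the login form (assumed): username is alphanumeric, max 20 chars.
// The /D modifier stops $ from matching before a trailing newline.
$expected = [
    'username' => ['pattern' => '/^[A-Za-z0-9]+$/D', 'maxlength' => 20],
];

// Constructed sample request standing in for $_POST.
$request = [
    'username' => 'alice42',
    'admin'    => '1',    // unexpected key: dropped
    'debug'    => 'on',   // unexpected key: dropped
];

$data = filter_expected($request, $expected);
// $data is ['username' => 'alice42']; 'admin' and 'debug' never reach the script.

if (!isset($data['username'])) {
    http_response_code(400);
    exit('Invalid request');
}
// From here on, read from $data only, never from $_POST directly.
```

In a live script the call would be `filter_expected($_POST, $expected)`; the point is that the rest of the code only ever sees the filtered array.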