Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
When we have PHP code that depends on information from POST, I know I can always do a check of the variables and make sure that they are safe to apply in my SQL query. The thing is, how can I make sure that this information is from the source that I want, not from any other place?
I mean that the variables are sent from the page that I want, not any other page, because from what I know anyone can design a page that does the POST to my PHP (if he knows the variables).
Thanks
Last edited by SGMH on Sat Nov 04, 2006 10:24 pm, edited 1 time in total.
and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
It will be great if you can have a look at my code too.
Last edited by SGMH on Sat Nov 04, 2006 10:46 pm, edited 1 time in total.
SGMH wrote: the thing is how can I make sure that this information is from the source that I want not from any other place
You simply can't, as HTTP has no knowledge of 'source page'...
(You could add a 'unique id' to each form... This way, when you process a request you can verify if the token is present. Unless the user has visited that specific page he can't have the token... but this system would suffer the same vulnerabilities a session system has. So you might want to do some investigation first...)
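The 'unique id' per form suggested in the reply above, as an added example that is not part of the original thread: a random, single-use token stored in the session when the form is served and checked when it is processed. The function names, the `form_token` field name, the `upload` form id and the 15-minute lifetime are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (names are assumptions, not from the thread).
// $session is passed by reference: hand in $_SESSION after session_start()
// in a web request; a plain array lets the constructed demo run from the CLI.

function issue_form_token(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32));            // unguessable, from the CSPRNG
    $session['form_tokens'][$formId] = ['value' => $token, 'issued' => time()];
    return $token;                                 // goes into a hidden <input>
}

function verify_form_token(array &$session, string $formId, $submitted, int $maxAge = 900): bool
{
    $stored = $session['form_tokens'][$formId] ?? null;
    unset($session['form_tokens'][$formId]);       // single use, whether it passes or fails
    if ($stored === null || !is_string($submitted)) {
        return false;                              // form never served, or field missing / not a string
    }
    if (time() - $stored['issued'] > $maxAge) {
        return false;                              // form was served too long ago
    }
    return hash_equals($stored['value'], $submitted); // constant-time comparison
}

// Constructed demo: one visitor's session and three submissions.
$session = [];
$token = issue_form_token($session, 'upload');
echo '<input type="hidden" name="form_token" value="'
    . htmlspecialchars($token, ENT_QUOTES) . '">' . "\n";

$post = ['form_token' => $token];                  // constructed stand-in for $_POST
var_dump(verify_form_token($session, 'upload', $post['form_token'] ?? null)); // first submission
var_dump(verify_form_token($session, 'upload', $post['form_token'] ?? null)); // same token again
issue_form_token($session, 'upload');              // form served again, fresh token
var_dump(verify_form_token($session, 'upload', str_repeat('0', 64)));        // value not from the form
```

The check only shows that the submitter fetched the form within the same session. A client that requests the form first and then posts still passes, which is the session-level limitation the reply mentions.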
Small thing to add: the variables I have are being POSTed from software (VB6).
Thanks timvw for your help. I will look into sessions, and I will look into how to do that while posting from the software.
What if I have an upload form? How can I protect it so people won't be able to design a page that could use my form to upload from their site? That just seems too fragile.