The source of the POST
Posted: Sat Nov 04, 2006 9:45 pm
by SGMH
Hi,
I hope you are having a good day.
When we have PHP code that depends on information from POST, I know I can always check the variables and make sure that they are safe to use in my SQL query. The thing is, how can I make sure that this information is from the source that I want and not from any other place?
I mean that the variables are sent from the page that I want, not from any other page, because from what I know anyone can design a page that does the POST to my PHP (if he knows the variables).
Thanks

Posted: Sat Nov 04, 2006 10:01 pm
by SGMH
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
It would be great if you could have a look at my code too.
```php
<?php
// Every value comes from the POST body, so each one is checked before use.
// Array keys are quoted ($_POST['ccname']): the unquoted form is an error in
// current PHP. A field that is missing from the request fails its check.
// is_numeric() never accepts quotes or backslashes, which is why interpolating
// these values into the single-quoted SQL literals below is safe; a prepared
// statement would still be the more robust choice.

//-------------------------------------- check that the whole value is numeric and at most 32 characters long
// The complete value is tested, not just substr(..., 0, 32): checking only a
// 32-character prefix would let anything after it straight into the query.
if ( isset($_POST['ccname']) && is_string($_POST['ccname'])
     && strlen($_POST['ccname']) <= 32 && is_numeric($_POST['ccname']) )
{
    $ccname = $_POST['ccname'];
} else {
    die('');
}
//-------------------------------------- check if this variable is a number
if ( isset($_POST['ddnumber']) && is_numeric($_POST['ddnumber']) )
{
    $ddnumber = $_POST['ddnumber'];
} else {
    die('');
}
//-------------------------------------- check if this variable is a number
if ( isset($_POST['fsize']) && is_numeric($_POST['fsize']) )
{
    $fsize = $_POST['fsize'];
} else {
    die('');
}
//-------------------------------------- address the request came from (not attacker-controlled like the POST body)
$ipouploader = $_SERVER['REMOTE_ADDR'];
//-------------------------------------- connect; the mysql_* functions were removed in PHP 7, mysqli_* is the procedural replacement
$con = mysqli_connect("localhost", "*****", "*****", "*****");
if (!$con)
{
    //die('Could not connect: ' . mysqli_connect_error());
    die('');
}
$nowdate = date("Y/m/d");
$sql = "INSERT INTO Files (ccname, ddnumber, fsize, ipouploader, date)
VALUES
('$ccname','$ddnumber','$fsize','$ipouploader','$nowdate')";
if (!mysqli_query($con, $sql))
{
    //die('Error: ' . mysqli_error($con));
    die('');
}
echo "Done";
mysqli_close($con);
?>
```
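The handler above validates with is_numeric() and then interpolates the values into the SQL text. As an added example (not SGMH's code, and not something posted in the thread), here is the same INSERT written so that the values never become part of the SQL at all: each field is checked against an explicit rule (digits only and a whole-value length limit for ccname, non-negative integers for ddnumber and fsize) and then bound to a prepared statement. The table and column names follow the post; the DSN, credentials and the function names validate_upload_fields / insert_file_record are this example's own placeholders.

```php
<?php
// Added example: validation plus a prepared statement for the Files INSERT.
// Table/column names are from the post; DSN, credentials and function names
// are placeholders chosen for this example.
declare(strict_types=1);

// Return the validated fields, or null if any field fails its rule.
function validate_upload_fields(array $post): ?array
{
    $ccname   = $post['ccname']   ?? '';
    $ddnumber = $post['ddnumber'] ?? '';
    $fsize    = $post['fsize']    ?? '';

    // ccname: digits only, 1..32 characters. ctype_digit() rejects the signs,
    // spaces and exponents that is_numeric() accepts, and the length check
    // covers the whole value rather than a 32-character prefix.
    if (!is_string($ccname) || $ccname === '' || strlen($ccname) > 32 || !ctype_digit($ccname)) {
        return null;
    }
    // ddnumber and fsize: non-negative integers within PHP's int range.
    // filter_var() returns false for anything else, including arrays.
    $ddnumber = filter_var($ddnumber, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $fsize    = filter_var($fsize,    FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($ddnumber === false || $fsize === false) {
        return null;
    }
    return ['ccname' => $ccname, 'ddnumber' => $ddnumber, 'fsize' => $fsize];
}

// Insert one validated row; the values travel as bound parameters, so no
// quoting or escaping of the SQL text is involved. Returns true on success.
function insert_file_record(PDO $db, array $fields, string $uploaderIp): bool
{
    $stmt = $db->prepare(
        'INSERT INTO Files (ccname, ddnumber, fsize, ipouploader, date)
         VALUES (:ccname, :ddnumber, :fsize, :ip, :date)'
    );
    return $stmt->execute([
        ':ccname'   => $fields['ccname'],
        ':ddnumber' => $fields['ddnumber'],
        ':fsize'    => $fields['fsize'],
        ':ip'       => $uploaderIp,
        ':date'     => date('Y/m/d'),   // same format the post stores
    ]);
}

// Only act on a POST; anything else gets nothing back.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $fields = validate_upload_fields($_POST);
    if ($fields === null) {
        http_response_code(400);
        exit;
    }
    // Placeholder DSN and credentials. ERRMODE_EXCEPTION turns database
    // errors into exceptions instead of silent false returns.
    $db = new PDO('mysql:host=localhost;dbname=*****', '*****', '*****', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    if (insert_file_record($db, $fields, $_SERVER['REMOTE_ADDR'])) {
        echo 'Done';
    }
}
```

With the values bound rather than interpolated, the validation rules can be chosen for what the application actually needs (a 32-digit identifier, a size in bytes) instead of for what happens to be safe inside a quoted SQL literal.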
Posted: Sat Nov 04, 2006 10:20 pm
by SGMH
Sorry about that, I was just fixing it but you were one step ahead.
Thanks for your help.
Re: The source of the POST
Posted: Sat Nov 04, 2006 10:22 pm
by timvw
SGMH wrote: the thing is, how can I make sure that this information is from the source that I want and not from any other place?
You simply can't, as HTTP has no knowledge of a 'source page'...
(You could add a 'unique id' to each form. This way, when you process a request, you can verify whether the token is present. Unless the user has visited that specific page, he can't have the token. But this system would suffer the same vulnerabilities a session system has, so you might want to do some investigation first...)
Posted: Sat Nov 04, 2006 10:59 pm
by SGMH
A small thing to add: the variables I have are being POSTed from a piece of software (VB6).
Thanks timvw for your help. I will look into sessions, and I will look into how to do that while posting from the software.
What if I have an upload form? How can I protect it so people won't be able to design a page that could use my form to upload from their site? That just seems too fragile.
If anybody has a hint I will be grateful.
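timvw's suggestion of a 'unique id' per form, which also answers the upload-form question in the last post, works like this: a random token is generated when the form page is served, stored in the visitor's server-side session, and printed into the form as a hidden field; the handler accepts the POST only if the submitted token matches the one in the session. A page on another site cannot obtain the token, because it is tied to this visitor's session cookie. The following is an added example of that scheme, not code from the thread; the function and field names (issue_form_token, check_form_token, form_token) and the form layout are this example's own choices.

```php
<?php
// Added example: per-form session-bound token, as timvw describes.
// Names (issue_form_token, check_form_token, form_token) are this example's own.
declare(strict_types=1);
session_start();

// Create a fresh token for the named form and remember it in the session.
function issue_form_token(string $formName): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['form_token'][$formName] = $token;
    return $token;
}

// Check a submitted token. Each token is accepted once and then discarded,
// so a captured token cannot be replayed for a second submission.
function check_form_token(string $formName, ?string $submitted): bool
{
    $expected = $_SESSION['form_token'][$formName] ?? null;
    unset($_SESSION['form_token'][$formName]);   // one-shot
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token('upload', $_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Token is good: the request came from a form this server issued to this
    // session. Validate $_FILES / $_POST and process the upload here.
    echo 'Upload accepted';
    exit;
}

// GET: render the form with a freshly issued token in a hidden field.
$token = htmlspecialchars(issue_form_token('upload'), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" enctype="multipart/form-data" action="">
  <input type="hidden" name="form_token" value="{$token}">
  <input type="file" name="upload">
  <button type="submit">Upload</button>
</form>
HTML;
```

A client that is not a browser, such as the VB6 program mentioned in the thread, has to do the same two steps a browser does: GET the form page, keep the session cookie it receives, and send that cookie together with the token in its POST. Note timvw's caveat: the check is only as strong as the session, since anyone who holds the session cookie can request a token and submit it; what it rules out is a form hosted elsewhere posting into this handler without first obtaining a token from it.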