Simple form security - will this work?
Posted: Wed Feb 06, 2008 9:54 pm
Hi all, I tried searching for a question like this but I couldn't find anything. I'm new to PHP and I hope to get a better understanding about this.
I found this page here: http://nyphp.org/phundamentals/spoofed_submission.php that suggests using a shared-secret method utilizing a hidden input field and sessions, and checking the POST variable against the session variable. I know that can prevent more advanced attacks (via telnet), but the user can still see the random key in the page's source.
Wouldn't it be better to just create my own key; place it in a session variable; on the processing page check to see if it's there and if it is the right key?
Like so:
form page:
<?php session_start();
$_SESSION['secret'] = "d8fjker98sdjkf8";
?>
Processing page:
<?php session_start();
if (isset($_SESSION['secret']) && $_SESSION['secret'] == "d8fjker98sdjkf8"):
    // process the form here
endif;
?>
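The hidden-field version from the linked nyphp.org article, written out as an added example: this is the editor's code, not the article's and not the poster's proposal, and it assumes PHP 7 or later (for random_bytes() and hash_equals()); the field name csrf_token and the target process.php are placeholders. The security point of the hidden field is that a forged submission from another site cannot carry it: the same-origin policy stops the attacker's page from reading the token out of the victim's copy of the form, and the token is random, so it cannot be guessed either. The user seeing their own token in the page source costs nothing, because that user already holds the session the token belongs to.

```php
<?php
// Added example (not from the nyphp.org article or the original post).
// Anti-spoofing token for a form: one random, per-session secret is kept in
// $_SESSION and echoed into a hidden field; a POST is accepted only when the
// hidden-field value matches the session copy.

declare(strict_types=1);
session_start();

// Create the secret once per session. random_bytes() is unpredictable, so
// an attacker cannot guess it; it does not need to be hidden from the user,
// who already owns the session this token is bound to.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the submitted value against the session copy. hash_equals() runs in
// constant time, so the token cannot be recovered byte by byte from timing.
function csrf_check($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Form page (GET): render the hidden field. Escape the token like any other
// value written into HTML. "process.php" is a placeholder target.
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="process.php">' . "\n"
         . '  <input type="hidden" name="csrf_token" value="' . $token . '">' . "\n"
         . '  <input type="text" name="comment">' . "\n"
         . '  <input type="submit" value="Post">' . "\n"
         . '</form>';
}

// Processing page (POST): reject the request unless the hidden field matches
// the session copy; only then touch the real form data.
function handle_post(array $post): string
{
    if (!csrf_check($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'Rejected: missing or mismatched form token.';
    }
    // Token accepted: handle the genuine submission here.
    $comment = htmlspecialchars((string)($post['comment'] ?? ''), ENT_QUOTES, 'UTF-8');
    return 'Accepted: ' . $comment;
}

echo ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    ? handle_post($_POST)
    : render_form();
```

A request that arrives with no csrf_token field, or with a value copied from some other user's session, fails csrf_check() and never reaches the processing code. Clearing $_SESSION['csrf_token'] after login (or after each accepted submission, if the form is only meant to be sent once) limits how long any one token stays valid.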