form security

Posted: Fri Oct 17, 2008 10:39 am
by toltmanns
Hey guys!

This is my first post so I don't know what to expect, here goes:

I have coded some simple php to transfer some hidden form data (a URL) on a PRODUCT LIST page to a link value on the REDIRECTION page (which explains that they are leaving the home site for a 3rd party reseller). The code is on a simple site; the link to another page is to an ecommerce page.

The code on the PRODUCT LIST page:

<form method="post" action="shopping.php">
<input name="item" value="http://happyurl.com" type="hidden" />
<input type="image" value="submitname" src="images/Buy.gif" alt="Buy product" name="image" />
</form>

The code on the REDIRECTION page:

-- in the head

<?php
// Validate the submitted URL before using it. ereg() is deprecated (removed in
// PHP 7), so use preg_match(); escape the dot and require the host to end at
// "/" or end of string so that only happyurl.com itself is accepted.
$temp = $_REQUEST['item'];
if (preg_match('#^http://happyurl\.com(/|$)#', $temp)) { $lunaurl = $temp; }
?>

-- in the body

To continue shopping please click <a href="<?php echo htmlspecialchars(isset($lunaurl) ? $lunaurl : 'http://mainurl.com', ENT_QUOTES, 'UTF-8'); ?>">here</a>.

I tried to use some code with sessions, but I am a new php programmer and couldn't get it to work. Basically, if the REDIRECTION page doesn't link to the right domain, it will link the anchor to the home page to combat any hacking.

What do you security junkies think of this method? It works, but is it secure?

Thanks so much!

-Troy R Oltmanns
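For comparison, an added example (not the poster's code, and not from this forum) that checks the submitted URL's scheme and host against an allowlist with parse_url() instead of matching a string prefix, and escapes the value before it goes into the href. The host names are the placeholders from the thread and the sample inputs are constructed.

```php
<?php
// Added example, not the poster's code: an allowlist check for the
// redirection page next to a naive prefix match. Host names are the
// placeholders from the thread; the sample inputs are constructed.
const ALLOWED_HOSTS = ['happyurl.com', 'www.happyurl.com'];
const FALLBACK_URL  = 'http://mainurl.com';

// Naive check: anchors only the start, so anything that merely begins
// with the prefix is accepted.
function prefixCheck(string $url): bool
{
    return preg_match('#^http://happyurl\.com#', $url) === 1;
}

// Allowlist check: parse the URL and compare scheme and host exactly.
function allowlistCheck(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // userinfo before the host is never legitimate here
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

// Link target for the page: the submitted URL if allowed, else the home page.
function safeTarget(string $submitted): string
{
    return allowlistCheck($submitted) ? $submitted : FALLBACK_URL;
}

// Constructed inputs: the real value plus two look-alikes the prefix check passes.
$samples = [
    'http://happyurl.com',
    'http://happyurl.com/products?id=7',
    'http://happyurl.com.example.net/',
    'http://happyurl.com@example.net/',
];
foreach ($samples as $s) {
    printf("%-38s prefix=%s allowlist=%s -> %s\n", $s,
        prefixCheck($s) ? 'pass' : 'fail',
        allowlistCheck($s) ? 'pass' : 'fail',
        htmlspecialchars(safeTarget($s), ENT_QUOTES, 'UTF-8'));
}
```

The last two samples pass the prefix check but fail the allowlist check and fall back to the home page, which is the behaviour the redirection page wants.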

Re: form security

Posted: Sat Oct 18, 2008 3:33 am
by onion2k
I don't see the point in it. Why pass "http://happyurl.com" into the redirection page at all? If you know it'll always be that value, which it must be else the regular expression will fail, just code "http://happyurl.com" into the body of the redirection page.