Ways of maintaining HTTP state without sessions or cookies
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
crazytopu wrote: Does hidden HTML have any serious security issue just like query strings have?
Yes, it does. It is just as easy to view source, edit the HTML and use the same form action as what you have. I can edit your form fields and values without your knowledge, so you need to protect against it.
The nature of HTTP and the stateless condition of web servers is something that is not going to fit well into what you are being tasked to do.
Hockey wrote: Why wouldn't you just use SESSIONS though?
I don't use them because they stuff up my tmp dir... and my tmp dir is a RAM disk.
We basically use a hand rolled sessions system though. A hash is sent as a cookie, it corresponds to a key in mysql. This way a session works in a mixed environment. A RoR app can access your session information the same as a php script. It also gives us the ability to delete your session from an admin panel and force a log out.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Ahem. session_set_save_handler() - i.e. database sessions...
feyd wrote: Ahem. session_set_save_handler() - i.e. database sessions...
The write callback is called after object destruction, so you can't use PEAR::DB, PEAR::MDB or PDO to connect to the database.
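The database-backed session design described above (an opaque id in the cookie, the state in MySQL, an admin able to delete the row to force a log-out), as an added example rather than code from any poster, written against PHP 8's SessionHandlerInterface; the DSN, credentials and table layout are assumptions.

```php
<?php
// Added example (PHP 8), not the hand-rolled system described above nor feyd's
// code: the same design on top of session_set_save_handler(). The browser
// holds only an opaque session id cookie, the state lives in MySQL, and an
// admin forces a log-out by deleting that row. DSN, credentials and table are
// constructed placeholders; assumed table:
//   sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, last_seen INT UNSIGNED)
declare(strict_types=1);
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;   // '' = no such session
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('INSERT INTO sessions (id, data, last_seen)
            VALUES (?, ?, ?) ON DUPLICATE KEY UPDATE data = VALUES(data),
            last_seen = VALUES(last_seen)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool   // also what "force log-out" does
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_seen < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// true registers session_write_close() as a shutdown function, so write()
// runs before PHP destroys $pdo (the ordering problem raised in the reply above).
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();
$_SESSION['user_id'] = 42;   // kept in the sessions table, not in the browser
```

Because the only thing the client holds is the id, editing the page source changes nothing server-side; a row deleted from the sessions table invalidates that login on the next request.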
crazytopu
- Forum Contributor
- Posts: 259
- Joined: Fri Nov 07, 2003 12:43 pm
- Location: London, UK
The summary of one of the online articles I read last night says:
Even though they are called hidden, in fact, HTML "hidden" fields are not hidden and not secure. Users can see them simply by viewing the HTML source code of the page in their browser and it's easy for a user to change the hidden field value. All they have to do is save the HTML form onto their computer, edit the HTML, then re-submit the form.
I simply don't understand how this is possible. For example, if it is a PHP based site, how can a user change the value of the hidden field (which is an HTML page and nothing else) and run that form on the server? So, let's say I have a hidden field called $bookTitle, which I am passing from one page to the other. I am using a PHP variable to catch the value when the form is being submitted and use that variable to store the bookTitle in the database.
Now, even if a user sees the hidden field value, say, "Database Design", how would they change the title and send "Learn TCP/IP in 24 Hours" to the next page when the page is being submitted (obviously, this form resides on the server, whereas the user can just change the value in their local machine in the HTML file)?
Anyone knows?
[s]U[/s] You can just save the form, edit the fields that [s]u[/s] you want edited, and add between the head tags of the source
<base href="url of the form">
or, if [s]u[/s] you want it server side, use curl and it's done.
[url=http://forums.devnetwork.net/viewtopic.php?t=30037]Forum Rules[/url] Section 1.1 wrote: 11. Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.
Some examples of what not to do are ne1, any1 (anyone); u (you); ur (your or you're); 2 (to too); prolly (probably); afaik (as far as I know); etc.
crazytopu wrote: I simply don't understand how this is possible. For example, if it is a PHP based site, how can a user change the value of the hidden field (which is an HTML page and nothing else) and run that form on the server? So, let's say I have a hidden field called $bookTitle, which I am passing from one page to the other. I am using a PHP variable to catch the value when the form is being submitted and use that variable to store the bookTitle in the database.
Now, even if a user sees the hidden field value, say, "Database Design", how would they change the title and send "Learn TCP/IP in 24 Hours" to the next page when the page is being submitted (obviously, this form resides on the server, whereas the user can just change the value in their local machine in the HTML file)?
Anyone knows?
Can't understand what you mean ...
You can always substitute your hidden fields with "<input type='text'>" ... it will be absolutely the same to the server.
There are 10 types of people in this world, those who understand binary and those who don't
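A server-side check for the hidden-field problem this thread discusses, added here as an example and not something any poster wrote: since the server cannot tell a hidden input from a text input, state that must travel through the form is authenticated with an HMAC before action.php trusts it. SECRET_KEY and the state layout are assumptions.

```php
<?php
// Added example, not code from the thread. The state carried in a hidden
// field is client-editable (as shown above), so the server authenticates it
// with an HMAC before trusting it. SECRET_KEY is a constructed placeholder.
declare(strict_types=1);

const SECRET_KEY = 'replace-with-a-long-random-secret-kept-only-on-the-server';

// Page 1: pack the state and attach an HMAC over the packed bytes.
function packState(array $state): string
{
    $payload = base64_encode(json_encode($state, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Page 2 (action.php): verify the MAC in constant time before decoding.
// Returns null on any tampering; the caller must reject the submission then.
function unpackState(string $field): ?array
{
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $mac)) {
        return null;
    }
    $state = json_decode(base64_decode($payload, true), true);
    return is_array($state) ? $state : null;
}

// What page 1 emits instead of separate bookTitle/price hidden inputs.
$field = packState(['bookTitle' => 'Database Design', 'price' => 3999]);
echo '<input type="hidden" name="state" value="'
    . htmlspecialchars($field, ENT_QUOTES) . '">', PHP_EOL;

// Unmodified submission: accepted, price comes back as 3999.
var_dump(unpackState($field)['price']);

// Submission edited locally as the thread describes: new payload, old MAC.
// Without SECRET_KEY the MAC cannot be recomputed, so it is rejected (NULL).
[, $origMac] = explode('.', $field, 2);
$editedPayload = base64_encode(json_encode(
    ['bookTitle' => 'Learn TCP/IP in 24 Hours', 'price' => 1]
));
var_dump(unpackState($editedPayload . '.' . $origMac));
```

The MAC proves the server issued that state, not that it is fresh; if re-submitting an old but validly signed form matters, put an expiry timestamp inside the state and check it in unpackState().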
crazytopu
- Forum Contributor
- Posts: 259
- Joined: Fri Nov 07, 2003 12:43 pm
- Location: London, UK
Sorry, maybe I could not explain it clearly.
Say,
<form name="test" action="action.php" method="POST">
this form has a hidden value called price.
Now, if I save this page on my local machine, change the price value to something else, and in the action parameter type the full URL instead of just the PHP file:
<form name="test" action="http://www.action.com/action.php" method="POST">
will it work? Is it that simple?
feyd wrote: If you use Firefox and install the Web Developer add-on you can edit any form field with a couple of clicks in the menus.
Best add-on - ever!!
I like the HTML Validator, too.
Check it out here:
http://users.skynet.be/mgueury/mozilla/