I would think you should be able to write a random string to a file when the
form page is accessed, and carry a variable with the action then have the
recipient compare. Presents other challenges but should give you that
comforting feeling he was looking for.


On Thu, 1 Mar 2001 [EMAIL PROTECTED] wrote:

> Date: Thu, 1 Mar 2001 16:18:08 MST
> From: [EMAIL PROTECTED]
> To: "Boget, Chris" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: [PHP] Munging hidden/form variables
> 
> Addressed to: "Boget, Chris" <[EMAIL PROTECTED]>
>               [EMAIL PROTECTED]
> 
> ** Reply to note from "Boget, Chris" <[EMAIL PROTECTED]> Thu, 1 Mar 2001 14:26:16 -0600
> >   
> > It is possible (I've done it) to find out all the variables
> > that make up a form on a particular site, generate a
> > similar form on your site with that form's action being
> > the CGI/PHP script that the particular site uses to process
> > the form once submitted, modify the values for the form
> > variables to be anything you want and submit the form
> > that resides on your site.  This will basically submit totally 
> > fabricated data to the foreign site and possibly screw them 
> > up somehow and/or in some way.
> >   
> > Is there any way to defend against this?  Is there any way
> > to ensure that when a form is submitted that the submission
> > request originated from your site/domain and not somewhere
> > else?
>   
> 
> No.  There is no way to tell a clever programmer from a live human on
> the other end of an Internet connection.  You may be able to make it
> harder, say making sure your form page is hit before the results are
> returned, but that is easy to defeat.
> 
> Rick Widmer
> Internet Marketing Specialists
> http://www.developersdesk.com
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 

Kelly

303-444-1671
Boulder, Colorado
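The file-backed one-time form token Kelly sketches above, written out as an added example (not code from the thread); the directory, TTL and function names are assumptions:

```php
<?php
// Added example, not code from the thread: the file-backed one-time form
// token Kelly proposes. Directory, TTL and function names are assumptions.
declare(strict_types=1);

const TOKEN_DIR = '/tmp/form-tokens'; // assumed writable only by the web server user
const TOKEN_TTL = 900;                // seconds a token stays valid

// Called when the form page is rendered: mint a random token, record it
// server-side, and return it for embedding as a hidden field.
function issue_form_token(): string
{
    if (!is_dir(TOKEN_DIR) && !mkdir(TOKEN_DIR, 0700, true)) {
        throw new RuntimeException('cannot create token store');
    }
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    // The token is pure hex, so using it as a filename is safe; the file
    // contents record when it was issued.
    file_put_contents(TOKEN_DIR . '/' . $token, (string) time(), LOCK_EX);
    return $token;
}

// Called by the action script: accept the submission only if the token was
// issued by us, is unexpired and has not been used. The file is unlinked
// before the decision so the same token cannot be replayed concurrently.
function consume_form_token(string $submitted): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $submitted)) {
        return false;                             // not something we issued
    }
    $path = TOKEN_DIR . '/' . $submitted;
    $issued = @file_get_contents($path);
    if ($issued === false || !@unlink($path)) {
        return false;                             // unknown or already used
    }
    return (time() - (int) $issued) <= TOKEN_TTL;
}

// Form page:
//   $t = issue_form_token();
//   echo '<input type="hidden" name="form_token" value="' . htmlspecialchars($t) . '">';
// Action script, before touching any other field:
//   if (!consume_form_token($_POST['form_token'] ?? '')) { http_response_code(403); exit; }
```

As Rick notes, this only proves the form page was fetched shortly before the submission and blocks replay of a captured token; binding the token to the visitor's session cookie is the usual refinement.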


