From: "Boget, Chris" <[EMAIL PROTECTED]>
> It is possible (I've done it) to find out all the variables
> that make up a form on a particular site, generate a
> similar form on your site with that form's action being
> the CGI/PHP script that the particular site uses to process
> the form once submitted, modify the values for the form
> variables to be anything you want and submit the form
> that resides on your site. This will basically submit totally
> fabricated data to the foreign site and possibly screw them
> up somehow and/or in some way.
>
> Is there any way to defend against this? Is there any way
> to ensure that when a form is submitted that the submission
> request originated from your site/domain and not somewhere
> else?
>
> Any help would be greatly appreciated.
>
> Chris
>
Don't bother with checking the HTTP_REFERER - it can be easily forged.
There is a very simple solution to this problem -- validate the data from
the form!
I.e. if you're expecting $foo to be an integer from 2 to 5, look at
intval($foo) and see if it's >=2 and <=5.
You should be doing this anyway, since who knows what the user could type in
your input box. Never mind if somebody makes a copy of your form. Never never
never trust the client.
Cheers
Simon Garner
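An added example, not from the thread, of the server-side validation Simon describes, written in PHP. The field names ("quantity", "colour", "email") and their allowed values are assumptions; the sample submissions are constructed.

```php
<?php
// Validate a submitted form entirely on the server, ignoring where it came
// from. Hypothetical fields: quantity (int 2..5), colour (enum), email.
function validate_order(array $input): array
{
    $errors = [];
    $clean  = [];

    // Integer from 2 to 5. intval("3abc") is 3 and intval("abc") is 0, so a
    // bare intval() range check can pass junk; FILTER_VALIDATE_INT rejects
    // anything that is not a well-formed integer inside the range.
    $qty = filter_var($input['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 2, 'max_range' => 5]]);
    if ($qty === false) {
        $errors['quantity'] = 'must be an integer from 2 to 5';
    } else {
        $clean['quantity'] = $qty;
    }

    // Enumerated value: compare against a fixed server-side list, not the
    // <option> values the HTML happened to offer (a copied form can send any).
    $allowed = ['red', 'green', 'blue'];
    $colour  = $input['colour'] ?? '';
    if (!in_array($colour, $allowed, true)) {
        $errors['colour'] = 'not an allowed colour';
    } else {
        $clean['colour'] = $colour;
    }

    // Free-text field: bound its length and check its shape.
    $email = trim((string) ($input['email'] ?? ''));
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    // Only whitelisted, validated fields reach $clean; unknown keys are dropped.
    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

// Constructed samples: an honest submission and one a copied form might send.
$good = ['quantity' => '3', 'colour' => 'red', 'email' => 'a@example.com'];
$bad  = ['quantity' => '3abc', 'colour' => 'purple',
         'email' => str_repeat('x', 300), 'extra' => 'ignored'];
var_dump(validate_order($good));
var_dump(validate_order($bad));
```

The same check runs whether the request carries a Referer or not, which is the point: the validation does not depend on anything the client controls.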
--
PHP General Mailing List (http://www.php.net/)