Yes, theoretically...you could require it to be posted data.  In order 
to do this you would have to make sure "registered_globals" is set to 
"off" in your php.ini and then for each variable posted from your form 
you will need to do something like this....

$name=$_POST["name"];

This will only post the variables if they have been "posted."  Then you 
could use the referrer along with this and it will only allow data from 
that specific form.  Hope this helps!

Brian Drexler

-----Original Message-----
From: Pag [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:35 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Hacker problem



        Been having some hacker problems on my site, and a simple one:

        I have a shoutbox, a simple form with name and text that adds
lines to the database. I do checks for insults, too long words, tags,
etc., but it's still possible to circumvent those checks by adding the
data on the URL instead of using the form. Something like:

        www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords

        To prevent this, I tried tracing the http_referral so that only
data from inside the site goes into the shoutbox. The problem is that if
you do that URL above after visiting my site, the http_referral
obviously thinks it's coming from inside the site. :-P
        How can I solve this? Is there any way to prevent data adding
from outside? Maybe some invisible check on the form or something?

        Thanks.

        Pag



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
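
An added example, not code from either poster: one way to combine the POST-only handling suggested in the reply with the "invisible check on the form" asked about in the original message, implemented as a hidden per-session token. The field name `token`, the length limits and the `shouts.log` file (standing in for the site's database insert) are assumptions.

```php
<?php
// shoutb.php (added example): 'token', the limits and shouts.log are assumptions.
session_start();
// One unpredictable token per session, echoed into the form as a hidden field.
if (empty($_SESSION['shout_token'])) {
    $_SESSION['shout_token'] = bin2hex(random_bytes(32));
}

// Return [name, text] if the request is an acceptable form post, else null.
function accept_shout(string $method, array $post, string $sessionToken): ?array
{
    // The ?name=...&text=... URL from the thread arrives as GET: refuse it.
    if ($method !== 'POST') {
        return null;
    }
    // The hidden field must match the value stored server-side.
    $sent = $post['token'] ?? '';
    if (!is_string($sent) || !hash_equals($sessionToken, $sent)) {
        return null;
    }
    // Read only from the POST body; arrays (name[]=x) are rejected.
    $name = $post['name'] ?? '';
    $text = $post['text'] ?? '';
    if (!is_string($name) || !is_string($text)) {
        return null;
    }
    $name = trim($name);
    $text = trim($text);
    if ($name === '' || $text === '' || strlen($name) > 30 || strlen($text) > 200) {
        return null;
    }
    return [$name, $text];
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$shout = accept_shout($method, $_POST, $_SESSION['shout_token']);
if ($shout !== null) {
    // Stand-in for the site's own word checks and database insert.
    file_put_contents('shouts.log', json_encode($shout) . "\n", FILE_APPEND | LOCK_EX);
} elseif ($method === 'POST') {
    http_response_code(403); // a POST without a valid token or fields
}
$token = htmlspecialchars($_SESSION['shout_token'], ENT_QUOTES);
?>
<form method="post" action="shoutb.php">
  <input type="hidden" name="token" value="<?= $token ?>">
  <input type="text" name="name" maxlength="30">
  <input type="text" name="text" maxlength="200">
  <input type="submit" value="Shout">
</form>
```

The token only ties a submission to a session that actually loaded the form, so the insult, length and tag checks still have to run on the server against the accepted values.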

