This could still be faked easily with a telnet session and some fake HTTP headers. Your only way of making sure is to create a server-side script which filters the data.
> Yes, theoretically...you could require it to be posted data. In order
> to do this you would have to make sure "registered_globals" is set to
> "off" in your php.ini and then for each variable posted from your form
> you will need to do something like this....
>
> $name=$_POST["name"];
>
> This will only post the variables if they have been "posted." Then you
> could use the referrer along with this and it will only allow data from
> that specific form. Hope this helps!
>
> Brian Drexler
>
> -----Original Message-----
> From: Pag [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Hacker problem
>
> Been having some hacker problems on my site, and a simple one:
>
> I have a shoutbox, a simple form with name and text that adds lines to
> the database. I do checks for insults, too long words, tags, etc., but
> it's still possible to circumvent those checks by adding the data on
> the URL instead of using the form. Something like:
>
> www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords
>
> To prevent this, I tried tracing the http_referral so that only data
> from inside the site goes into the shoutbox. The problem is that if you
> do that URL above after visiting my site, the http_referral obviously
> thinks it's coming from inside the site. :-P
> How can I solve this? Is there any way to prevent data adding from
> outside? Maybe some invisible check on the form or something?
>
> Thanks.
>
> Pag
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Dan Hardiker [EMAIL PROTECTED]
ADAM Software & Systems Engineer
First Creative
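As an added example (not code written by anyone in this thread), here is what a server-side shoutbox handler along the lines Dan describes can look like: it reads only `$_POST`, so values appended to the URL are ignored regardless of register_globals; it validates the content on the server; and instead of trusting the Referer header it requires a one-time token that the server generated into the session when it rendered the form, which is the "invisible check on the form" Pag asked about. Assumptions in this example: PHP 7.1 or newer, a PDO connection (the DSN, user and password are placeholders), and a table named `shoutbox` with columns `name`, `text` and `created_at`; the blocked-word list is a placeholder too.

```php
<?php
// Added example, not from the mailing-list thread: a shoutbox handler that
// accepts only validated POST data bound to a session token. The Referer
// header is never consulted, because any client can set it to anything.
session_start();

// Assumption: PDO connection to a table shoutbox(name, text, created_at).
// DSN and credentials are placeholders.
function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
}

// Issue a fresh token each time the form is rendered. It exists only in
// the server-side session, so a request typed by hand (telnet, curl, a URL
// with query parameters) cannot supply a matching value.
function render_form(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['shout_token'] = $token;
    return '<form method="post" action="shoutb.php">'
        . '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
        . '<input type="text" name="name" maxlength="30">'
        . '<textarea name="text" maxlength="300"></textarea>'
        . '<button type="submit">Shout</button></form>';
}

// Validate one submission. Returns null when it is acceptable, otherwise
// an error message. Only the $post array is read, so nothing from the
// query string or from bare globals ever reaches the checks.
function validate_shout(array $post, array &$session): ?string
{
    if (!isset($post['token'], $session['shout_token'])
        || !hash_equals($session['shout_token'], (string) $post['token'])) {
        return 'Submission did not come from the site\'s own form.';
    }
    unset($session['shout_token']); // one-time use: a replay needs a new form load

    $name = trim((string) ($post['name'] ?? ''));
    $text = trim((string) ($post['text'] ?? ''));
    if ($name === '' || strlen($name) > 30) {
        return 'Name is missing or too long.';
    }
    if ($text === '' || strlen($text) > 300) {
        return 'Text is missing or too long.';
    }
    if (preg_match('/\S{40,}/', $text)) {
        return 'Text contains an overly long word.';
    }
    if ($text !== strip_tags($text)) {
        return 'HTML tags are not allowed.';
    }
    // Placeholder word list; the real list belongs in configuration, not code.
    foreach (['BLOCKED_WORD_PLACEHOLDER'] as $bad) {
        if (stripos($text, $bad) !== false) {
            return 'Text contains a blocked word.';
        }
    }
    return null;
}

function store_shout(PDO $db, string $name, string $text): void
{
    // Prepared statement: the submitted strings never become part of the SQL.
    $stmt = $db->prepare(
        'INSERT INTO shoutbox (name, text, created_at) VALUES (?, ?, NOW())'
    );
    $stmt->execute([$name, $text]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $error = validate_shout($_POST, $_SESSION);
    if ($error !== null) {
        http_response_code(400);
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
        exit;
    }
    store_shout(db(), trim((string) $_POST['name']), trim((string) $_POST['text']));
    header('Location: shoutb.php', true, 303);
    exit;
}

echo render_form();
```

The token only proves that the request was preceded by a form load in the same session; it does not make the content trustworthy, which is why the length, word and tag checks still run on every submission, and why stored shouts should be passed through `htmlspecialchars()` again when they are displayed.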