Swear filtering is easy, I want to know how to make sure the data is coming from MY form....I'm just picky like that. :-)

-----Original Message-----
From: Adam Voigt [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:55 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem

Why don't you just do the swear filtering on shoutb.php, or wherever
it's actually being inserted into the database?

On Wed, 2003-03-12 at 08:51, [EMAIL PROTECTED] wrote:

How would one go about doing this?

-----Original Message-----
From: Dan Hardiker [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:44 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem

This could still be faked easily with a telnet session and some fake
http headers. Your only way of making sure is to create a server-side
script which filters the data.

> Yes, theoretically...you could require it to be posted data. In order
> to do this you would have to make sure "registered_globals" is set to
> "off" in your php.ini and then for each variable posted from your form
> you will need to do something like this....
>
> $name=$_POST["name"];
>
> This will only post the variables if they have been "posted." Then you
> could use the referrer along with this and it will only allow data from
> that specific form. Hope this helps!
>
> Brian Drexler
>
> -----Original Message-----
> From: Pag [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 12, 2003 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Hacker problem
>
> Been having some hacker problems on my site, and a simple one:
>
> I have a shoutbox, a simple form with name and text that adds lines to
> the database. I do checks for insults, too long words, tags, etc, but
> it's still possible to circumvent those checks by adding the data on the
> url instead of using the form. Something like:
>
> www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords
>
> To prevent this, I tried tracing the http_referral so that only data
> from inside the site goes into the shoutbox.
> The problem is that if you do that url above after visiting my site,
> the http_referral obviously thinks it's coming from inside the site. :-P
> How can I solve this? Is there any way to prevent data adding from
> outside? Maybe some invisible check on the form or something?
>
> Thanks.
>
> Pag
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Dan Hardiker [EMAIL PROTECTED]
ADAM Software & Systems Engineer
First Creative

--
Adam Voigt ([EMAIL PROTECTED])
The Cryptocomm Group
My GPG Key: http://64.238.252.49:8080/adam_at_cryptocomm.asc
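
Added example, not part of the original thread or any poster's code: one way to pair the "invisible check on the form" asked about above with the server-side filtering the replies recommend, in a single shoutb.php. The token field name, length limits and word list are assumptions; shoutb.php, name and text come from the thread.

```php
<?php
// Added example, not code from the thread. Token field name, limits and
// word list are assumptions; shoutb.php, name and text come from the thread.
session_start();
const MAX_WORD = 25;
const BANNED = ['badword1', 'badword2']; // placeholder list

// One-time random value stored server-side and echoed in a hidden field.
function issue_token(): string {
    $_SESSION['shout_token'] = bin2hex(random_bytes(32));
    return $_SESSION['shout_token'];
}
// Constant-time compare; the token is consumed whether or not it matches.
function token_ok($sent): bool {
    $expected = $_SESSION['shout_token'] ?? '';
    unset($_SESSION['shout_token']);
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}
// The filter runs here on every request, whatever client sent it.
function clean_field($v, int $max): ?string {
    if (!is_string($v)) return null;
    $v = trim(strip_tags($v));
    if ($v === '' || strlen($v) > $max) return null;
    foreach (preg_split('/\s+/', $v) as $word) {
        if (strlen($word) > MAX_WORD) return null;
        if (in_array(strtolower($word), BANNED, true)) return null;
    }
    return $v;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read only $_POST: name/text placed in the URL query string are ignored.
    $valid = token_ok($_POST['token'] ?? null);
    $name = clean_field($_POST['name'] ?? null, 30);
    $text = clean_field($_POST['text'] ?? null, 200);
    if (!$valid || $name === null || $text === null) {
        http_response_code(400);
        exit('Rejected');
    }
    // Store $name and $text with a parameterised query; escape on output.
    exit('Saved');
}
$token = issue_token();
?>
<form method="post" action="shoutb.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input name="name"> <input name="text"> <input type="submit">
</form>
```

The token only shows that the sender loaded the form in the same session first; a scripted client can do that too, so clean_field() is what keeps unwanted text out of the database.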