Thanks!  That's all I needed to know.

-----Original Message-----
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 9:04 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Hacker problem


That's just not possible.

[EMAIL PROTECTED] wrote:


Swear filtering is easy, I want to know how to make sure the data is 
coming from MY form....I'm just picky like that. :-)

-----Original Message-----
From: Adam Voigt [ mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 12, 2003 8:55 AM
To:  [EMAIL PROTECTED]
Cc:  [EMAIL PROTECTED]
Subject: RE: [PHP] Hacker problem


Why don't you just do the swear filtering on shoutb.php, or wherever it's actually being inserted into the database?

On Wed, 2003-03-12 at 08:51,  [EMAIL PROTECTED] wrote: 

How would one go about doing this? 

-----Original Message----- 
From: Dan Hardiker [ mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 12, 2003 8:44 AM 
To:  [EMAIL PROTECTED] 
Cc:  [EMAIL PROTECTED];  [EMAIL PROTECTED] 
Subject: RE: [PHP] Hacker problem 


This could still be faked easily with a telnet session and some fake http headers. Your only way of making sure is to create a server-side script which filters the data.

  

Yes, theoretically...you could require it to be posted data. In order to do this you would have to make sure "registered_globals" is set to "off" in your php.ini and then for each variable posted from your form you will need to do something like this....

$name=$_POST["name"];

This will only post the variables if they have been "posted." Then you could use the referrer along with this and it will only allow data from that specific form. Hope this helps!

Brian Drexler 

-----Original Message----- 
From: Pag [ mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 12, 2003 8:35 AM 
To:  [EMAIL PROTECTED] 
Subject: [PHP] Hacker problem 



Been having some hacker problems on my site, and a simple one:

I have a shoutbox, a simple form with name and text that adds lines to the database. I do checks for insults, too long words, tags, etc, but it's still possible to circumvent those checks by adding the data on the url instead of using the form. Something like:

www.domain.com/shoutb.php?name=hacker&text=generalnonsenseandbadwords

To prevent this, I tried tracing the http_referral so that only data from inside the site goes into the shoutbox. The problem is that if you do that url above after visiting my site, the http_referral obviously thinks it's coming from inside the site. :-P
How can I solve this? Is there any way to prevent data adding from outside? Maybe some invisible check on the form or something?

Thanks. 

Pag 



-- 
PHP General Mailing List ( http://www.php.net/) 
To unsubscribe, visit:  http://www.php.net/unsub.php 


-- 
The above message is encrypted with double rot13 encoding.  Any 
unauthorized attempt to decrypt it will be prosecuted to the full 
extent of the law.




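The server-side check that Dan, Adam and Brian describe, as an added example that is not code from the thread: shoutb.php accepts only a POST, reads the fields from $_POST alone (so register_globals cannot smuggle them in from the URL), and re-runs the insult, length and tag filters before the insert; the referrer is never consulted because, as Dan notes, it can be forged. The word list, field limits and the validateShout function name are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: the server-side check Dan, Adam
// and Brian describe, done in shoutb.php itself. The referrer and other
// headers are forgeable, so nothing here depends on them: the script accepts
// only POSTed fields and re-runs every filter before the database insert.

$blockedWords = ['badword', 'nonsense'];   // constructed list for the demo

// Returns ['ok' => true, 'name' => .., 'text' => ..] or ['ok' => false, 'error' => ..].
// $method and $post are parameters so the check can be run without a live request.
function validateShout(string $method, array $post, array $blockedWords): array
{
    // shoutb.php?name=...&text=... arrives as GET and is rejected here.
    if ($method !== 'POST') {
        return ['ok' => false, 'error' => 'form data must be POSTed'];
    }
    // Read only the POST body, never $_GET or $_REQUEST.
    $name = trim((string)($post['name'] ?? ''));
    $text = trim((string)($post['text'] ?? ''));
    if ($name === '' || $text === '') {
        return ['ok' => false, 'error' => 'name and text are required'];
    }
    // Length limits on the fields and on any single word.
    if (strlen($name) > 30 || strlen($text) > 500) {
        return ['ok' => false, 'error' => 'too long'];
    }
    foreach (preg_split('/\s+/', $text) as $word) {
        if (strlen($word) > 40) {
            return ['ok' => false, 'error' => 'word too long'];
        }
    }
    // Tags are removed server-side rather than trusting the client.
    $name = strip_tags($name);
    $text = strip_tags($text);
    // Case-insensitive word filter over both fields.
    foreach ($blockedWords as $bad) {
        if (stripos($name . ' ' . $text, $bad) !== false) {
            return ['ok' => false, 'error' => 'blocked word'];
        }
    }
    return ['ok' => true, 'name' => $name, 'text' => $text];
}

$result = validateShout($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $blockedWords);
if (!$result['ok']) {
    http_response_code(400);
    exit($result['error']);
}
// Only now insert $result['name'] and $result['text'] into the database.
```

Because the checks live in the script that performs the insert, a client that bypasses the HTML form (by URL, telnet or forged headers) still hits the same filters.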