Thanks for your recommendations. What if they use page.php?$_POST[$total] instead of $total? Wouldn't the outcome be the same? Is there a good article on this subject? I think this is quite important in developing secure applications; I have googled but no luck.

Thanks again,
awlad

----- Original Message -----
From: "Chris Hayes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 11, 2003 3:34 PM
Subject: Re: [PHP] prevent modifying querystring

> 1st step: read out form results from $_POST['total'] (possible since PHP
> 4.10), not from $total. Variables added to the url will not be in the
> $_POST array but in $_GET.
>
> When reading the form result, make sure the referring page is from your
> own site, or else they can simply make their own form.
>
> To increase security, add a hidden field with some random value to the
> form, and put the same value in a session variable. Only accept the form
> result when both match. Some even add a timer.
>
>
> At 16:25 11-6-03, you wrote:
> >For example I have a form with a dropdown selection as shown below.
> >
> ><FORM action="action.php">
> ><SELECT name="total">
> >  <OPTION>1</OPTION>
> >  <OPTION>2</OPTION>
> >  <OPTION>3</OPTION>
> >  <OPTION>4</OPTION>
> >  <OPTION>5</OPTION>
> ></SELECT>
> ></FORM>
> >
> >Just say I have a function to generate form fields based on the total
> >variable from above... so
> >
> >function generate($total) {
> >  for ($i = 1; $i <= $total; $i++) {
> >    print "<input type=\"text\" name=\"$i\">\n";
> >  }
> >}
> >
> >How do you prevent someone modifying the querystring like
> >page.php?total=100 and hitting ENTER?
> >
> >Now rather than 5 options you have 120 options...
> >
> >How do you tackle this problem?
> >
> >Any suggestion?
> >
> >Thanks
> >Awlad
> >
> >_______________________________________________________________________
> >
> >Sheridan Phoenix Company
> >_______________________________________________________________________
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
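A worked version of the advice in the reply above, added here as an example rather than code from the thread: the total is read from $_POST only, checked against the set of options the form actually offers, and accepted only when the hidden random token matches the one kept in the session and is still fresh. It uses PHP 7+ functions (random_bytes, hash_equals, filter_var) that did not exist in 2003; the field, function and session key names are assumptions.

```php
<?php
// Added example, not code from the thread; names here are invented.
session_start();
// The only values the dropdown offers; anything else is rejected no matter
// what the client puts in the query string or the request body.
const ALLOWED_TOTALS = [1, 2, 3, 4, 5];

function issue_form_token(): string {
    // Random value kept in the session and echoed into a hidden field.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

function read_total(array $post, array $session, int $max_age = 900): ?int {
    // Read from the POST body only, never from register_globals or $_GET.
    if (!isset($post['total'], $post['token'], $session['form_token'])) {
        return null;
    }
    // Hidden field must match the session token (timing-safe compare) and
    // the token must be fresh: this is the "timer" mentioned in the reply.
    if (!hash_equals($session['form_token'], (string) $post['token'])
        || time() - ($session['form_token_issued'] ?? 0) > $max_age) {
        return null;
    }
    // Coerce to int and check against the whitelist; "100" is refused here.
    $total = filter_var($post['total'], FILTER_VALIDATE_INT);
    return in_array($total, ALLOWED_TOTALS, true) ? $total : null;
}

function generate(int $total): string {
    $html = '';
    for ($i = 1; $i <= $total; $i++) {
        $html .= '<input type="text" name="field' . $i . '">' . "\n";
    }
    return $html;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $total = read_total($_POST, $_SESSION);
    if ($total === null) {
        http_response_code(400);
        exit('Invalid form submission');
    }
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']); // one-time use
    echo generate($total);
} else {
    $token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="page.php"><select name="total">';
    foreach (ALLOWED_TOTALS as $n) { echo "<option>$n</option>"; }
    echo '</select><input type="hidden" name="token" value="' . $token . '">';
    echo '<input type="submit"></form>';
}
```

The token check replaces the referer check from the reply, since the Referer header is sent at the client's discretion and cannot be relied on server-side.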