You've discovered one of the basic tenets of form security on the web :)
It is crucial that you never trust input from ANY outside source. This means you should do a couple of things:
1) limit the possible input values
2) validate the data type. If you expect a number, use is_numeric(), or a regex like ^[0-9]{1,5}$ (1-5 digit integer), and if your data does not match, stop all processing of the input and raise an error.
3) NEVER execute input from outside sources. Instead, use output from the outside to choose between a controlled, limited number of options from within the program; leave nothing open-ended.
Don't worry about controlling $_GET, $_REQUEST or $_WHATEVER, just limit the input you expect, and check to make sure it is within the limits you set.
Regards,
Greg
--
phpDocumentor
http://www.phpdoc.org
Scott Fletcher wrote:
Hi!
I wanted to know, is there a way to configure PHP to make it not be affected when the web user tampers with the values in the post string after a webpage is submitted or something? (Further explanation below)
I noticed when I use the hidden html input tag with hidden data in it, then when I click the submit button to submit the webpage, the hidden data then shows up in the URL address. Fine, no problem. But I noticed one problem: I can change the value in the URL toolbar of the web-browser and get a different result on the webpage. I know it is where $_REQUEST[], $_GET, etc. come into play. So, is there a way to keep that $_REQUEST[], $_GET[] data unchanged? Does this require the php.ini configuration or what?
Thanks, FletchSOD
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
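
The three points in the reply above, shown as an added PHP example that is not part of the original thread. The parameter names `id` and `action`, the script paths and the sample requests are assumptions constructed for illustration; the pattern uses `\z` rather than `$` so that a value with a trailing newline is rejected as well.

```php
<?php
declare(strict_types=1);

// Point 1: the only values the "action" parameter may take (hypothetical names).
const ALLOWED_ACTIONS = [
    'view'   => 'pages/view.php',
    'edit'   => 'pages/edit.php',
    'delete' => 'pages/delete.php',
];

// Point 2: accept a 1-5 digit integer and nothing else.
function validated_id(array $input): int
{
    $raw = $input['id'] ?? null;
    // is_string() also rejects id[]=7, which PHP delivers as an array.
    if (!is_string($raw) || preg_match('/^[0-9]{1,5}\z/', $raw) !== 1) {
        throw new InvalidArgumentException('id must be a 1-5 digit integer');
    }
    return (int) $raw;
}

// Point 3: input only selects among fixed options; it is never used
// directly as a file path or as code.
function chosen_script(array $input): string
{
    $action = $input['action'] ?? null;
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    return ALLOWED_ACTIONS[$action];
}

// Constructed sample requests standing in for $_GET after the URL was edited.
$requests = [
    ['id' => '42',    'action' => 'view'],           // untouched form submission
    ['id' => '42abc', 'action' => 'view'],           // id changed in the address bar
    ['id' => '7',     'action' => 'no_such_action'], // action changed in the address bar
    ['id' => ['7'],   'action' => 'edit'],           // id[]=7 makes the value an array
];

foreach ($requests as $get) {
    try {
        $id     = validated_id($get);
        $script = chosen_script($get);
        echo "OK: would run {$script} for item {$id}\n";
    } catch (InvalidArgumentException $e) {
        // Stop all processing of this request and raise the error.
        echo "REJECTED: {$e->getMessage()}\n";
    }
}
```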