HTTP_REFERER can be spoofed, so don't rely on it for much.

---John Holmes...
----- Original Message -----
From: "John Nichel" <[EMAIL PROTECTED]>
To: "Paul Nicholson" <[EMAIL PROTECTED]>
Cc: "Johnson, Kirk" <[EMAIL PROTECTED]>; "PHP General" <[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 2:07 PM
Subject: Re: [PHP] extract($_POST)

> And if you want to take it a step further, to ensure that the values are
> submitted from YOUR form, check the $_SERVER['HTTP_REFERER'] to see if
> it's coming from your domain | page.
>
> Paul Nicholson wrote:
> > On Friday 25 October 2002 11:23 am, Johnson, Kirk wrote:
> >
> >>> And what should these precautions be? If a malicious user can submit
> >>> his own form and you are looking for a POST variable, how can you
> >>> ensure that $admin came from your form and not that user's?
> >>
> >> The problem is when a cracker uses form variables in an attempt to set the
> >> values of "flag" variables kept only in the session, for example, $isAdmin.
> >> As far as the form variables *you* put in your form, it doesn't matter
> >> whether the user submits your form or a form they made themselves. Those
> >> form variables are just data you are trying to collect.
> >>
> >> With register_globals on, PHP takes *all* variables (GET, POST, COOKIE)
> >> received from the client and assigns them to global variables. So if the
> >> user posts a value for $isAdmin, she can give herself admin privileges.
> >>
> >> The key is to retrieve *only* the form variables *you* put in the form from
> >> the $_POST array. So don't write a loop and grab *everything* from that
> >> array.
> >>
> >> Kirk
> >
> > Exactly! Not only should you retrieve *only* the vars you need from POST,
> > you should also filter them to make sure they contain what you're looking
> > for.....is_alpha($_POST['name']). And no, php doesn't have an 'is_alpha'
> > function....I created that as part of a filtering class.
> >
> > ~Paul
> >
> > --
> > ~Paul Nicholson
> > Design Specialist @ WebPower Design
> > "The web....the way you want it!"
> > [EMAIL PROTECTED]
> >
> > "It said uses Windows 98 or better, so I loaded Linux!"
> > Registered Linux User #183202 using Register Linux System # 81891
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
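The thread above boils down to two patterns: mass-assigning client data into your variable scope (register_globals, or a loop over $_POST, or extract($_POST)) lets a request overwrite flags such as $isAdmin that should come only from the session, while copying an explicit allowlist of form fields and validating each one does not. The following PHP (8.0 or later, because of match) is an added example written for this editing pass; it is not code from the thread or from any of its posters. The field names, the FORM_FIELDS allowlist, the is_alpha() helper (standing in for the filtering-class function Paul mentions; ctype_alpha() is the built-in it wraps) and the sample request are all constructed for the demonstration. Following John Holmes's point, $_SERVER['HTTP_REFERER'] is deliberately not used as a control: it is supplied by the client and may be absent or arbitrary.

```php
<?php
// Added example, not part of the original thread.

// --- Vulnerable pattern: the register_globals / extract($_POST) hazard. ---
// $isAdmin is read from the trusted session, then extract() overwrites it
// with whatever the client posted under the same name (EXTR_OVERWRITE is
// the default), so the client decides its own privilege level.
function vulnerable_handler(array $post, array $session): bool
{
    $isAdmin = $session['isAdmin'] ?? false;   // trusted source
    extract($post);                             // BUG: $isAdmin is now client-controlled
    return (bool) $isAdmin;
}

// --- Hardened pattern: allowlist + per-field validation. ---
// Only the fields the form actually contains are copied out of $_POST,
// and each is checked against the type the form promised.
const FORM_FIELDS = [          // constructed form definition
    'name'  => 'alpha',        // letters only
    'age'   => 'int',
    'email' => 'email',
];

// Hypothetical helper in the spirit of Paul's is_alpha(); ctype_alpha is the built-in.
function is_alpha(string $s): bool
{
    return $s !== '' && ctype_alpha($s);
}

function collect_form(array $post): array
{
    $clean = [];
    foreach (FORM_FIELDS as $field => $type) {
        // Missing or non-scalar fields are rejected rather than defaulted,
        // so array-injection tricks (name[]=x) do not reach the validators.
        if (!array_key_exists($field, $post) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or malformed field: $field");
        }
        $value = $post[$field];
        $ok = match ($type) {
            'alpha' => is_alpha($value),
            'int'   => filter_var($value, FILTER_VALIDATE_INT) !== false,
            'email' => filter_var($value, FILTER_VALIDATE_EMAIL) !== false,
        };
        if (!$ok) {
            throw new InvalidArgumentException("invalid value for field: $field");
        }
        $clean[$field] = $value;
    }
    return $clean;   // extra keys such as isAdmin are simply never copied
}

function hardened_handler(array $post, array $session): array
{
    // Authorisation comes from the server-side session only; no $_POST key
    // and no HTTP_REFERER value can influence it.
    $isAdmin = (bool) ($session['isAdmin'] ?? false);
    $form = collect_form($post);
    return ['isAdmin' => $isAdmin, 'form' => $form];
}

// Constructed sample request: the three real form fields plus an extra,
// unexpected isAdmin field, from a session that is not an admin session.
$sample  = ['name' => 'Alice', 'age' => '30', 'email' => 'alice@example.com', 'isAdmin' => '1'];
$session = [];

var_dump(vulnerable_handler($sample, $session));             // bool(true): client set its own flag
var_dump(hardened_handler($sample, $session)['isAdmin']);    // bool(false): session decides
var_dump(array_keys(hardened_handler($sample, $session)['form'])); // name, age, email only
```

Run with `php example.php`. The point of collect_form() is that the set of accepted keys is fixed in code, so the question "did this value come from my form or from one the user built?" no longer matters for privilege: whoever submitted it, a posted isAdmin is data that is never read, and the only way to become admin is through the session.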