#18403 - 09/28/05 03:28 AM form data
Testing
UGN Member
Registered: 09/21/05
Posts: 102
Loc: Sacramento, CA
This very well could go under the newbie section, but since it's regarding PHP/HTML I figured my question is best served here.

I'm reading my book and as I read it states: "In terms of both error management and security, you should absolutely never trust the data being entered into a form".

OK, so here comes the question.

Why not? Are they referring to when the form is being entered into, say, MySQL and then the info from the form can dictate stuff in the database? I know that didn't come out exactly as I am thinking, but it's close. Why exactly should I scrutinize form data? Any insight would be greatly appreciated.
_________________________
Flipping houses in Sacramento market has been fantastic. Curious about what it takes to flip houses? Follow me at http://sacramentoflips.com.

#18404 - 09/28/05 03:53 AM Re: form data
Testing
UGN Member
Registered: 09/21/05
Posts: 102
Loc: Sacramento, CA
Never mind. I understand much better now.

http://www.phpbuilder.com/columns/sporty20001102.php3?page=3
_________________________
Flipping houses in Sacramento market has been fantastic. Curious about what it takes to flip houses? Follow me at http://sacramentoflips.com.

#18405 - 09/28/05 07:43 AM Re: form data
§intå×
Registered: 12/03/02
Posts: 3255
Loc: Maryland
Yea... Trust nothing from the user. Code every form as if you know a hacker is coming at it. Also safeguard against URL submissions. Remember the GET method. If someone views source on your form they will see all variables that will be passed. Even if you are using POST, they can mess with the URL and try submitting malicious code that way.

The best ways around this are:

1.) Code as if register_globals is off.
http://us2.php.net/variables.external

2.) Make sure the user came from the page the form is on. See the predefined variables:
http://us2.php.net/manual/en/reserved.variables.php#reserved.variables.request


Here is a function I grabbed off PHP.net to make sure your forms are secure.
Code:
<?php

   function form_post_check()
   {
       // the referring URL the browser reported; it is missing on some requests,
       // so default to an empty string instead of raising an undefined-index notice
       $referring_url = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
       $host = $_SERVER['HTTP_HOST'];    // host name from the current request (example: www.yoursite.com)
       $valid_url = 'http://'.$host.'/';    // the only prefix a valid referring URL may have
       $valid_len = strlen( $valid_url );    // get the length of the valid url

       // if the valid url isn't the first part of the referring url
       if ( substr( $referring_url, 0, $valid_len ) != $valid_url )
       {
           die( 'You submitted this form from an invalid URL.' );    // stop everything and display a message
       }
   }

?>
Be sure to make PHP.net a favorite while learning. Their search tool is a life saver while learning, let me tell you.
_________________________
My New site OpenEyes

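An added example, not code from the original post or from PHP.net, that puts the advice in this thread into one complete form handler: it shows what "trusting form data" looks like when the value goes straight into a MySQL-style query, the same lookup done with an allow-list check and a bound parameter, and a per-form token as the check that the submission really came from your own page. The token replaces the Referer test above because the Referer header is chosen by the client and can be forged or left out. It assumes PHP 7 or later with the pdo_sqlite extension so it runs from the command line against an in-memory database; the table, its one row, the "submitted" form values and the hypothetical `$session` array standing in for `$_SESSION` are all constructed here for the demo.

```php
<?php
// Added example (not from the original post). Runs offline with pdo_sqlite;
// the table, its row, the form values and $session are constructed here.

declare(strict_types=1);

// --- 1. A tiny in-memory database so the example runs offline. ---
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)');
    $ins = $db->prepare('INSERT INTO users (name, pwhash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// --- 2. The unsafe way: form data pasted straight into the SQL text. ---
// Whatever the visitor typed becomes part of the query, so the visitor,
// not the programmer, decides what the query does.
function login_unsafe(PDO $db, string $name): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name'";
    return (int) $db->query($sql)->fetchColumn();
}

// --- 3. The safe way: validate first, then keep data and code apart. ---
function valid_username(string $name): bool
{
    // Accept only what a username is allowed to look like (allow-list)
    // rather than trying to strip out "bad" characters (deny-list).
    return (bool) preg_match('/^[a-z0-9_]{1,32}$/', $name);
}

function login_safe(PDO $db, string $name, string $password): bool
{
    if (!valid_username($name)) {
        return false;                       // reject; do not try to "clean up"
    }
    // A bound parameter travels as data and can never change the SQL.
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// --- 4. Proving the request came from our own form. ---
// The form page stores a random token in the session and embeds it in a
// hidden field; the handler accepts the POST only if the two match.
// $session is a hypothetical stand-in for $_SESSION (no session_start() needed).
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

function form_token_ok(array $session, array $post): bool
{
    return isset($session['form_token'], $post['form_token'])
        && is_string($post['form_token'])
        && hash_equals($session['form_token'], $post['form_token']);   // constant-time compare
}

// --- Demo with constructed input. ---
$db = make_db();

// What a hostile visitor types into the "name" box: the quote closes the
// string literal and the OR clause matches every row instead of one name.
$evil = "' OR '1'='1";
printf("unsafe query, evil name: %d row(s) matched\n", login_unsafe($db, $evil));
printf("safe login, evil name:   %s\n", login_safe($db, $evil, 'anything') ? 'allowed' : 'rejected');
printf("safe login, real user:   %s\n", login_safe($db, 'alice', 'correct horse') ? 'allowed' : 'rejected');

// Form token: the token the page handed out is accepted, anything else is not.
$session = [];
$token   = issue_form_token($session);
$post    = ['name' => 'alice', 'form_token' => $token];
$forged  = ['name' => 'alice', 'form_token' => str_repeat('0', 64)];
printf("genuine form submission: %s\n", form_token_ok($session, $post) ? 'accepted' : 'refused');
printf("forged form submission:  %s\n", form_token_ok($session, $forged) ? 'accepted' : 'refused');
```

The same pattern carries over to every field on a form, not just the login name: decide what each value is allowed to look like, reject anything else, and pass the value to the database, the shell or the HTML page through an interface that treats it as data (bound parameters here, `htmlspecialchars()` for output). The token check is worth keeping even with register_globals off, since turning that directive off only stops form fields from becoming PHP variables; it does nothing about who sent the request.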