Your browser does not seem to support CSS. If images appear below, please disregard them.
It appears that you're running an Ad-Blocker. This site is monetized by Advertising and by User Donations; we ask that if you find this site helpful that you whitelist us in your Ad-Blocker, or make a Donation to help aid in operating costs.
Previous Thread
Next Thread
Print Thread
Rate This Thread
#18403 - 09/28/05 10:28 AM form data  
Joined: Sep 2005
Posts: 102
Testing Offline
UGN Member
Testing  Offline
UGN Member

Joined: Sep 2005
Posts: 102
Sacramento, CA
This very well could go under the newbie section but since its regarding PHP/HTML I figured my question is best served here.

I'm reading my book and as I read it states "In terms of both error management and security, you should absolutely never trust the data being entered into a form".

Ok, So here comes the question.

Why not? Are they referring to when the form is being entered into say mysql and then the info from the form can dictate stuff in the database? I know that didn't come out exactly as I am thinking but its close. Why exactly should I scrutinize form data. Any insight would be greatly appreciated.


Flipping houses in Sacramento market has been fantastic. Curious about what it takes to flip houses? Follow me at http://sacramentoflips.com.
Sponsored Links
#18404 - 09/28/05 10:53 AM Re: form data  
Joined: Sep 2005
Posts: 102
Testing Offline
UGN Member
Testing  Offline
UGN Member

Joined: Sep 2005
Posts: 102
Sacramento, CA
Never mind. I understand much better now.

http://www.phpbuilder.com/columns/sporty20001102.php3?page=3


Flipping houses in Sacramento market has been fantastic. Curious about what it takes to flip houses? Follow me at http://sacramentoflips.com.
#18405 - 09/28/05 02:43 PM Re: form data  
Joined: Dec 2002
Posts: 3,255
§intå× Offline
§intå×  Offline



Joined: Dec 2002
Posts: 3,255
Likes: 1
Maryland
Yea... Trust nothing from the user. Code every form as if you know a hacker is coming at it. Also safe guard from URL submissions. Remember the GET method. If someone views source on your form they will see all variables that will be passed. Even if you are using host, they can mess with the URL and try submiting malious code that way.

The best ways around this are

1.) Code like registered globals is off.
http://us2.php.net/variables.external

2.) Make sure the user came from the page the form is on. See the predefined variables
http://us2.php.net/manual/en/reserved.variables.php#reserved.variables.request


Here is a function I grabed off PHP.net to make sure your forms are secure.
Code:
<?php

   function form_post_check()
   {
       $referring_url = $_SERVER['HTTP_REFERER'];    // get the referring URL
       $host = $_SERVER['HTTP_HOST'];    // get the header from the current request (example: www.yoursite.com)
       $valid_url = 'http://'.$host.'/';    // finish defining a valid referring URL
       $valid_len = strlen( $valid_url );    // get the length of the valid url

       // if the valid url isn't the first part of the referring url
       if ( substr( $referring_url, 0, $valid_len ) != $valid_url )
       {
           die( 'You submitted this form from an invalid URL.' );    // stop everything and display a message
       }
   }

?>
Be sure to make PHP.net a favorite while learning. Thier search tool is a life saver while learning, let me tell you.


My New site OpenEyes

Member Spotlight
Gremelin
Gremelin
Portland, OR; USA
Posts: 7,195
Joined: February 2002
Show All Member Profiles 
Forum Statistics
Forums45
Topics46,754
Posts81,924
Average Daily Posts11
Members2,159
Most Online1,567
Apr 25th, 2010
Latest Postings
Top Posters(All Time)
UGN Security 39,918
Gremelin 7,195
§intå× 3,255
SilentRage 1,273
Ice 1,146
pergesu 1,136
Infinite 1,041
jonconley 955
Girlie 908
unreal 860
Top Liked Users (All Time)
§intå× Likes: 1
Cold Sunn Likes: 1
Crime Likes: 1
Cyrez Likes: 1
Ghost Likes: 1
Gremelin Likes: 4
Ice Likes: 1
unreal Likes: 1
Top Liked Users (30 Days)
Powered by UBB.threads™ PHP Forum Software 7.6.0
(Snapshot build 20160902)