Your browser does not seem to support CSS. If images appear below, please disregard them.
toggle
May
S M T W T F S
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31
Sponsored Links
Latest Postings
Topic Options
Rate This Topic
#18403 - 09/28/05 10:28 AM form data
Joined: Sep 2005
Posts: 102
Testing Offline
UGN Member
Testing Offline
UGN Member

Joined: Sep 2005
Posts: 102
Sacramento, CA
This very well could go under the newbie section but since its regarding PHP/HTML I figured my question is best served here.

I'm reading my book and as I read it states "In terms of both error management and security, you should absolutely never trust the data being entered into a form".

Ok, So here comes the question.

Why not? Are they referring to when the form is being entered into say mysql and then the info from the form can dictate stuff in the database? I know that didn't come out exactly as I am thinking but its close. Why exactly should I scrutinize form data. Any insight would be greatly appreciated.


Flipping houses in Sacramento market has been fantastic. Curious about what it takes to flip houses? Follow me at http://sacramentoflips.com.
Top
Sponsored Links
#18404 - 09/28/05 10:53 AM Re: form data
Joined: Sep 2005
Posts: 102
Testing Offline
UGN Member
Testing Offline
UGN Member

Joined: Sep 2005
Posts: 102
Sacramento, CA
Never mind. I understand much better now.

http://www.phpbuilder.com/columns/sporty20001102.php3?page=3


Flipping houses in Sacramento market has been fantastic. Curious about what it takes to flip houses? Follow me at http://sacramentoflips.com.
Top
#18405 - 09/28/05 02:43 PM Re: form data
Joined: Dec 2002
Posts: 3,255
§intå× Offline
§intå× Offline



Joined: Dec 2002
Posts: 3,255
Maryland
Yea... Trust nothing from the user. Code every form as if you know a hacker is coming at it. Also safe guard from URL submissions. Remember the GET method. If someone views source on your form they will see all variables that will be passed. Even if you are using host, they can mess with the URL and try submiting malious code that way.

The best ways around this are

1.) Code like registered globals is off.
http://us2.php.net/variables.external

2.) Make sure the user came from the page the form is on. See the predefined variables
http://us2.php.net/manual/en/reserved.variables.php#reserved.variables.request


Here is a function I grabed off PHP.net to make sure your forms are secure.
Code:
<?php

   function form_post_check()
   {
       $referring_url = $_SERVER['HTTP_REFERER'];    // get the referring URL
       $host = $_SERVER['HTTP_HOST'];    // get the header from the current request (example: www.yoursite.com)
       $valid_url = 'http://'.$host.'/';    // finish defining a valid referring URL
       $valid_len = strlen( $valid_url );    // get the length of the valid url

       // if the valid url isn't the first part of the referring url
       if ( substr( $referring_url, 0, $valid_len ) != $valid_url )
       {
           die( 'You submitted this form from an invalid URL.' );    // stop everything and display a message
       }
   }

?>
Be sure to make PHP.net a favorite while learning. Thier search tool is a life saver while learning, let me tell you.


My New site OpenEyes
Top

Member Spotlight
Gremelin

Gremelin
Portland, OR; USA
Posts: 7,194
Joined: February 2002
Show All Member Profiles 
Forum Statistics
Forums46
Topics45,692
Posts80,860
Members2,157
Most Online1,567
Apr 25th, 2010
Top Posters(All Time)
UGN Security 38,856
Gremelin 7,194
§intå× 3,255
SilentRage 1,273
Ice 1,146
pergesu 1,136
Infinite 1,041
jonconley 955
Girlie 908
unreal 860
Newest Members
Herbert_Sherbert, codemauve, Lillysdragon1984, Brewwit, boa
2157 Registered Users
Who's Online Now
0 registered members (), 4 guests and 2 spiders.
Latest News