
POST variables not coming through

Hi

For some reason, at random posts, the post variables don't get through to
the server. For example, if there are two text fields: name and
email... (I have register_globals on)... When I try to update the
database with a query and use $name, $email, the $name is missing or
the $email is missing. I am building an intranet application and all
the 20 or so clients run IE. This happens very rarely. Something like
once in 100 updates.

But I can see this in the log files as update contact set name="",
email="as**@pol.com" where contact_id=918. Notice the name field is
blank. I have JS checks on the client side which do not allow a blank
name field.

Is this an IE random error? How do I get over this?

Weird Stuff

Aug 29 '06 #1
Maybe your user has just turned off javascript?

WhatsPHP wrote:
> Hi
>
> For some reason, at random posts, the post variables don't get through to
> the server. For example, if there are two text fields: name and
> email... (I have register_globals on)... When I try to update the
> database with a query and use $name, $email, the $name is missing or
> the $email is missing. I am building an intranet application and all
> the 20 or so clients run IE. This happens very rarely. Something like
> once in 100 updates.
>
> But I can see this in the log files as update contact set name="",
> email="as**@pol.com" where contact_id=918. Notice the name field is
> blank. I have JS checks on the client side which do not allow a blank
> name field.
>
> Is this an IE random error? How do I get over this?
>
> Weird Stuff

Aug 29 '06 #2
WhatsPHP wrote:
> Hi
>
> For some reason, at random posts, the post variables don't get through to
> the server. For example, if there are two text fields: name and
> email... (I have register_globals on)... When I try to update the
> database with a query and use $name, $email, the $name is missing or
> the $email is missing. I am building an intranet application and all
> the 20 or so clients run IE. This happens very rarely. Something like
> once in 100 updates.
>
> But I can see this in the log files as update contact set name="",
> email="as**@pol.com" where contact_id=918. Notice the name field is
> blank. I have JS checks on the client side which do not allow a blank
> name field.
>
> Is this an IE random error? How do I get over this?
>
> Weird Stuff

Firstly, turn register_globals off, because it's horrid. Read the PHP
manual's security entry on register_globals if you want to know why :)
This is also probably where your problems are coming from, as variables
are really easily over-written when register_globals is on.

Secondly, don't just validate in JS - validate in PHP too, as the JS
might not run as expected or may be ignored completely if a (malicious)
user decides to create their own POST to the form handler.

Aug 29 '06 #3
"gbbulldog" <gb*******@googlemail.com> wrote in
news:11**********************@p79g2000cwp.googlegroups.com:

> WhatsPHP wrote:
>> I have JS checks in the client side which does not allow blank
>
> Secondly, don't just validate in JS - validate in PHP too, as the JS
> might not run as expected or may be ignored completely if a
> (malicious) user decides to create their own POST to the form handler.

You will never get better advice than this. You *must* get a handle on
security whenever you are using PHP and submitted forms.

*NEVER* trust user input. You must *ALWAYS* validate your info on the
PHP side - make sure that you are actually getting the information you
are expecting. As noted above, if a user has disabled javascript, then
they can submit an empty form. Heck, I don't even need to VISIT a
website to submit information to the form on it - I can post to a FORM
via command-line, or any other number of ways, without hitting the
original form.

So how would you guard against people submitting a 'fake' form from
their own computer, or just turning off javascript? By checking *ALL
USER INPUT*. It is the FIRST RULE involving ANY server-side scripting
language - VALIDATE USER INPUT!

As you can see, this point simply CANNOT be stressed enough. It is the
first hole (and biggest) that must be plugged in everything you write
from this day forth.

:)

Aug 29 '06 #4
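
The server-side check recommended in the two replies above, as an added example that is not part of the original thread: the `contact` table, its columns and `contact_id` 918 come from the logged query in the first post, while the function names, the 100-byte limit and the in-memory SQLite database are assumptions made so the script runs on its own. In a real handler the array passed in would be `$_POST`.

```php
<?php
declare(strict_types=1);

// Validate the two fields from the thread on the server; returns [clean, errors].
function validate_contact(array $post): array
{
    $errors = [];
    $name  = isset($post['name'])  && is_string($post['name'])  ? trim($post['name'])  : '';
    $email = isset($post['email']) && is_string($post['email']) ? trim($post['email']) : '';
    if ($name === '' || strlen($name) > 100) {          // limit is an assumption
        $errors['name'] = 'name is required (max 100 bytes)';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email is not a valid address';
    }
    return [['name' => $name, 'email' => $email], $errors];
}

// Update only when validation passes; values are bound, never concatenated.
function update_contact(PDO $db, int $contactId, array $post): array
{
    [$clean, $errors] = validate_contact($post);
    if ($errors) {
        return $errors;                                 // nothing is written
    }
    $stmt = $db->prepare(
        'UPDATE contact SET name = :name, email = :email WHERE contact_id = :id'
    );
    $stmt->execute([':name' => $clean['name'], ':email' => $clean['email'], ':id' => $contactId]);
    return [];
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contact (contact_id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO contact VALUES (918, 'Old Name', 'old@example.test')");

// A POST built without the form's JavaScript: the name field is blank.
print_r(update_contact($db, 918, ['name' => '', 'email' => 'user@example.test']));
// A complete submission.
print_r(update_contact($db, 918, ['name' => 'New Name', 'email' => 'user@example.test']));
print_r($db->query('SELECT * FROM contact')->fetchAll(PDO::FETCH_ASSOC));
```

The blank-name request is rejected before any SQL runs, so a row like the one in the log can only be written if the handler is bypassed, not because the browser skipped the JavaScript check.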
Thanks for all your input on security, guys. I will certainly keep it in
mind, but this is an in-house intranet application and the users who use
the system barely know how to use it, let alone hack it. That is the
reason we had register_globals on. This system may be internal and on
the intranet but it has around 20 people using it full time (so it is
not small).

We have register_globals on. What is still bugging me is the totally
random occurrence of this error. Has anyone experienced IE behaving
weird by not posting all the form variables, both hidden and non-hidden,
as it should?

Aug 29 '06 #5
WhatsPHP wrote:
> Thanks for all your input on security, guys. I will certainly keep it in
> mind, but this is an in-house intranet application and the users who use
> the system barely know how to use it, let alone hack it. That is the
> reason we had register_globals on. This system may be internal and on
> the intranet but it has around 20 people using it full time (so it is
> not small).
>
> We have register_globals on. What is still bugging me is the totally
> random occurrence of this error. Has anyone experienced IE behaving
> weird by not posting all the form variables, both hidden and non-hidden,
> as it should?

If the JavaScript fails at any time and you're relying on using an
"onSubmit" check to validate the data, the data won't be validated at
all! Validation is not just a question of security - it's good practice
to stop your scripts from failing, esp. when working with databases.

Again, the inherent problems with having register_globals on aren't all
security related, either. When it's turned on, $_POST['name'] would be
the same as $_GET['name'], which is the same as $name - all sorts of
bother!

Another problem with having register_globals on is session
over-writing. Say you authenticate a user and store the user's id in
the session variable $_SESSION['id']. If you then assign the variable
$id with a value anywhere else on a page which the user visits,
$_SESSION['id'] will be over-written with $id!

I know it's a pain to alter your scripts and change over to a system
which doesn't rely on register_globals being on, but in the long run
it's much better if you learn to use the super-globals.

Aug 30 '06 #6
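
An added illustration of the over-writing discussed in this thread, not code from any of the posters: because the register_globals directive was removed in PHP 5.4, the first function only emulates its import step, and the import order (GET, then POST, then cookies), the function names and the request values are assumptions. The second function reads one named source and reports whether the field was absent or merely empty.

```php
<?php
declare(strict_types=1);

// Emulation of the register_globals import: every request source is copied
// into one scope in turn, so a later source overwrites an earlier one.
function import_like_register_globals(array $get, array $post, array $cookie): array
{
    $scope = [];
    foreach ([$get, $post, $cookie] as $source) {   // assumed order: G, P, C
        foreach ($source as $key => $value) {
            $scope[$key] = $value;
        }
    }
    return $scope;
}

// Superglobal-style read: one explicit source, with "field not sent" (null)
// kept distinct from "field sent but empty" ('').
function post_string(array $post, string $key): ?string
{
    if (!array_key_exists($key, $post) || !is_string($post[$key])) {
        return null;
    }
    return trim($post[$key]);
}

// Constructed request: the form posts a name, but the same key also arrives
// from another source with an empty value.
$get    = [];
$post   = ['name' => 'Alice Example', 'email' => 'alice@example.test'];
$cookie = ['name' => ''];

$scope = import_like_register_globals($get, $post, $cookie);

echo "bare \$name under the emulated import: ";
var_dump($scope['name']);
echo "value read from the POST body only:   ";
var_dump(post_string($post, 'name'));
echo "a field the client never sent:        ";
var_dump(post_string($post, 'phone'));
```

Logging the result of `post_string()` next to the raw request body separates a browser that sent no `name` field from a handler whose `$name` was replaced after the request arrived.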
