safe form...

Hi,

Suppose you want to make sure submitted data is coming from "your" form and
not submitted (with tools) elsewhere.
What do I need to prevent false/hacked/spoofed data?

- register globals = off;
- use $_HTTP["POST"]
- check referrer with $_SERVER["HTTP_REFERER"]

are these settings 'air tight'? or (and how?) can it be overruled /
circumvented??

Regards,
Marco

Jul 17 '05 #1
Marco wrote:

You need to learn how to cross post and not multi post. That way when
people reply to your post it goes to all the groups you posted to and
you end up with one discussion thread instead of many...

Here's my reply to your message in alt.comp.lang.php:
> Suppose you want to make sure submitted data is coming from "your"
> form and not submitted (with tools) elsewhere.
> What do I need to prevent false/hacked/spoofed data?
>
> - register globals = off;
> - use $_HTTP["POST"]

$_HTTP["POST"] isn't a valid variable - you want $_POST["var_name_here"]

> - check referrer with $_SERVER["HTTP_REFERER"]

Unfortunately you cannot rely on $_SERVER["HTTP_REFERER"] as it can be
blocked/unset by browser settings and other 3rd party software such as
anti spy software, privacy software, ad blocking software etc. In some
cases this is set to be blank and in other cases the site's domain
name.

And if someone is trying to see if they can do stuff to your site/server
through a form post they'd quite easily be able to fake the referrer
anyway and make it look like they were posting from your page.

> are these settings 'air tight'? or (and how?) can it be overruled /
> circumvented??

You could make the user enter the string value contained in a generated
image and the value of the image is stored in a hidden field using a
hashing algorithm like md5. When the form is submitted you compare the
hash of their string with the hidden field. There are downsides to this
as it can mean people are put off completing the form altogether and
there are accessibility issues as well.

--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
Jul 17 '05 #2
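As an added example (not code from the thread or from either poster), here is a PHP sketch of the two checks discussed above: the referrer comparison from the question, and the hashed-hidden-field challenge Chris describes, placed beside a session-backed variant of the same idea. It assumes the challenge text would be rendered into an image by some other function (image generation is left out so the logic runs at the command line); the function names, the file name and the sample requests are made up for illustration.

```php
<?php
// Added example, not code from the thread. Assumption: make_challenge()
// output would normally be drawn into an image; here it stays plain text.

// The referrer check from the question. It compares a header the client
// chose to send against our host name, so it can only ever reject clients
// that do not bother to set it.
function referer_is_ours(array $server, $host) {
    if (empty($server['HTTP_REFERER'])) {
        return false;   // privacy tools and some browsers send nothing at all
    }
    $ref = parse_url($server['HTTP_REFERER']);
    return isset($ref['host']) && strcasecmp($ref['host'], $host) === 0;
}

// Random challenge text; characters chosen to be hard to confuse in an image.
function make_challenge($length = 6) {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Variant 1, as posted: md5 of the challenge travels in a hidden field and
// the check compares md5(what the user typed) against it.
function render_form_hidden_hash($challenge) {
    $hash = md5($challenge);
    return '<input type="hidden" name="chk" value="'
         . htmlspecialchars($hash, ENT_QUOTES) . '">' . "\n"
         . '<input type="text" name="code">';
}

function verify_hidden_hash(array $post) {
    if (!isset($post['code'], $post['chk'])) {
        return false;
    }
    // Both values come from the client, so a (code, chk) pair that passed
    // once passes every time it is resent: nothing server-side changes.
    return md5($post['code']) === $post['chk'];
}

// Variant 2: the expected value stays in the session, is never sent to the
// client, and is removed after one verification attempt.
function render_form_session($challenge) {
    $_SESSION['challenge'] = $challenge;
    return '<input type="text" name="code">';
}

function verify_session(array $post) {
    if (!isset($post['code'], $_SESSION['challenge'])) {
        return false;
    }
    $expected = $_SESSION['challenge'];
    unset($_SESSION['challenge']);      // one submission per challenge
    return strtoupper($post['code']) === $expected;
}

// Command-line demonstration with constructed requests.
if (PHP_SAPI === 'cli') {
    if (!isset($_SESSION)) {
        $_SESSION = array();            // stand-in for session_start() in CLI
    }
    // Constructed request with a forged Referer header.
    $forged = array('HTTP_REFERER' => 'http://www.example.com/form.php');
    var_dump(referer_is_ours($forged, 'www.example.com'));
    var_dump(referer_is_ours(array(), 'www.example.com'));

    $c = make_challenge();
    echo render_form_hidden_hash($c), "\n";
    $replayed = array('code' => $c, 'chk' => md5($c));
    var_dump(verify_hidden_hash($replayed));
    var_dump(verify_hidden_hash($replayed));

    render_form_session($c);
    var_dump(verify_session(array('code' => $c)));
    var_dump(verify_session(array('code' => $c)));
}
```

Run it as `php safe_form.php` (the file name is an assumption). The forged request passes the referrer check because the header is whatever the client chose to send, while the empty request fails it, which is how a legitimate privacy-conscious visitor would be treated. The hidden-field variant accepts the replayed pair on both calls, since the only state it has is the two client-supplied values; the session variant accepts the first attempt and rejects the second because the expected value was consumed.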
You're right, Chris.

Thanks for your reply though :-)
Marco

Jul 17 '05 #3
