Bytes | Software Development & Data Engineering Community

Question about php include() security

TheServant
1,168 Expert 1GB
Usually when I write a form in html, I put the action as:
[PHP]action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8'); ?>"[/PHP]

Now in my page I obviously include() the thing I want my form to do. So how it works is it checks the variables that have been sent, and if they are what is expected then it does the rest of my code. Now why I do that is so that if you go view page source, you will only see the current page's URL in the action part.

Obviously the alternative is to have the action point straight to the file so that it actually posts the data to another file rather than itself. So I wanted to know your thoughts on whether I am being over protective, or if this is standard practice, or if this is a waste of time and you have no idea why I do this?

Without hacking in the server, is there a way to view the php of a php file if you know the file location?

Cheers,
TS
Apr 17 '08 #1
Markus
6,050 Expert 4TB
To your last question, which should really sum everything up: there is no way for a user to view your unprocessed php pages - the php is processed on the server before it gets to the browser. Therefore, it is impossible to read.

Imagine if people could actually intercept your php *cringe*

Regards!
Apr 17 '08 #2
TheServant
1,168 Expert 1GB
Great! So, is it better to send the form to a script, or include() it as I described? I am presuming it makes no difference but I would just like to make sure.
Apr 17 '08 #3
Markus
6,050 Expert 4TB
Makes no difference my friend!
Apr 17 '08 #4
TheServant
1,168 Expert 1GB
Cheers, but I just thought of a potential problem. If someone knew the path to your php file, could they send a form to it? I don't think it can, because it is server side, so can only be accessed from the same server (requesting page), but I better check.

So for example, I have an update_player_money.php which accepts some form inputs and applies them appropriately to the db. If someone made their own form, to simulate mine and send it to MY php file, would it work? Or because it wouldn't be from my server it would fail?
Apr 21 '08 #5
Markus
6,050 Expert 4TB
No, it would work. But why is that a problem as long as you are sanitising ALL the input before it's put into the database?
Apr 21 '08 #6
TheServant
1,168 Expert 1GB
Well, my script gets the session username, and then finds the data in the table according to that username. You use the forms to do things like train/untrain troops (online game). Now if someone worked all this out, they could send all the data I usually send (fake a form submission) including a fake session username. Why is this a problem? If they use another player's username, they could do things to their account.

I have only just thought about this and I need to go through my code to see if I am in fact protected, but from memory, I think you could do this. The only way of solving it would be to have the user's encrypted password stored as a session variable and check that on every load.
Apr 21 '08 #7
TheServant
1,168 Expert 1GB
OK, so after some testing, it doesn't matter if I have include() or just post the form. If someone wanted to use my php function they just send it to my form page and the include() function will run it for them anyway.

Now the major problem is, securing my session variables. If someone knew what my session variable for username was (which is my table index), they could set it to another username and then run a script to send that as well as anything they want to my php file which will do what it is supposed to?

Potentially they could tell the server to untrain, or even delete another user. Any ideas how I could stop this?
Apr 22 '08 #8
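The session-spoofing worry in posts #7 and #8, and the earlier include()-versus-separate-handler question, in one added PHP example that is not from this thread or from TheServant's game code. The function names, the `troops` field and the `csrf_token` name are assumptions for illustration, and it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from this thread. Two ways a handler such as the
// update_player_money.php discussed above could decide which player to act on.
// Function and field names are assumptions for illustration (needs PHP 7.1+).
session_start();
// WEAK: trusting an identity that arrives in the request. Anyone who can POST
// to this URL can name any player, which is the impersonation feared above.
// (register_globals made this mistake automatic for every variable.)
function weakPlayerName(): ?string {
    return $_POST['username'] ?? null;
}
// HARDENED: identity comes only from the server-side session, set at login.
// The browser holds just the session ID cookie; session contents never leave
// the server, so a forged request cannot choose $_SESSION['username'].
function sessionPlayerName(): ?string {
    return $_SESSION['username'] ?? null;
}
// Per-session CSRF token: a form built on another site cannot know it, so a
// logged-in player's browser cannot be tricked into submitting on their behalf.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function csrfTokenIsValid($submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}
// The same checks run whether this file is include()d by the form page or
// posted to directly; PHP executes it either way.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $player = sessionPlayerName();
    if ($player === null || !csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Not logged in, or the form token is missing or wrong');
    }
    $troops = filter_input(INPUT_POST, 'troops', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($troops === false || $troops === null) {
        http_response_code(400);
        exit('troops must be a non-negative integer');
    }
    // ... update the row for $player with a prepared statement ...
}
?>
<form method="post" action="<?= htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="number" name="troops" min="0"> <button>Train</button>
</form>
```

The point for post #8 is that `$_SESSION` is never populated from the request unless your own code copies it there (or register_globals is on), so the fix is to set the username once at login and never read it from `$_POST`; the token stops a third-party form from riding a real player's session.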