On Wednesday 01 June 2005 22:33, you wrote:
> > elseif(count($_POST)>0)
> >   foreach($_POST as $key=>$value)
> >     if( ($key!=='login') && ($key!=='name') && ($key!=='pass') )
> >       $hiddens.=<<<_hid_
> > <input type="hidden" name="$key" value="$value">\n\t
> > _hid_;
>
> But what happened here? Why do you assume POST data is safe?

You're right, it isn't. Thanks!

> > if( (array_key_exists('savereferer',$_GET)) &&
> >     ($_GET['savereferer']=='yes'))
> > {safeReferer($ref,$chksum);
> >  $hiddens.=<<<_ref_
> > <input type="hidden" name="referer" value="$ref">\t
> > \t<input type="hidden" name="checksum" value="$chksum">
> > _ref_;
> > }
>
> I don't see where $ref comes from. I am assuming it somehow trickles
> down from HTTP_REFERER? If so, did you clean it?

Here is the function safeReferer:

  function safeReferer(&$referer, &$checksum, $default=PAGE_PAGESTORE)
  {
    # Small piece of code to safely include referers in HTML code:
    # + get the referer and save it in the form together with a digest code
    #   computed over the referer plus some noise;
    # + on request, verify it by adding the noise to the submitted referer
    #   and recalculating the digest code;
    # + if it does not match, use the standard page as referer.
    $referer = htmlspecialchars(urlencode(
        isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''));
    if ($referer == '') $referer = $default;
    $checksum = makeCheckSum($referer);

    $req_ref = $req_chk = null;
    if (!empty($_POST['referer']) && !empty($_POST['checksum'])) {
      $req_ref = $_POST['referer'];
      $req_chk = $_POST['checksum'];
    }
    elseif (!empty($_GET['referer']) && !empty($_GET['checksum'])) {
      # parameters passed urlencoded are automatically decoded by PHP,
      # so re-encode before comparing against the stored digest
      $req_ref = urlencode($_GET['referer']);
      $req_chk = $_GET['checksum'];
    }

    if (!is_null($req_ref)) {
      # strict comparison: PHP's loose == on hash strings is not safe
      if (makeCheckSum($req_ref) === $req_chk) {
        $referer  = $req_ref;
        $checksum = $req_chk;
      }
      else {
        $referer  = urlencode($default);
        $checksum = makeCheckSum($referer);
      }
    }
    return urldecode($referer);
  }

  function makeCheckSum($input)
  {
    $noise = "+++some'(-546%noise#*";
    $checksum = sha1(md5("$input$noise"));
    return $checksum;
  }

Thank you.

With kind regards,
Andy
--
Registered Linux User Number 379093
--
Check out these few PHP utilities that I released under the GPL2 and that are
meant for use with a PHP CLI binary: http://www.vlaamse-kern.com/sas/
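The two patterns the thread picks at are echoing POST values back into hidden fields and deciding whether a submitted referer can be trusted. The following is an added example of a hardened version of both, written for this page; it is not the poster's code and not from the thread. The constants DEFAULT_PAGE and REFERER_KEY stand in for the original's PAGE_PAGESTORE and its secret noise string, the function names (attr, hiddenFields, localPath, refererTag, safeRefererHardened) and the field names 'referer' and 'checksum' are assumptions, and the request arrays at the bottom are constructed sample input. It replaces the unkeyed sha1(md5($input.$noise)) digest with an HMAC, compares it in constant time, escapes attribute values with ENT_QUOTES, and adds the check the checksum alone cannot give: that the referer is a same-site path.

```php
<?php
declare(strict_types=1);
// Added example, not the poster's code. Field names 'referer'/'checksum',
// the default page and the key constant are assumptions for illustration.

// Stand-ins for the original's PAGE_PAGESTORE and for its secret "noise".
// A real deployment loads the key from configuration, never from source.
const DEFAULT_PAGE = '/store.php';
const REFERER_KEY  = 'assumed-key-replace-with-32-random-bytes';

// Escape for an HTML attribute. ENT_QUOTES covers both quote styles, so a
// value like  " onmouseover="...  cannot break out of value="...".
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Re-emit POST fields as hidden inputs (the $hiddens loop), escaping both
// name and value and copying only scalars, so a nested array is not
// silently stringified to "Array".
function hiddenFields(array $post, array $skip = ['login', 'name', 'pass']): string
{
    $out = '';
    foreach ($post as $key => $value) {
        if (in_array((string) $key, $skip, true) || !is_scalar($value)) {
            continue;
        }
        $out .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            attr((string) $key), attr((string) $value));
    }
    return $out;
}

// Reduce a referer to a same-site path, or null if it points elsewhere.
// The checksum proves we minted the value; it does not prove the value is
// a safe place to send the user, so this check is needed as well.
function localPath(string $url, string $host): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['path']) || $p['path'][0] !== '/') {
        return null;
    }
    if (isset($p['host']) && strcasecmp($p['host'], $host) !== 0) {
        return null;
    }
    if (isset($p['scheme']) && !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $p['path'] . (isset($p['query']) ? '?' . $p['query'] : '');
}

// Keyed HMAC over the referer, instead of sha1(md5($input . $noise)).
function refererTag(string $ref): string
{
    return hash_hmac('sha256', $ref, REFERER_KEY);
}

// Same contract as the original safeReferer(): returns [referer, tag].
// On the form-rendering request, take HTTP_REFERER if it is local and
// mint a tag; on submission, accept the posted referer only if its tag
// verifies and it is still local; otherwise fall back to the default.
function safeRefererHardened(array $server, array $post, string $default = DEFAULT_PAGE): array
{
    $host = $server['HTTP_HOST'] ?? 'localhost';
    if (isset($post['referer'], $post['checksum'])
        && is_string($post['referer']) && is_string($post['checksum'])) {
        // hash_equals(): constant time, and never a loose == on hash strings
        // (PHP compares "0e..." strings numerically under ==).
        if (hash_equals(refererTag($post['referer']), $post['checksum'])
            && localPath($post['referer'], $host) !== null) {
            return [$post['referer'], $post['checksum']];
        }
        return [$default, refererTag($default)];
    }
    $ref = localPath($server['HTTP_REFERER'] ?? '', $host) ?? $default;
    return [$ref, refererTag($ref)];
}

// --- constructed demonstration input ------------------------------------
$server = ['HTTP_HOST' => 'shop.example',
           'HTTP_REFERER' => 'https://shop.example/cart.php?id=7'];

// 1. Render: mint referer + tag and emit the hidden fields. The script
//    payload comes out entity-encoded and 'pass' is not echoed back.
[$ref, $tag] = safeRefererHardened($server, []);
echo hiddenFields(['q' => '"><script>alert(1)</script>', 'pass' => 'secret']),
     sprintf("<input type=\"hidden\" name=\"referer\" value=\"%s\">\n", attr($ref)),
     sprintf("<input type=\"hidden\" name=\"checksum\" value=\"%s\">\n", attr($tag));

// 2. Honest submission: the tag verifies and the posted referer is returned.
echo safeRefererHardened($server, ['referer' => $ref, 'checksum' => $tag])[0], "\n";

// 3. Tampered referer with the old tag: verification fails, DEFAULT_PAGE is returned.
echo safeRefererHardened($server, ['referer' => 'https://evil.example/', 'checksum' => $tag])[0], "\n";
```

Two design points worth noting. The tag is computed over the raw path and the path is escaped only at output time with attr(); mixing urlencode() and htmlspecialchars() into the stored value, as the original does, makes it hard to know what string the digest actually covers. And the same-site check runs on the way in and again on the way out, because a valid tag only says "we produced this string once", which is not the same as "this string is a safe redirect target".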