bruce wrote:
thanks for the replies... i think i understand what you're stating..
but i'm still confused as to why my app/server would allow a GET/POST
piece of data that would/should be originating from a form on my site
to come from a 3rd party/external site/app? i would have assumed that
there are relatively easy/straight-forward methods to resolve this.
If you're using GET, then the URL in the user's address bar would look
like this:
http://www.example.com/myscript.php?myvar1=some&myvar2=value
It's painfully easy for even the most novice of users to edit the values
to say, for example:
http://www.example.com/myscript.php?myvar1=%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert%28%27hello%27%29%3C%2Fscript%3E&myvar2=value
Which, if you outputted $_GET['myvar1'] without htmlspecialchars()
escaping, would happily execute a JS script on your page. That's a
rather benign example (simply pops up a "hello" box), but it wouldn't be
difficult to do something worse.
Anyone else could link to your page with that URL and have the script
executed on your page. You can't stop this, so you have to escape and
validate the data coming in.
POST is a little more difficult but it is still really easy for a
slightly more clued-up user to edit the data, or another website to POST
data from their form to your script.
--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
