On Tue, March 13, 2007 10:19 am, Todd Cary wrote:
> To validate a page, I set the form value to the page name the
> user is on. Then there is a hidden variable, "looped" that is
> set to "1". By checking "looped", I know if the user has
> re-entered the form so I can do my validation checks.
>
> Is there a disadvantage to this approach?

If a malicious user is TRYING to mess you up, they could easily edit a copy of the form on their hard drive, and change "looped" to interesting and obvious values that will probably break your application: 0, -1, 42, ' 1; drop table mysql.user' spring to mind as "interesting" values to cram into there. :-v

Consider, however, if you put an un-predictable random token in the first form output, and log that token in your session (or DB) as "valid".

After the first submission, mark it as "used".

At that point, the user cannot mess you up, unless they are good enough to guess the 1 in a billion chance of another valid unused token.

See http://php.net/uniqid and http://php.net/md5 for how to generate an unpredictable unique token for this use.

An SQL-injection attack is still possible, but an md5 is always 32 characters, so one of your sanity checks can be:

$token = $_POST['token'];
if (strlen($token) !== 32){
  //log their IP or whatever, because they almost-for-sure are bad guy
  die("Invalid token. Loser!");
}
$token_sql = mysql_real_escape_string($token);
$query = "select used from token where token = '$token_sql'";

used is a boolean. They either used it already, and you should ignore the re-POST (or whatever you want to do) or not, and you should process it and do:

$query = "update token set used = 1 where token = '$token_sql'";

The $_SESSION version is even easier...

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
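The "$_SESSION version" the reply alludes to, written out as an added example that is not part of the original thread or of any poster's code. It assumes PHP 7 or later, uses random_bytes() rather than uniqid()/md5() for the token, and the function names issue_token()/consume_token() and the in-memory array standing in for $_SESSION are my own choices so the file runs from the CLI without a web server or session.

```php
<?php
// Added example: single-use form token kept in the session, the approach the
// reply describes (issue an unpredictable token, accept it once, then mark it
// "used" so a re-POST or a tampered value is rejected).
// Assumption: a plain array plays the role of $_SESSION here; in a real page
// you would call session_start() and pass $_SESSION instead.

function issue_token(array &$session): string
{
    // 16 CSPRNG bytes -> 32 hex characters, so the length/charset check below
    // matches the "always 32 characters" sanity check from the original post.
    $token = bin2hex(random_bytes(16));
    $session['form_tokens'][$token] = ['used' => false, 'issued' => time()];
    return $token;
}

function consume_token(array &$session, string $posted, int $max_age = 3600): bool
{
    // Cheap structural check first: anything that is not 32 hex chars was never ours.
    if (!preg_match('/^[0-9a-f]{32}$/', $posted)) {
        return false;
    }
    // Lookup by array key, so no SQL and no string interpolation is involved.
    if (!isset($session['form_tokens'][$posted])) {
        return false;   // never issued, or issued to a different session
    }
    $entry = $session['form_tokens'][$posted];
    if ($entry['used'] || (time() - $entry['issued']) > $max_age) {
        return false;   // replayed re-POST, or a stale token
    }
    // Mark it used *before* doing any real work, so a double submit that
    // arrives while the first one is still processing lands in the reject branch.
    $session['form_tokens'][$posted]['used'] = true;
    return true;
}

// Demo with a constructed in-memory "session".
$session = [];
$t = issue_token($session);
printf("hidden field: <input type=\"hidden\" name=\"token\" value=\"%s\">\n", $t);
var_dump(consume_token($session, $t));                              // first submit
var_dump(consume_token($session, $t));                              // same token again
var_dump(consume_token($session, "' 1; drop table mysql.user"));   // tampered value
```

Only the first call should succeed; the replay and the tampered value both fail before any application logic runs.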