Form Handler Script Security Discussion

   Just wondering how many of you actually use any type of secure coding
when doing form processing.  I'm guilty of not doing it all the time myself,
but I'm trying to get into the habit of doing so.  For example, I don't want
someone else modifying a form to auto-post values to my handler, so I would
use:

<?php
   // Accept a POST only if the Referer header names this server.
   // eregi() was removed in PHP 7; preg_match() with preg_quote() gives the
   // same case-insensitive substring match without treating the dots in the
   // host name as regex wildcards.
   $server  = $_SERVER['SERVER_NAME'] ?? '';
   $referer = $_SERVER['HTTP_REFERER'] ?? '';
   $fromThisHost = $server !== ''
       && preg_match('/' . preg_quote($server, '/') . '/i', $referer) === 1;

   if ($_POST && $fromThisHost) {
       // This is a safe POST
   } elseif (!$fromThisHost) {
       die("Illegal access.  Your IP has been logged.\n");
   }
?>

   That's one method... Any other thoughts on that part?

   Then, once the data is there, I try to remember to use addslashes(),
htmlspecialchars(), and other functions (as well as some I've written myself
over the years) to handle the data properly and securely when inserting it
into a database or processing it on anything more than a bare, basic level.



--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107
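The following is an added example and is not code from the post above. It puts the Referer check beside a per-session synchronizer token, and addslashes()-style escaping beside a prepared statement, on constructed input. The Referer header is whatever the client chooses to send (or omit), so a substring match on the server name can be satisfied by a URL on another site that merely contains the host name, while browsers and proxies that strip Referer fail the check even for legitimate users. The host names `www.example.com` and `evil.example`, the `comments` table, and the function names are all assumptions made for the example.

```php
<?php
// Added example, not from the original post: the post's Referer check next to a
// CSRF synchronizer token, and a prepared statement next to addslashes().
// All inputs below are constructed; host names and table names are made up.
declare(strict_types=1);

// 1. The post's check: case-insensitive substring match of SERVER_NAME in Referer.
function refererLooksLocal(string $serverName, string $referer): bool
{
    return $serverName !== ''
        && preg_match('/' . preg_quote($serverName, '/') . '/i', $referer) === 1;
}

// 2. A synchronizer token: unguessable, stored server-side, compared in constant time.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfTokenValid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// 3. Storing form data: a bound parameter instead of addslashes().
function insertComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// 4. HTML escaping done at output time, with the page's charset stated explicitly.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- demonstration on constructed input ---
$host = 'www.example.com';  // assumed SERVER_NAME

// Every one of these passes the substring check; only the first is genuine.
$referers = [
    'http://www.example.com/form.php',
    'http://evil.example/?next=www.example.com',   // host name in the query string
    'http://www.example.com.evil.example/',        // look-alike host
];
foreach ($referers as $r) {
    printf("%-45s referer check: %s\n", $r, refererLooksLocal($host, $r) ? 'pass' : 'fail');
}
// A client that strips Referer is refused even though it never forged anything.
printf("%-45s referer check: %s\n", '(no Referer header)', refererLooksLocal($host, '') ? 'pass' : 'fail');

// The token check does not depend on anything the browser sends automatically.
$session = [];
$token    = issueCsrfToken($session);
$goodPost = ['comment' => 'hi', 'csrf_token' => $token];
$badPost  = ['comment' => 'hi', 'csrf_token' => str_repeat('0', 64)];
printf("token check, genuine form: %s\n", csrfTokenValid($session, $goodPost) ? 'pass' : 'fail');
printf("token check, forged form:  %s\n", csrfTokenValid($session, $badPost) ? 'pass' : 'fail');

// addslashes() knows nothing about the database's charset or quoting rules;
// a bound parameter never becomes part of the SQL text at all.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$hostile = "x', 'pwned'); DROP TABLE comments; --";
insertComment($db, $hostile, '<script>alert(1)</script>');
$row = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
printf("stored author verbatim: %s\n", $row['author'] === $hostile ? 'yes' : 'no');
printf("escaped body: %s\n", escapeHtml($row['body']));
```

Run with `php example.php` (needs the pdo_sqlite extension). The token is issued when the form is rendered and embedded in a hidden field; the handler calls csrfTokenValid() before touching $_POST. Escaping with htmlspecialchars() belongs at output time, once per context, rather than at storage time, so the database keeps the original text and the same value can later be emitted into HTML, JSON or a mail body with the escaping that context needs.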
