Re: Form Handler Script Security Discussion

Good topic.  It's touched on here and there in other questions, but always good to hit it head-on from time to time too.

First, mysql_real_escape_string() for inserting into MySQL and whatever equiv you can find for whatever other database you may be using.  addslashes() isn't so hot for database stuff.

Second, I'm not sure you can rely on HTTP Referrer.  Correct me if I'm wrong, but I believe it can be forged.  You can't rely on anything being received from the client for any kind of security checking.



If you have your users logging into a system, one method would be to start a session when they log in and store that session ID in your database.  Whenever the user accesses a page, their session ID can be checked against what's stored as their last used session.  If they don't match, log them out and request re-authentication.   Couple this with a check to see when their last access was so you can time them out and it's not a half bad method of making sure only the proper user is accessing the system.

I know, I said you can't rely on what the client sends and I guess session ID could be part of that.  But session IDs are a little less static than "server name".  If someone was monitoring your network traffic, they'd see all your clients sending the same referrer and could use that whenever they felt like it.  The session ID is a little more transient.  You could even destroy and create new sessions to help prevent someone from snagging a valid session ID that may be active all day and using it.

I'm sure there's at least a dozen decent methods of making sure your pages and forms are accessed by the people who you want to access them, with varying degrees of security balanced with usability.  Just thought I'd toss out some stuff to chew on.

-TG
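The session-binding scheme described above (session ID stored per user at login, checked on every page, idle timeout, and a fresh ID issued at login), as an added example that is not code from either poster. The `users` table, its columns and the in-memory SQLite database are assumptions so it runs stand-alone; swap the DSN for your real database.

```php
<?php
// Added example: bind the PHP session to the user's row in the database,
// time it out on inactivity, and rotate the session ID at login.
// Assumed schema: users(id, name, session_id, last_access). Uses an
// in-memory SQLite DB so the file runs on its own.
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds of inactivity before forcing a new login

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null,
                       [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
                    session_id TEXT, last_access INTEGER)');
        $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");
    }
    return $pdo;
}

// Call after the password check succeeds: new ID first (so an ID handed out
// before login is never trusted), then record it server-side for this user.
function loginUser(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
    $stmt = db()->prepare('UPDATE users SET session_id = ?, last_access = ? WHERE id = ?');
    $stmt->execute([session_id(), time(), $userId]);
}

// Call on every page: the cookie's ID must equal the stored ID for that user
// and the last access must be recent; otherwise drop the session entirely.
function requireValidSession(): bool {
    $uid = $_SESSION['uid'] ?? null;
    if ($uid === null) return false;
    $stmt = db()->prepare('SELECT session_id, last_access FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stale = $row === false || time() - (int)$row['last_access'] > IDLE_TIMEOUT;
    if ($stale || !hash_equals((string)$row['session_id'], session_id())) {
        $_SESSION = [];
        session_destroy();
        return false;                 // caller sends the user back to the login form
    }
    $stmt = db()->prepare('UPDATE users SET last_access = ? WHERE id = ?');
    $stmt->execute([time(), $uid]);   // keeps the idle timer honest
    return true;
}

session_start();
if (isset($_POST['login'])) { loginUser(1); }   // after verifying credentials
if (!requireValidSession()) { http_response_code(401); exit("Please log in again.\n"); }
```

Rotating the ID again on a schedule (for example every few minutes, or on any privilege change) shortens the window in which a copied cookie is useful, as the reply suggests.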


= = = Original message = = =

Just wondering how many of you actually use any type of secure coding
when doing form processing.  I'm guilty of not doing it all the time myself,
but I'm trying to get into the habit of doing so.  For example, I don't want
someone else modifying a form to auto-post values to my handler, so I would
use:

<?php
    // Accept a POST only when the Referer names this host; anything else is
    // rejected. (The original used eregi(), which was removed in PHP 7, and had
    // no statement between the if and the elseif, which does not parse.)
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    $host    = $_SERVER['SERVER_NAME'] ?? '';
    if ($_POST && $host !== '' && stripos($referer, $host) !== false) {
        // This is a safe POST
    } elseif (stripos($referer, $host) === false) {
        die("Illegal access.  Your IP has been logged.\n");
    }
?>

    That's one method.... any other thoughts on that part?

    Then, once the data is there, I try to remember to use addslashes(),
htmlspecialchars(), and other functions (as well as some I've written myself
over the years) to handle the data properly and securely when inserting it
into a database or processing it on anything more than a bare, basic level.



-- 
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
