Re: is there a better way to know from which php file the request comes from ??

On Mon, Aug 17, 2009 at 5:31 PM, Shawn McKenzie<nospam@xxxxxxxxxxxxx> wrote:
> nashrul wrote:
>> This is a newbie question...
>> Let's say there are 3 php files, page1.php, page2.php and page3.php. Form
>> submission from page1.php or page2.php will take user to page3.php.
>> I know that we can use a parameter that is appended in the action attribute of
>> the form (e.g. <FORM METHOD=POST ACTION="tes.php?var1=val1">)
>> But I think appending this parameter is transparent to the user, since it's
>> visible in the URL.
>> And I think we can also use the hidden field or (form name ??.).
>> So which one is most secure and better ??
>> Thanks..
>
> I personally don't see a problem with using get or post vars, but to
> keep the user from being able to manipulate it do this.  This could also
> be in a header file included at the top of all pages:
>
> //page1.php and page2.php
> session_start();
> $_SESSION['page'] = $_SERVER['PHP_SELF'];
>
> //page3.php
> session_start();
> $page = $_SESSION['page'];
> // use $page somehow . . .
>
> --
> Thanks!
> -Shawn
> http://www.spidean.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

This approach degrades very simply:

1) Say you have four pages, a.php, b.php, c.php and d.php.
2) b expects user to come from a, d from c.
3) I open two tabs, a.php and c.php.
4) $_SESSION['from'] is now c.php
5) I post to b from a, get an error. $_SESSION['from'] is now b.php.
6) I post to d from c and get an error.

Obviously this example is a tad bit contrived, but as long as your
user is browsing your site in more than one tab/window, using that
approach will break often and result in a user experience, so I'd
stick away from it.

As far as relying on cookies, HTTP headers, hidden form fields, etc.,
they are all user input, and Lesson 1 in Security 101 is that you don't
trust user input.  Ever.  I always assume that the best HTTP blackhats
are after my sites when I write them and make them unnecessarily
overthought, but they're secure.  I even let a few
(black|white|grey)hat friends of mine take a peek at the code, when I
can, to get their input.  If you can think of a way to exploit your
code, so can someone else.  And so will someone else.

Generally speaking, I'm not entirely sure that this is a question that
even needs an answer.  I'm going to have to echo a sentiment from
earlier in the thread that you need to be validating all of your data
anyway, so it shouldn't matter if I POST to page3 from page2 or from
page1 or from a CLI app written with curl/wget.  What should matter is
whether or not the data I'm POST'ing meets the security criteria that
you've dictated (whatever that may be) and gets properly
escaped/filtered before being entered into the database or otherwise
used.  I'd venture so far as to say that if you need to care about
where a form is POST'd from for security, you have a flawed security
model and in all likelihood a very insecure application and some
serious refactoring to do.

I can't imagine a situation where dictating page2 comes from page1 and
page3 comes from page2 is necessary for security at all.  Perhaps I'm
being shortsighted and you can provide some examples?
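
The tab scenario in steps 1-6 above, replayed as an added example that is not part of the original message: a plain array stands in for `$_SESSION`, and `track_page()`, `handle_post()` and the two `simulate_*` functions are hypothetical names. It assumes the tracking line runs in a header included on every page, as the quoted suggestion allows, and that the target page checks the stored value before overwriting it.

```php
<?php
// Added illustration: one shared session (an array standing in for $_SESSION)
// used by two browser tabs, following steps 1-6 of the message.

// What the common header include does on every page load.
function track_page(array &$session, string $page): void
{
    $session['from'] = $page;
}

// Handle a form POST to $target that is only valid when the user came from
// $expected. Returns true when the origin check passes.
function handle_post(array &$session, string $target, string $expected): bool
{
    $ok = ($session['from'] ?? null) === $expected;
    track_page($session, $target); // the target page runs the same include
    return $ok;
}

function simulate_two_tabs(): array
{
    $session = [];                  // one session shared by every tab
    $log = [];

    track_page($session, 'a.php');  // tab 1 opens a.php
    track_page($session, 'c.php');  // tab 2 opens c.php, overwriting tab 1
    $log[] = "both tabs open: from = {$session['from']}";

    $ok = handle_post($session, 'b.php', 'a.php');  // tab 1 submits a -> b
    $log[] = 'a.php -> b.php: ' . ($ok ? 'accepted' : 'rejected')
           . ", from = {$session['from']}";

    $ok = handle_post($session, 'd.php', 'c.php');  // tab 2 submits c -> d
    $log[] = 'c.php -> d.php: ' . ($ok ? 'accepted' : 'rejected')
           . ", from = {$session['from']}";

    return $log;
}

// Single-tab control: the same check passes when pages are visited in order.
function simulate_one_tab(): array
{
    $session = [];
    track_page($session, 'a.php');
    $first = handle_post($session, 'b.php', 'a.php');
    track_page($session, 'c.php');
    $second = handle_post($session, 'd.php', 'c.php');
    return [$first, $second];
}

echo implode(PHP_EOL, simulate_two_tabs()), PHP_EOL;
var_dump(simulate_one_tab());
```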
