Re: Multi Page Form

Using hidden fields is not less secure than using visible fields - or session variables which were filled out by end user input.

Hidden fields can be modified but so can any other field and you need to check that the values you receive are expected and proper before you process them. There are probably some good articles on this (better than what I can come up with off the top of my head) but for each field you need to check:

-is it the type you expect? Within the range you expect? (if you expect an integer between 1 and 10 then make sure that's what you got).

-if this is text be sure there's no embedded SQL or JavaScript in it (I've seen some really amazingly effective hacks with just a few lines of code in a guest book or comments field).

-never return the SQL on an error (this is really useful as you debug your app - it's just as useful to the hacker)
for example don't do this:
// user input concatenated straight into the query, and the query echoed back on failure
$myQuery = "SELECT id, name FROM foo WHERE name like '" . $_POST["name"] . "'";
$result = mysql_query($myQuery, $link) or die("SQL Error: " . $myQuery);


-never store the SQL you want to run in a hidden field (God knows why you'd ever want to do that anyway)

-do the values make sense? If someone is ordering something from your store does the price match the price in your DB? Or the sum of prices? (It's actually a bad idea to take information like price and to route it through the end user's browser; you may want to display it but always look it up from your DB).

-if there is an error what does the error look like? It should not reveal anything about your data, database, structure, ...

Good Luck,
Frank

On Oct 4, 2004, at 7:31 PM, php-db-digest-help@xxxxxxxxxxxxx wrote:

From: Stuart Felenstein <stuart4m@xxxxxxxxx>
Date: October 4, 2004 1:28:04 PM PDT
To: php-db@xxxxxxxxxxxxx
Subject: Multi Page Form


Not sure if I posted about this yesterday, anyway new question. I'm building a multi page form. So I'm using hidden fields and echoing them to the next page in the loop.

Now someone tells me this is dangerous.
"because someone can save the final page (with most
of the hidden values) locally, edit it, then load it
and submit from it to your final page, overcoming ALL
your previous validations. (yes, this is possible
for someone that knows how to ditch the HTTP_REFERRER
information)"

So, a) guess I'd like to see if this is true.  I
thought HTTP_REFERRER was the server variable for
grabbing everything before the script.  Aside from
that there is nothing in the URL.

I see these forms quite a bit.  What do people think?

Thank you,
Stuart
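The following is an added example, not code from either poster, showing Frank's checklist applied to the final page of a multi-page form: every hidden value is re-validated for type and range, free text is length-limited and never concatenated into SQL (a prepared statement is used instead), the price is looked up in the database rather than trusted from the browser, and a database failure returns a generic message while the detail goes to the server log. It assumes PDO with the SQLite driver; the products table, column names and sample submissions are constructed here so the script runs offline.

```php
<?php
// Added example (not from the original thread). Assumes PDO + SQLite are available.
declare(strict_types=1);

// Constructed in-memory catalogue so the example is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price INTEGER NOT NULL)');
$db->exec("INSERT INTO products (id, name, price) VALUES (1, 'Widget', 1999), (2, 'Gadget', 4999)");

/**
 * Re-check everything that travelled through hidden fields, even though earlier
 * pages validated it: the client can replay an edited copy of the final page.
 * Returns [ok, list of errors, total in cents].
 */
function validate_order(PDO $db, array $post): array
{
    $errors = [];

    // Type and range: product_id must be a positive integer, qty an integer 1..10.
    $productId = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($productId === false) {
        $errors[] = 'invalid product';
    }
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    if ($qty === false) {
        $errors[] = 'quantity must be between 1 and 10';
    }

    // Free text: bound its length here; escape it with htmlspecialchars() when it is
    // displayed, and never build SQL from it by string concatenation.
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }

    if ($errors) {
        return [false, $errors, 0];
    }

    // Price comes from the DB; the hidden "price" field is only compared, never used.
    $stmt = $db->prepare('SELECT price FROM products WHERE id = :id'); // parameterised query
    $stmt->execute([':id' => $productId]);
    $price = $stmt->fetchColumn();
    if ($price === false) {
        return [false, ['unknown product'], 0];
    }

    // Sanity check: a client-supplied price that disagrees with ours means tampering.
    if (isset($post['price']) && (int)$post['price'] !== (int)$price) {
        return [false, ['price mismatch'], 0];
    }

    return [true, [], (int)$price * $qty];
}

/** Wraps validation so that a database error never reaches the browser. */
function handle_order(PDO $db, array $post): string
{
    try {
        [$ok, $errors, $total] = validate_order($db, $post);
        return $ok ? "Total: $total cents" : 'Order rejected: ' . implode('; ', $errors);
    } catch (PDOException $e) {
        error_log('order failure: ' . $e->getMessage()); // full detail to the log only
        return 'Sorry, something went wrong.';            // no SQL, no driver message
    }
}

// Constructed submissions: a legitimate one, one with a tampered hidden price,
// and one with garbage in the integer fields.
echo handle_order($db, ['product_id' => '2', 'qty' => '3', 'name' => 'Stuart', 'price' => '4999']), "\n";
echo handle_order($db, ['product_id' => '2', 'qty' => '3', 'name' => 'Stuart', 'price' => '1']), "\n";
echo handle_order($db, ['product_id' => 'abc', 'qty' => '50', 'name' => '', 'price' => '0']), "\n";
```

Run it with the PHP CLI; the first submission prints a total of 14997 cents, the second is rejected with "price mismatch", and the third lists all three field errors. The point Frank makes about the hidden-field debate is visible in the structure: nothing in the script depends on whether a value came from a hidden field, a visible field or the referrer, because every value is treated as untrusted until it has passed these checks.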
