Discussion: $_POST array question
30/04/2008, 18h25   #18
Guillaume
Re: $_POST array question

William Gill wrote:
> I use a session variable to reject input from any other page.
> if ($_SESSION['secret'] != $_POST['secret'])

And what prevents the hacker from looking at your HTML output to read
the "secret" variable, then parse through your site to generate the
session (without validating the site's form), and finally validate his
own HTML form on his local computer (whose "action" would be the same as
the site's one) with the opened session he has with your server?

> Besides, I fail to see where an unset field poses a threat. One set
> with an unsafe value does, which is why I filter/validate IT not the key.

Simple example: an empty password is a threat.
Maybe not your case, but it's a trivial example coming to my mind,
meaning there could be many more examples, not as trivial, that would
create (huge or not) security holes.

Regards,
--
Guillaume
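The check quoted in the thread placed beside a stricter version of it, as an added example that is not part of the thread or of either poster's code; the field names "user" and "password" and the token value are constructed.

```php
<?php
// The check as quoted in the thread, wrapped in a function.
// It compares one field and nothing else: it does not check that the
// other posted fields exist, are strings, or are non-empty (the
// "empty password" case raised in the reply).
function weakCheck(array $session, array $post): bool
{
    return !($session['secret'] != $post['secret']);
}

// Stricter version: every required field must be present, a string and
// non-empty, and the token comparison is type-strict and constant-time.
// Note that a per-session token only ties the request to the session; as
// the reply points out, it cannot prove the request came from the site's
// own form, so the server still has to validate every value it receives.
function validatePost(array $session, array $post, array $required): array
{
    $errors = [];
    foreach ($required as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "missing or empty field: $field";
        }
    }
    if ($errors === []) {
        if (!isset($session['secret']) || !is_string($session['secret'])
            || !isset($post['secret']) || !is_string($post['secret'])
            || !hash_equals($session['secret'], $post['secret'])) {
            $errors[] = 'token mismatch';
        }
    }
    return $errors;
}

// Constructed sample data standing in for $_SESSION and $_POST.
$session  = ['secret' => 'a1b2c3'];
$required = ['secret', 'user', 'password'];
$complete = ['secret' => 'a1b2c3', 'user' => 'alice', 'password' => 'hunter2'];
$noPass   = ['secret' => 'a1b2c3', 'user' => 'alice', 'password' => ''];
$badToken = ['secret' => 'zzzzzz', 'user' => 'alice', 'password' => 'hunter2'];

// The quoted check accepts the empty-password request because it never
// looks at the password field; the stricter check reports it.
var_dump(weakCheck($session, $noPass));
print_r(validatePost($session, $noPass, $required));
print_r(validatePost($session, $complete, $required));
print_r(validatePost($session, $badToken, $required));
```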
 