Re: $_POST array question
Guillaume wrote:
> William Gill a écrit :
>> I use a session variable to reject input from any other page.
>> if ($_SESSION['secret'] != $_POST['secret'])
> And what prevents the hacker from looking at your HTML output to read
> the "secret" variable, then parse through your site to generate the
> session (without validating the site's form), and finally validate his
> own HTML form on his local computer (whose "action" would be the same as
> the site's one) with the opened session he has with your server?
$secret is not a static value; it's generated using a random number
algorithm when the session starts, and expires when the session expires.
>> Besides, I fail to see where an unset field poses a threat. One set
>> with an unsafe value does, which is why I filter/validate IT not the key.
> Simple example: an empty password is a threat.
> Maybe not your case, but it's a trivial example coming to my mind,
> meaning there could be many more examples, not as trivial, that would
> create (huge or not) security holes.
I validate every field's submitted value; even if a hacker got one in,
it wouldn't meet muster. The original question related to checking to
see if the field was set, which apparently it always is, even when empty.
I'm not trying to be argumentative, I am really trying to be sure what
I'm doing is what I think.
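As an added example (not code from this thread or either poster), here is how the per-session random secret and the per-field validation William describes could be written in PHP, including the point that a submitted form field is always set in `$_POST` even when blank. The function names, field names and the handler file name are assumptions:

```php
<?php
// Added example, not code from the thread. Function and field names
// (get_form_secret, secret_field, validate_submission, username,
// password, handler.php) are assumptions made for illustration.

// Generate the secret once per session from a CSPRNG (random_bytes,
// PHP 7+) rather than a plain rand()/mt_rand(). It lives and dies
// with the session, as described in the thread.
function get_form_secret(): string {
    if (empty($_SESSION['secret'])) {
        $_SESSION['secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['secret'];
}

// Hidden field to emit inside the form.
function secret_field(): string {
    return '<input type="hidden" name="secret" value="'
        . htmlspecialchars(get_form_secret(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted $_POST array against the session.
// Any field present in the HTML form is set in $_POST (as '' when left
// blank), so isset() alone says nothing about whether it was filled in;
// each value has to be validated on its own terms.
function validate_submission(array $post, array $session): array {
    $errors = [];

    // Constant-time comparison; a missing or wrong secret rejects the
    // whole submission before any field is looked at.
    if (!isset($post['secret'], $session['secret'])
        || !hash_equals($session['secret'], (string) $post['secret'])) {
        $errors[] = 'form secret mismatch';
        return $errors;
    }

    // Per-field validation: "set" is not "valid". This is where the
    // empty-password case from the thread is rejected.
    $username = trim((string) ($post['username'] ?? ''));
    if ($username === '' || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'username missing or malformed';
    }
    $password = (string) ($post['password'] ?? '');
    if ($password === '') {
        $errors[] = 'password must not be empty';
    }

    return $errors;
}

// Usage on the page that serves the form:
//   session_start();
//   echo '<form method="post" action="handler.php">' . secret_field()
//      . ' ...other fields... </form>';
// Usage in handler.php:
//   session_start();
//   $errors = validate_submission($_POST, $_SESSION);
//   if ($errors) { http_response_code(400); /* show errors */ }
//   else         { /* process the validated input */ }
```

The two checks do different jobs: the secret ties the submission to the session that rendered the form, while the per-field rules decide whether each value is acceptable, so a field that is merely set (possibly to an empty string) never passes on that basis alone.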