comp.lang.php: no empty form fields after submitting form
18/09/2007, 01:58   #25
Jerry Stuckle
Re: no empty form fields after submitting form

pepper.gabriela@gmail.com wrote:
>> Anyone. For instance, I could post a form to your site which has
>> anything I want on it. That's a very common way hackers get into systems.
>
> But, sorry for my little experience, my forms only work if you are logged
> in (and you are a registered user and a session is active...). For
> sure, I should understand how hackers do what they do...

And a hacker couldn't register and get a session active? Quite easy.

>> And that means you'll never get it in the future?
>
> absolutely not
>
>> Always validate your data.
>
> ok, thanks


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
22/09/2007, 08:09   #26
pepper.gabriela@gmail.com
Re: no empty form fields after submitting form

On 18 Set, 02:58, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> And a hacker couldn't register and get a session active? Quite easy.

I don't know!
Could a hacker control the value of a specified session variable? I
hope not! :-)
How does the hacker know the name of a session variable and its right
value?

I define:

$_SESSION[$username][$randomValue] = $fixedValue;
How could the hacker infer:
- the name of the user;
- the random number (previously generated and only active when logged
in);
- the fixed value for test;



22/09/2007, 14:57   #27
Jerry Stuckle
Re: no empty form fields after submitting form

pepper.gabriela@gmail.com wrote:
> On 18 Set, 02:58, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> And a hacker couldn't register and get a session active? Quite easy.
>
> I don't know!
> Could a hacker control the value of a specified session variable? I
> hope not! :-)
> How does the hacker know the name of a session variable and its right
> value?
>
> I define:
>
> $_SESSION[$username][$randomValue] = $fixedValue;
> How could the hacker infer:
> - the name of the user;
> - the random number (previously generated and only active when logged
> in);
> - the fixed value for test;

I didn't say the hacker could change the value of a session variable.
But that's not what your problem is.

What I'm referring to is some hacker registering on your site. Then
at a later time, once he's been authorized, he hacks your site and
starts spamming. By the time you catch him, you've been shut off
because you're a spam relay.

The bottom line here is - NEVER, NEVER, EVER trust data from the user.
Always validate it server side. And always watch for hack attempts.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
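As an added illustration of the "validate it server side" point above (example code, not from anyone in this thread): a PHP handler that checks every posted field whether or not a session exists, since the browser's "required" attributes and JavaScript checks can be skipped by anyone crafting their own POST. The field names name, email and message, and a submit button named submit, are assumed.

```php
<?php
// Added example, not from the thread. Assumed form fields: name, email, message.
declare(strict_types=1);

// Returns a field => error map; an empty array means the submission is valid.
// Client-side checks ("required" attributes, JavaScript) can be bypassed, so
// every field is checked again here, and being logged in changes nothing.
function validate_form(array $input): array
{
    $rules = [
        'name'    => ['max' => 60,   'pattern' => '/^[\p{L}\p{M}\' .-]+$/u'],
        'email'   => ['max' => 254,  'pattern' => null],
        'message' => ['max' => 2000, 'pattern' => null],
    ];
    $errors = [];
    foreach ($rules as $field => $rule) {
        // A missing key or a non-string value (e.g. name[]=x) is rejected too.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = trim($input[$field]);   // "   " must not count as filled in
        if ($value === '') {
            $errors[$field] = 'empty';
        } elseif (mb_strlen($value) > $rule['max']) {
            $errors[$field] = 'too long';
        } elseif ($rule['pattern'] !== null && preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = 'invalid characters';
        }
    }
    if (!isset($errors['email'])
        && filter_var(trim($input['email']), FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }
    // Fields the form never had are a sign of a hand-crafted request.
    foreach (array_diff_key($input, $rules, ['submit' => true]) as $extra => $_) {
        $errors[$extra] = 'unexpected field';
    }
    return $errors;
}

session_start();
$errors = validate_form($_POST);   // validated even for logged-in users
if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $field => $msg) {
        echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "\n";
    }
    exit;
}
// Only now use the values, and still escape them on output.
```

Logging the rejected submissions (field name and reason, not the raw content) gives the "watch for hack attempts" signal Jerry mentions.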