Securing PHP/MySQL...

Kidijs Active Member

Messages:: 112

Likes Received:: 2

Best Answers:: 0

Trophy Points:: 55

#21

kmap, what a strange copy from the php manual you got there. please don't scare people like that.

Kidijs, Nov 10, 2007 IP

kmap Well-Known Member

Messages:: 2,215

Likes Received:: 29

Best Answers:: 2

Trophy Points:: 135

#22

Hmm is it something wrong i have posted

Regards

Alex

kmap, Nov 10, 2007 IP

matthewrobertbell Peon

Messages:: 781

Likes Received:: 35

Best Answers:: 0

Trophy Points:: 0

#23

preg_match is your friend

matthewrobertbell, Nov 10, 2007 IP

junandya Member

Messages:: 79

Likes Received:: 1

Best Answers:: 0

Trophy Points:: 43

#24

armatik said: ↑
What you could also do is you could automatically assign a 'guest' session ID to everyone that goes on your website, and then in the form, create a hidden input that's something like:
<input type="hidden" value="'. $_SESSION['id'] .'" />
HTML:
And then, in your processor file, check that the current session id of the user accessing that processor page is the same as the posted session id. This will prevent people from using remote forms.
Click to expand...
As you said there, i agree with your opinion to use $_SESSION['id'], but i just thinking, if someone have logged in,....he still use the same browser, and then he opens his own php form that he had modified,....so he can use his own form & still have their session id also,....so he still can attack the website,.....is this right what i'm talking about????

junandya, Nov 10, 2007 IP

killaklown Well-Known Member

Messages:: 2,666

Likes Received:: 87

Best Answers:: 0

Trophy Points:: 165

#25

junandya said: ↑

As you said there, i agree with your opinion to use $_SESSION['id'], but i just thinking, if someone have logged in,....he still use the same browser, and then he opens his own php form that he had modified,....so he can use his own form & still have their session id also,....so he still can attack the website,.....is this right what i'm talking about????
Click to expand...

Wouldn't checking the referring url before putting the data into the database work?

(HTTP_REFERER)

killaklown, Nov 10, 2007 IP

Smyrl likes this.

garbageman Peon

Messages:: 29

Likes Received:: 0

Best Answers:: 0

Trophy Points:: 0

#26

Referrers can be faked. There's a nice little firefox plugin called Refcontrol.

garbageman, Nov 10, 2007 IP

armatik Peon

Messages:: 27

Likes Received:: 2

Best Answers:: 0

Trophy Points:: 0

#27

Well, you could add that in for extra security, because there's ways around everything.

As you said there, i agree with your opinion to use $_SESSION['id'], but i just thinking, if someone have logged in,....he still use the same browser, and then he opens his own php form that he had modified,....so he can use his own form & still have their session id also,....so he still can attack the website,.....is this right what i'm talking about????
Click to expand...

Sessions aren't like cookies.. I mean they are, but I think what you're thinking in terms of functionality is a cookie. The user wouldn't have that session on another website, just that one.

armatik, Nov 10, 2007 IP

killaklown Well-Known Member

Messages:: 2,666

Likes Received:: 87

Best Answers:: 0

Trophy Points:: 165

#28

Ive added reCAPTCHA to the registration page, would this stop people from being able to spam it from remote forms?

killaklown, Nov 10, 2007 IP

armatik Peon

Messages:: 27

Likes Received:: 2

Best Answers:: 0

Trophy Points:: 0

#29

killaklown said: ↑

Ive added reCAPTCHA to the registration page, would this stop people from being able to spam it from remote forms?
Click to expand...

What is reCAPTCHA exactly, and what does it do?

armatik, Nov 11, 2007 IP

Log in or Sign up

Securing PHP/MySQL...

Kidijs Active Member

kmap Well-Known Member

matthewrobertbell Peon

junandya Member

killaklown Well-Known Member

garbageman Peon

armatik Peon

killaklown Well-Known Member

armatik Peon

Useful Searches