Posted by Jose Angel Sanchez on 02/10/05 17:51
I've found a way to avoid this problem...
I have two pages:
Form to fill <submit> -> execute
www.mypage.com/index.php?action=form
<submit>
www.mypage.com/index.php?action=execute&param1=asd&param2=adasd....
Before my form is sent to the client (after login...) I do this:
$hash = md5($generated_string);
$_SESSION['formID'] = $hash;
and output an <input type="hidden" name="hash" value="$hash">
Then you fill in the form and send all the data plus the hash. The next step is to read
the URL to get the action to do ("action" is a parameter on my page, and
"execute" in this case).
So when I enter "execute" the first time, I check $_POST['hash'] and look it up
in $_SESSION['formID']; if found, it executes the code and unsets
$_SESSION['formID']. On a refresh of the execution, $_SESSION['formID']
is not found and it does not execute. On a refresh of the form, the form is blank and both
the form hash and the session variable hash are set.
I think this is secure enough for my app. Isn't it?
Does it have any known security hole? Is it right? Is there another way to do it?
I don't speak English very well, sorry :$
-----Original Message-----
From: Jose Angel Sanchez (Jone) [mailto:jassuarez@mi.madritel.es]
Sent: Wednesday, 09 February 2005 14:49
To: php-general@lists.php.net
Subject: [PHP] Refresh Problem
Hi
First of all: I'm sorry for writing errors - I don't speak English very well (Spanish).
I'm building an application which works that way:
I use URL parameters to set the zone (document location), actions and params.
I've badly made the security part so that only registered people
($_SESSION['USER'] <- which is set after checking the login/password form) can
access the different zones, but my problem is with refreshing a page that
contains an action,
e.g.
http://www.mypage.com?index.php&zone=contact&action=newcontact&name=george
Only registered/valid users can make this zone's code run.
My pseudocode basically works this way:
function contactzone (no params)
    get URL parameters (like $action = $_GET['action'])
    <some code>
    switch ($action) {
        case 'new':
            $html .= show form (on submit, set action to 'newcontact')
            break;
        case 'newcontact':
            insert into database
            on success -> $html
            break;
        default:
            show simple $html
    }
    <some code>
    return $html
My problem is with refresh or back events in the browser: the action will
execute again.
How do I prevent that? Session variables? Checking a single table that stores the
used hashes sent by the forms (generated with md5 or anything) for all forms
containing action events, for all tables? What do you think?
Sorry again, and thanks for reading and helping :D
j0n3
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
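The single-use token scheme from the reply above, as an added example that is not the poster's code: the form handler stores a fresh token in the session when the form is rendered, and the "execute" step consumes it before doing any work, so a refresh or a Back-button resubmit finds no token and does nothing. It assumes PHP 7 or later; the function names, the 'formID' session key and the in-memory $session and $db arrays are assumptions so the script runs from the command line without a web server (in the real application you would pass $_SESSION and $_POST). Two details differ from the thread on purpose: the token comes from random_bytes() rather than md5() of an internally generated string, so a client cannot predict it, and the comparison uses hash_equals() so it is constant-time and cannot be satisfied by a type-juggled value.

```php
<?php
// Added example, not code from the original post: a single-use form token
// kept in the session so that a refresh or Back-button resubmit of the
// "execute" step does nothing. Function names, the 'formID' key and the
// in-memory $session/$db arrays are assumptions for a stand-alone run;
// in the real app you would pass $_SESSION and $_POST.
declare(strict_types=1);

const FORM_TOKEN_KEY = 'formID';

// Called when the form is rendered. random_bytes() yields a value the client
// cannot predict, unlike md5() of an internally generated string.
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session[FORM_TOKEN_KEY] = $token;
    return $token;
}

// Called on "execute". Returns true exactly once per issued token: a refresh
// (same token again), a stale token from a cached Back page, a guessed
// token, or a non-string value such as hash[]=x all return false.
function consume_form_token(array &$session, $submitted): bool
{
    if (!is_string($submitted) || !isset($session[FORM_TOKEN_KEY])) {
        return false;
    }
    $expected = $session[FORM_TOKEN_KEY];
    // Forget the token before doing any work, so two requests racing with
    // the same token cannot both pass the check.
    unset($session[FORM_TOKEN_KEY]);
    // Constant-time comparison; == would also accept type-juggled values.
    return hash_equals($expected, $submitted);
}

// The "execute" action from the thread: insert only when the token is valid.
function handle_execute(array &$session, array $post, array &$db): string
{
    if (!consume_form_token($session, $post['hash'] ?? null)) {
        return 'ignored: missing, reused or unknown form token';
    }
    $name = (string) ($post['name'] ?? '');
    $db[] = $name;              // stands in for the database insert
    return 'inserted ' . $name;
}

// --- Replay the scenario from the thread against an in-memory session ---
$session = [];
$db = [];

// 1. Render the form: the hidden field carries the fresh token.
$token = issue_form_token($session);
echo '<input type="hidden" name="hash" value="'
    . htmlspecialchars($token, ENT_QUOTES) . "\">\n";

// 2. First submit: the insert runs.
echo handle_execute($session, ['hash' => $token, 'name' => 'george'], $db), "\n";

// 3. User hits refresh on the execute URL: same token, already consumed.
echo handle_execute($session, ['hash' => $token, 'name' => 'george'], $db), "\n";

// 4. A new form is issued, but the request carries a guessed token.
issue_form_token($session);
echo handle_execute($session, ['hash' => str_repeat('0', 32), 'name' => 'mallory'], $db), "\n";

echo count($db), " row(s) inserted\n";
```

Run it with `php token_demo.php`: only the first execute call inserts a row; the refresh and the guessed token are ignored. Two caveats a practitioner should weigh before copying this: the token is consumed before the insert, so if the insert fails the user must reload the form to get a new token (the alternative, consuming it after, reopens the double-submit race); and a single session key means two copies of the form open in two tabs overwrite each other, so the first tab's submit will be rejected unless you key tokens per form instance. Because the token is unguessable and bound to the session, the same check also rejects a forged cross-site POST, but it does not stop a user who deliberately loads the form fresh and submits a second time.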