Re: PHP Passing Variables Between Pages and Security

Posted by Gordon Burditt on 10/12/30 11:39

>i'm passing session and hidden variables between pages. not to mention
>post values.

Hidden variables (fields with type="hidden" in HTML) appear at the
user's browser. They are easily seen with "view source" and easily
spoofed by that user.

Session variables are much harder to fake unless the attacker has
access to the server (to edit session data) or can sniff the
connection between the web server and a client ("session hijacking").

>i'm a little concerned that someone with sufficient knowledge could
>spoof these values and manipulate the program.
>
>is this a valid concern? i'm thinking i can check the submitting page
>setting up something around the following code...
>
>$base_name = basename($_SERVER['PHP_SELF']);

This is going to tell you the PHP page being run, which unless you
have a lot of includes going on, isn't going to tell you anything
you don't already know. It *WILL NOT* help if the attacker sucks
down an HTML copy of your page, edits it, puts it on his own server,
points the <FORM ACTION=...> to refer to your server, and then uses
it and submits it.

REFERER might help there, but that's easily faked also.

Gordon L. Burditt
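To make the distinction above concrete, here is an added example (not code from the original post or its author) contrasting a form handler that trusts hidden fields with one that keeps the authoritative state in `$_SESSION`; the field names `step` and `price` and the three-step flow are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Two ways of carrying
// state across a multi-page form; only the second survives a user
// who edits the hidden field or hosts a modified copy of the form.

session_start();

// WEAK: the current step and the price live in hidden fields, so the
// browser is the only thing vouching for them. Anyone can change
// <input type="hidden" name="step" value="3"> before submitting.
function handle_weak(array $post): string
{
    $step  = (int)($post['step'] ?? 0);
    $price = (float)($post['price'] ?? 0);
    if ($step === 3) {
        return sprintf("order confirmed at %.2f", $price); // trusts the client
    }
    return "not ready";
}

// HARDENED: the authoritative state is kept server-side in the session.
// The hidden field may still exist for page flow, but it is only compared
// against the session; a mismatch is logged and refused, and the price is
// read from server-side data rather than from the form.
function handle_hardened(array $post, array &$session): string
{
    $claimed = (int)($post['step'] ?? 0);
    $actual  = (int)($session['step'] ?? 0);
    if ($claimed !== $actual) {
        error_log(sprintf('step mismatch: client=%d session=%d ip=%s',
            $claimed, $actual, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return "invalid request";
    }
    if ($actual === 3) {
        // price comes from the server-side cart (assumed key), never from a field
        return sprintf("order confirmed at %.2f", (float)($session['price'] ?? 0.0));
    }
    $session['step'] = $actual + 1;   // advance exactly one step per submission
    return "proceed to step " . $session['step'];
}

echo handle_hardened($_POST, $_SESSION);
```

Because the hardened handler never reads the price or the true step from the client, neither an edited hidden field nor a copied form hosted elsewhere changes the outcome, which is why neither `PHP_SELF` nor `REFERER` needs to be consulted.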
