Posted by Peter Fox on 10/22/42 11:39
Following on from Skeets's message. . .
>i'm passing session and hidden variables between pages. not to mention
>post values.
>
>i'm a little concerned that someone with sufficient knowledge could
>spoof these values and manipulate the program.
>
>is this a valid concern? i'm thinking i can check the submitting page
>setting up something around the following code...
Anything that can be seen can be hacked. So for example
<a href="deleteuser.php?id=44">remove your record</a>
would be a seriously bad idea! Hidden fields are also useless in this
respect.
So carry as much state as you can across in the session
AND
make all inputs/addresses hack-proof.
ONE way to do this is
[Untested code]
session_start();                      // must run before anything touches $_SESSION
$r = rand(1000, 1111111111);          // opaque token that goes into the link
$_SESSION['privatelinks'][$r] = $theStuffYouWouldPutInAnAddressEgID;
// could be a whole array or a serialized object
print("<a href=\"nextpage.php?J=$r\">Click here to do something</a>");
in nextpage.php you can do something like:-
session_start();
$j = $_GET['J'] ?? null;
if ($j === null || !isset($_SESSION['privatelinks'][$j])) {
    // unknown, forged or already-used token: refuse rather than guess
    exit('Invalid link');
}
$args = $_SESSION['privatelinks'][$j];
// now do something with $args
// (don't forget to unset $_SESSION['privatelinks'][$j] so the link is one-shot)
// Carefully think through the various error scenarios and how you will respond.
I also tend to validate the 'came-from' to stop inappropriate bookmarks.
--
PETER FOX Not the same since the bra business went bust
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
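The "private links" idea from Peter's post, written out as an added PHP example that is not part of the original thread: the token comes from the CSPRNG instead of rand(), is validated before it is used as an array key, expires, and is consumed on first use. The helper names issue_private_link(), resolve_private_link() and the 600-second TTL are assumptions for the example.

```php
<?php
// Added example, not the poster's code. Session-held state keyed by an
// unguessable token, so nothing sensitive ever appears in the URL.
session_start();

const PRIVATE_LINK_TTL = 600; // seconds a link stays valid (assumed value)

// Store $args server-side and return an opaque token for the link.
function issue_private_link(array $args): string {
    $token = bin2hex(random_bytes(16));          // 128 random bits, not rand()
    $_SESSION['privatelinks'][$token] = [
        'args'    => $args,
        'expires' => time() + PRIVATE_LINK_TTL,
    ];
    return $token;
}

// Resolve a token from the request; null means "not ours, expired or reused".
function resolve_private_link(?string $token): ?array {
    if ($token === null || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;                               // missing or malformed
    }
    $entry = $_SESSION['privatelinks'][$token] ?? null;
    if ($entry === null) {
        return null;                               // never issued in this session
    }
    unset($_SESSION['privatelinks'][$token]);      // one-time use: consume it first
    if ($entry['expires'] < time()) {
        return null;                               // stale bookmark
    }
    return $entry['args'];
}

// Issuing page: the record id never leaves the server.
$token = issue_private_link(['id' => 44, 'action' => 'delete']);
printf('<a href="nextpage.php?J=%s">Click here to do something</a>',
       htmlspecialchars($token, ENT_QUOTES));

// nextpage.php: every failure path ends in a refusal, not a guess.
$args = resolve_private_link($_GET['J'] ?? null);
if ($args === null) {
    http_response_code(400);
    exit('Sorry, that link is not valid.');
}
// ... act on $args['id'] and $args['action'] here
```

Reloading or bookmarking the link fails on the second visit because the entry is unset on first use, which is the error scenario the post asks you to plan for.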