NYCPHP Meetup

NYPHP.org

Forms & Refresh Question & General Form Security

Erik Baker EBaker at 4KidsEnt.com
Tue May 13 11:16:09 EDT 2003


Hey All,

I wanted to start by saying how useful I find these mailing lists.  Although
this is the first time that I'm submitting a question, I have found
following the threads from other people's questions very valuable as I move
into becoming an intermediate PHPer.

That said, I have a question regarding forms and protecting them against
browser refreshes.  I have written a PHP program that emails a user's
password to their registered email address upon request.  The main program
looks like this:

	//HARVEST VARIABLES
	$query_msg = $_POST['query_msg'];
	$login = $_POST['login'];
	$email = $_POST['email'];
	
	//MAIN
	if (!empty($query_msg) && $query_msg != 'Password Found') { # Skip MySQL query first time form is called & after password found
		GetData();
	}

	$query_msg != 'Password Found' # Leave form only when successful
		? ShowForm() # Display the form
		: ShowSuccess($login,$email); # Show Success

~GetData() goes to a MySQL database and sets the global variable $query_msg
equal to 'Password Found' if a query on their login name or email matches,
and then sends an email to their address with their password.
~ShowForm() sets up an HTML form with either login or email passed (user's
submission choice) and sends along $query_msg with it as a hidden input
type.
~ShowSuccess() is a general message that displays when the password is
found.

The problem is that someone could tinker around to find a valid user name,
then keep hitting refresh and send dozens (or more) emails to that user.
GetData() is not skipped because a refresh brings back $query_msg from
$_POST (which is the previous value of $query_msg) and not the global
variable value of 'Password Found'.

Is there a way to set the variable directly in $_POST so that it will pass
back a newer value upon refresh?  Or is there a way to have the program
call itself again and pass new POSTed variables?

***I realized setting this form up that there are probably a dozen other
ways a malicious user could try to break any form.  Does there exist
anywhere a "Safest Form Practices" document?  I'm sure there are other
security issues that I'm not aware of that need to be guarded against.

Any help would be greatly appreciated.

Thanks,

Erik
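The two pieces that address the refresh problem Erik describes are (1) never letting the browser's last request be the POST, so a refresh re-fetches a GET instead of re-posting the form (the Post/Redirect/Get pattern), and (2) keeping the "already processed" state on the server in the session, with a one-time form token, rather than in a hidden field the client can simply post again with the old value. The following is an added example, not code from the original post or from NYPHP; it assumes PHP 7 or later (for random_bytes and hash_equals) and uses a hypothetical lookup_user_and_send_mail() as a stand-in for the poster's GetData():

```php
<?php
// Added example (not from the original post): Post/Redirect/Get plus a
// one-time, session-bound form token. A refresh after submission cannot
// re-run the lookup, and a hidden "query_msg" field is no longer trusted.
session_start();

// Assumed stand-in for the poster's GetData(): the real version would run
// the MySQL query and call mail(). Returns true when an account matched.
function lookup_user_and_send_mail(string $login, string $email): bool
{
    return $login !== '' || $email !== '';
}

// Issue a fresh token, store it in the session, and return it for the form.
function new_form_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Accept a token at most once: it is removed from the session whether or
// not it matches, so a re-posted form (refresh) fails the check.
function consume_form_token(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (consume_form_token($_POST['form_token'] ?? null)) {
        $login = trim($_POST['login'] ?? '');
        $email = trim($_POST['email'] ?? '');
        $_SESSION['flash'] = lookup_user_and_send_mail($login, $email)
            ? 'Password Found'
            : 'No matching account';
    } else {
        // Stale or missing token: a refresh, a double-click, or a forged
        // post. The lookup and the e-mail are skipped.
        $_SESSION['flash'] = 'Request already processed';
    }
    // Redirect so the browser's last request is a GET; hitting refresh
    // now re-fetches this page instead of re-submitting the form.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

// GET: show the outcome of the previous POST (if any), then a fresh form.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);

if ($flash === 'Password Found') {
    // Equivalent of the poster's ShowSuccess()
    echo '<p>Your password has been sent to your registered address.</p>';
} else {
    if ($flash !== null) {
        echo '<p>' . htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    // Equivalent of the poster's ShowForm(), with the one-time token
    $token = htmlspecialchars(new_form_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="form_token" value="' . $token . '">'
       . 'Login: <input name="login"> or Email: <input name="email"> '
       . '<input type="submit" value="Send my password">'
       . '</form>';
}
```

Because the token lives in the session and is deleted on first use, the value the browser re-posts on refresh is always stale, so GetData()'s equivalent is skipped regardless of what hidden fields the client sends back; the same check also stops a third-party page from submitting the form on a user's behalf. The 303 redirect is what makes the refresh itself harmless: the browser re-requests the GET page rather than the POST.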


