[nycphp-talk] Forms & Refresh Question & General Form Security
Bhulipongsanon, Pinyo
Pinyo.Bhulipongsanon at usa.xerox.com
Wed May 14 12:36:33 EDT 2003
> //HARVEST VARIABLES
> $query_msg = $_POST['query_msg'];
> $login = $_POST['login'];
> $email = $_POST['email'];
Perhaps a better treatment for this would be
foreach (array_keys($_POST) as $key) { $$key = $_POST[$key]; }
> "page_with_form.php"
> submits to
> "form_processor.php"
> which redirects to
> "page_with_form.php?status=(success|failure)"
I do this too, but instead of going back to the same page with status, I
send them to two different pages.
> You do realize you're basically trusting the user with the value of status,
> right? I hope you're not using that for anything important.
First, can't we improve this with a session variable instead of a $_GET
variable?
Second, you can always check for a valid $HTTP_REFERER; if the user changes
the value in the address bar then $HTTP_REFERER will not be set, then we
can do this:
if (!isset($HTTP_REFERER)) { exit("access denied"); }
Pinyo
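The session-based status passing suggested in the message, as an added example that is not code from the original thread. It assumes the two scripts named above (form_processor.php and page_with_form.php) and that both call session_start() before any output; for illustration the two roles are written as functions in one script.

```php
<?php
// Added example, not from the original thread: pass the form result through
// the session instead of a ?status= parameter the visitor can edit.
// Assumes form_processor.php and page_with_form.php as named in the message,
// both calling session_start() before any output.

// Whitelist of the form's fields: only these are read from $_POST, so a
// stray key in the request cannot become a variable in the script.
const FORM_FIELDS = ['query_msg', 'login', 'email'];

function harvest_post(array $post): array {
    $input = [];
    foreach (FORM_FIELDS as $field) {
        $input[$field] = isset($post[$field]) ? trim((string) $post[$field]) : '';
    }
    return $input;
}

// form_processor.php role: decide the outcome on the server, hand it to the
// next page through the session, then redirect.
function process_form(array $post): void {
    $input = harvest_post($post);
    $ok = $input['query_msg'] !== ''
        && filter_var($input['email'], FILTER_VALIDATE_EMAIL) !== false;
    // ... store or mail $input here ...
    $_SESSION['form_status'] = $ok ? 'success' : 'failure';
    header('Location: page_with_form.php');
    exit;
}

// page_with_form.php role: read the status once and clear it, so a refresh
// of the page does not show the message again; anything other than the two
// values the processor sets is ignored.
function take_form_status(): ?string {
    if (!isset($_SESSION['form_status'])) {
        return null;
    }
    $status = $_SESSION['form_status'];
    unset($_SESSION['form_status']);
    return in_array($status, ['success', 'failure'], true) ? $status : null;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    process_form($_POST);            // form_processor.php
}
$status = take_form_status();        // page_with_form.php
if ($status === 'success') {
    echo '<p>Your message was sent.</p>';
} elseif ($status === 'failure') {
    echo '<p>Please check the form and try again.</p>';
}
```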