[nycphp-talk] Query result state strategy
Chris Shiflett
shiflett at php.net
Fri Feb 17 09:21:57 EST 2006
Hi Cliff,
> I've become a believer.
Wonderful. :-)
> I disable buttons that are not allowed, so only valid actions can
> be submitted, but it would be trivial to submit a button that has
> been disabled.
>
> When I receive a button submission for a particular row, I query
> the row from the db, and check to see if this action is allowed
> based upon the status fields.
Stated differently, you're trying to be sure that the status fields you
included in the form haven't been tampered with, right?
Carlos's suggestion is good for helping to verify integrity. It would
also be pretty easy to modify your approach to do this instead of querying
the database. I have no idea what your SQL query looks like (which is a
good thing), but it's a good candidate for hashing, because it
presumably contains all of the data you're checking, you already take
the time to construct the string, and it's something you can reliably
reproduce.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
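The approach discussed above, worked through as an added example that is not code from the thread, from Chris, or from Carlos: the per-row status fields that go into the form are serialised into a canonical string and signed with an HMAC under a server-side secret, the tag is emitted as a hidden field, and on submit the tag is recomputed and compared before the action is checked against the status. A plain unkeyed hash would not do here, since the client could recompute it after editing the fields, so the keyed HMAC is an assumption of this example rather than something the message specifies. The secret, the row id, the user id, the field names and the allowed-transition table are all invented for the demo.

```php
<?php
// Added example (not from the original thread). Protect the per-row status
// fields embedded in the form with a keyed HMAC so that re-enabling a
// disabled button or editing a hidden field is detected on submit without
// re-querying the row. Assumed: $secret is a random server-side secret,
// $userId and $rowId identify who rendered which row (binding the tag to
// both stops replaying one row's token against another row or user).

const HMAC_ALGO = 'sha256';

// Canonical serialisation: sorted keys and length-prefixed key/value pairs,
// so ['a' => 'bc', 'b' => ''] and ['a' => 'b', 'b' => 'c'] cannot collide.
function canonical(array $fields): string {
    ksort($fields, SORT_STRING);
    $out = '';
    foreach ($fields as $k => $v) {
        $k = (string)$k;
        $v = (string)$v;
        $out .= strlen($k) . ':' . $k . '=' . strlen($v) . ':' . $v . ';';
    }
    return $out;
}

function sign_fields(string $secret, int $userId, int $rowId, array $fields): string {
    $msg = "user={$userId};row={$rowId};" . canonical($fields);
    return hash_hmac(HMAC_ALGO, $msg, $secret);
}

function verify_fields(string $secret, int $userId, int $rowId, array $fields, string $token): bool {
    $expected = sign_fields($secret, $userId, $rowId, $fields);
    return hash_equals($expected, $token);   // constant-time comparison
}

// Rendering side: emit the status fields plus the token as hidden inputs.
function render_hidden(string $secret, int $userId, int $rowId, array $fields): string {
    $html = '';
    foreach ($fields as $k => $v) {
        $html .= sprintf("<input type=\"hidden\" name=\"status[%s]\" value=\"%s\">\n",
            htmlspecialchars((string)$k, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'));
    }
    $html .= sprintf("<input type=\"hidden\" name=\"token\" value=\"%s\">\n",
        sign_fields($secret, $userId, $rowId, $fields));
    return $html;
}

// Submission side: verify the tag first, then decide whether the requested
// action is permitted for the (now trusted) status fields.
function handle_submission(string $secret, int $userId, array $post, array $allowedTransitions): string {
    $rowId  = (int)($post['row'] ?? 0);
    $fields = $post['status'] ?? [];
    $token  = (string)($post['token'] ?? '');
    if (!is_array($fields) || !verify_fields($secret, $userId, $rowId, $fields, $token)) {
        return 'rejected: status fields or token tampered with';
    }
    $action = (string)($post['action'] ?? '');
    $state  = (string)($fields['state'] ?? '');
    if (!in_array($action, $allowedTransitions[$state] ?? [], true)) {
        return "rejected: action '$action' not allowed in state '$state'";
    }
    return "ok: $action on row $rowId";
}

// Demo with constructed data.
$secret      = 'replace-with-a-random-server-side-secret';
$transitions = ['open' => ['close', 'assign'], 'closed' => ['reopen']];
$fields      = ['state' => 'closed', 'owner' => '7'];
$token       = sign_fields($secret, 42, 1001, $fields);

echo render_hidden($secret, 42, 1001, $fields);
echo handle_submission($secret, 42,
    ['row' => 1001, 'status' => $fields, 'action' => 'reopen', 'token' => $token],
    $transitions), "\n";
// The client re-enables the disabled "close" button and flips state to open;
// the token no longer matches, so the request is rejected before the
// transition table is even consulted.
echo handle_submission($secret, 42,
    ['row' => 1001, 'status' => ['state' => 'open', 'owner' => '7'], 'action' => 'close', 'token' => $token],
    $transitions), "\n";
```

One caveat worth keeping in mind: the tag proves that the fields are the ones you rendered, not that they are still current. If another user can change the row between render and submit, the client can legitimately hold a valid token for a stale state, so either include a timestamp or version number in the signed string or keep the database check for the cases where concurrent updates matter.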