PHP Security

binaryabraham

What security concerns are there when using php with forms? Let's say I have a form at onlineshopping.com/payment.html which POSTs the form to a script called proccess.php in the same directory. My question is: Is it possible for a hacker to POST to the script from any other html FORM. Or is it that the script will only get ouput from the form file on the same directory/webserver?

Why some poeople use seprate html and php file? I though it was more secure to put FORM and script in one file. e.g. mysite.com/index.php

planetsim

Yes. Of course its possible. If they know you feilds and such. If its going to a database its a little different the story. But its still very much possible, but some data maybe missing. You could try a file check from where it was.. try $_SERVER[referer] or something.

check this out
http://www.php.net/manual/en/language.variables.predefined.php

Weedpacket

Of course, they are likely to know your fields, because they could just look at the HTML of the form and read them off; also, if they're determined, they can fake the http_referer. There is a chapter on security in the PHP manual, including form-related issues.

There are a number of stunts you could try and pull to make sure a given form submission is valid in one way or another (depending on the particular circumstances), but the in the long run the short answer is that you should never trust data coming from the outside world to be entirely legitimate; it's just a matter of what level of paranoia you feel is justified.

planetsim

I dont think there is a web language out there today that can be extremely secure and if it was.. There would be a flaw and a good hacker would find it.

Weedpacket

I agree - in the end it's all just 1's and 0's anyway - it's not impossible that a burst of random static could successfully look like a valid user for a while.