style

soniared2002

Hi all,
Finally my web page is almost done, just a bit more work now.
I wondered, is it and if it is, why is it bad that users will be able to see my forms when they download teh source???
For example:
the source says :
<FORM method=post action="joinsubmitted.php">
<p style="margin-top: 0; margin-bottom: 0">COMPLETE THE INFORMATIN BELOW:
() indicates mandatory fields.<sup> </sup> </p>
<p style="margin-top: 0; margin-bottom: 0"> </p>
<p style="margin-top: 0; margin-bottom: 0"><sup> </sup>First Name:  
<input hidden name = "first" TYPE ="TEXT" size="20">
       </p>
<p style="margin-top: 0; margin-bottom: 0"><sup>* </sup>Last Name:   
<input hidden name ="last" TYPE ="TEXT" size="20">......
WHY IS IT BAD? is it bad???should i have all the prints from php :echo"....?
Thanx

trooper

if you are not running any type of security check like cookies or sessions then its bad for the following reason

People can see what pages you are posting to and what variables they are expecting.

This could lead to someone "spooffing" your site by passing "dodgy" vars etc

If on the other hand you do use a security approach and / or encrypt the form field values (get the next page to decrypt them) then it makes it harder

HTH
GM

tbach2

trooper,

I almost see your point, but I'm not quite getting it...

I'm going to make an assumption: we don't trust ANY variable that is submitted, and check each variable for fitness for use. (well, maybe that's a big assumption...)

If that's the case, then letting the hacker see the variable only confirms what we have already assumed: the variable could have evil content.

Therefore it seems to me that it's an unavoidable risk that is not exacerbated by the form.

Am I just missing something?

'course, if someone has something like <a href="template.php?id=123"> and doesn't want everybody to see be able to see template.php?id=124, then I see your point. Is this what spoofing is?

thanks