How do I fake POST VARS

gabriel

I have a multi-level page and I was wondering if there is a way to send POST VARS to the next level of the page using a regular hyperlink?

I don't want to use GET VARS for secutity reasons.

bubblenut

Not with a hyperlink no. What about sessions?

paulnaj

Hi gabriel,

First off, POST vars are no more secure than GET vars. Any 'hacker' will be able to get hold of the POST vars just as easily as GET vars.

The only differences are ...
1) GET vars show up in the address bar and POST don't.
2) Pages that have had POST vars sent to them are not easily refreshed.

Just thought I'd make that absolutely clear.

Having said that, you could build a form that only contains hidden fields containing the data you need to pass on and a submit button as the 'link'.

Paul 🙂

sidney

you can make a form act just like and look like a hyper link

<form action="page.htm" method="post"><input name="data" type="hidden" value="yourdata">
<input name="SUBMIT" type="submit" style="color: #0000FF;
	background-color: #FFFFFF;
	border: none;
	cursor: hand;
	text-decoration: underline;" value="CONTINUE TO DOWNLOAD &gt;&gt;&gt;"></form>

paulnaj

Hey Sidney,

That's a beauty! I'm a-gonna nick that :evilgrin:

Paul.

gabriel

I use this code to keep individuals from muddling with the GET vars after submiting a form. Is this really secure though??

if(isset($_POST['mode'])){
srand(encrypt());
$verify = rand();
$_SESSION['proc'] = rand();
@$_SESSION['nvars'] = $verify.":$mod:$uid:$storyid:$chs:";
go($go=$PHP_SELF."?mode=".$vars_mode."&id=".$_SESSION['nvars']."norm");
}

//New page starts here

if(@$vars_id == $_SESSION['nvars']."norm"){
}elseif(@$vars_id == $_SESSION['nvars'].$_SESSION['proc']){
}elseif(@$vars_id == $_SESSION['nvars'].$_SESSION['proc'] && $vars_move){
}else{
go($go=$PHP_SELF);
}

PHPMagician

I myself do not really get that code. Where does vars_id, norm, etc, originate from. Also, if the braces are going to be empty may as well check that all them conditions are true or false in one control statement instead of 3 empty ones.

gabriel

Originally posted by PHPMagician
I myself do not really get that code. Where does vars_id, norm, etc, originate from. Also, if the braces are going to be empty may as well check that all them conditions are true or false in one control statement instead of 3 empty ones.

Sorry about my sloppy coding skills. First off $vars_id is the variable passed on in the address bar. What the code is supposed to do is, send the user back to the first level of the page (square one) if they muddle with the variables in the address bar. I was just wondering if this method would work or not?

On a form, right after clicking submit it will go through the first part saving a random number and other variables, all seperated by a ":". This is all saved in a single session variable Then the page refreshes. The second time it goes through it skips the first part and just varifies the session vars with the vars in the address bar.

I just need to know if this is secure?

PHPMagician

Coding like this, while now might make sense, will cause problems if you want to update your application and maintain it. I suggest you scrap this idea, and instead just make sure you validate everything separately. If a user is muddling with GET vars, this should be discovered by you're control structures and variables should sanitized where appropiate (ie. database querying, displaying, etc).

You should use the super-globals in the form of $_*, where star can be for instance:
GET
POST
COOKIE
.....

and so on.

Then, turn register globals off. This will enhance security and allow you to track variables origination better.

Good Luck

gabriel

PHPMagician

Thanks for pointing me in the right direction. 🙂