Security Question

NateDawg

I just wanted to ask how do I make sure the only information that goes into my database is the information submitted from my script. I'm working on a script that I eventually want to make public and I wouldn't want people changing the form action and submitting information to other webservers that are running the same script.

Thanks in advance for any help,
Nate

Nate

I guess i dont quite understand. The only data that will go into your database is the data you put into it. No other websites (unless they have your mysql user/pass) will be able to insert data into your database whether you change the form action or they have the same scripts or whatever.

rehfeld

you could use sessions to prevent other websites from submitting data, but its not foolproof.

heres a simple example of the concept

-the page that outputs the form to them

<?php

session_start();
$_SESSION['allowed'] = true;

echo '<form> blah'; // show them the form


?>

-the page that receives the form

<?php

session_start();
if (!isset($_SESSION['allowed'])) {
    exit; // they did not get a form from our website
} else {
    // accept it
}



?>

but, like i said its not foolproof. a user could just goto your website, look at your form to get thier session started, then use thier own form to submit the data, and it would allow them.

the real thing you need to do is realize you simply cannot trust user input, whether you gave them the form or not, they can still send any data they want. you just cannot stop people from sending information to your server, all you can do is validate it and decide what to do with it.