Passing value outside of URL

Galavantes

I'm sure this is a very basic question, thats why I'm posting in newbie forums. ^_
I need to pass a variable from a form to a PHP program -without- the item being listed in the URL ie: testpage.php?cash=900. Obviously anyone can type in their own value into the URL field tp bypass my program. How can I pass an invisible value to a PHP page?

Btw I do not have access to the server config so I cannot disable register_globals

Thanks!

laserlight

You could pass by the POST method using a hidden form input control... but that doesnt stop a determined person from passing alternative data using say, his own form.

Basically, you cannot trust input from the client. If the client can send you something, the client can send you something that you do not expect.

Galavantes

I used the following code:

//store variables in hidden fields
print <<<HERE
<input type = "hidden"
name = "secondRoll"
value = "$secondRoll">

HERE;

But the url still comes up as .php?cash=whatever&secondRoll=whatever

Am I missing something with the hidden fields?

laserlight

Your form needs to have method="post"

But as I said, this is still not foolproof.

ClarkF1

did you have method="POST" in the <form> tag

You then reference the variables using the $_POST array

Galavantes

Gotcha, Thanks for the help.
I'm still very new to PHP and some of the more solid security methods are a bit above me atm. So right now I'm just trying to lock down the really huge holes like that one. ^_

leatherback

Galavantes wrote:
Btw I do not have access to the server config so I cannot disable register_globals

Then make sure that EVERY variable your scripts use, is defined initially by you. So at the top of the script set each variable to a default value for that variable:

$var1 = "";
$var2 = 1;
$var3 = 0;

Then you at least make sure that they cannot sneak a variable past you. When you need something from the passed variables, you just get it:

$var1 = $_POST['somevar'];

But I would suggest contacting your hosting provider, to see whether they can modify it. And I think you can do a ini_set() in your scripts..?

bradgrafelman

Galavantes wrote:
Btw I do not have access to the server config so I cannot disable register_globals

Then you have two options as I see it:

See if your host allows .htaccess files. If so, make one in the root of your website, that looks like so:
```
php_flag register_globals off
```
Drop your current host and get a sensible one.

laserlight

I'm still very new to PHP and some of the more solid security methods are a bit above me atm. So right now I'm just trying to lock down the really huge holes like that one.

The problem is that the security hole remains, just that it requires a little more work to exploit.

Possible variable poisoning with register_globals on is nothing compared to the security problem of someone spoofing the form or using a browser plugin to alter the form value. The solution to this problem depends on what exactly you want to do.