

ask about form n security ?


4 replies to this topic

#1 joe

    Young Padawan

  • Members
  • 115 posts
  • Location:stuck in the middle of cyber space

Posted 26 March 2007 - 07:46 AM

Hi everyone... I want to ask about forms and security in PHP...
1. I usually find in many tutorials how to prevent SQL injection to the database. Usually those tutorials use functions: addslashes(), strip_tags(), mysql_escape_string(), etc.
When using those functions, is the database really / more secure from SQL injection?? If it isn't secure, what should I add to the code??
2. When I look at open source CMSs like Mambo, every <form></form> tag's "action" always has the path of the Mambo installation folder on the document root, without the *.php file that will execute / process that form. For example, in mine the path is: http://localhost/source/mambo and the example form in Mambo is the login form. And if I view the source with "view page source" in Firefox, on the login form's <form></form> tag in "action" I only see the path of the Mambo installation without the *.php file that will execute the login form.
How can it be like that?? And can someone teach me??
3. This question continues from #2: how can we / the server know that the form the user is using came from the server??
Some users can save the page that contains a form to their hard disk. Because if a user knows the file that executes that form, the user can just change the "action" path on the <form></form> tag and then send it to the server.
How to prevent it??

Thanx for the answers and the response...

best regards...
joe

#2 rc69

    PHP Master PD

  • P2L Staff
  • 3,827 posts
  • Gender:Male
  • Location:Here
  • Interests:Web Development

Posted 29 March 2007 - 08:32 PM

Question one is frequently asked, please use a forum search on it. I'll give you a hint though: mysql_real_escape_string() and maybe stripslashes() (depending on whether or not magic_quotes are enabled) are all you need. Calling strip_tags() on an SQL string is probably the dumbest thing I've seen (but I've seen it a lot and never found a reason for it). HTML is a static language. In no way does it relate to SQL; as long as you used mysql_real_escape_string() to escape any potential quotes the HTML tags may have, you're good.

Quote:

i only see path of mambo installation without knowing where file *.php that will execute the login form.

Naturally. In order to save bandwidth, FEW websites output the full path, domain and all. I don't know what you mean when you talk about where *.php is. If you're saying all the action tag has is a path and no file name, then I would assume that Mambo's index file handles posts. I've never used it so I can't tell.

3. I would check the $_SERVER['HTTP_REFERER'] variable. But be careful with it: some anti-virus software blocks that variable for some dumb reason.

#3 joe

    Young Padawan

  • Members
  • 115 posts
  • Location:stuck in the middle of cyber space

Posted 31 March 2007 - 12:49 PM

rc69: I will reply to this post and the last one as soon as possible...

rc69, on Mar 30 2007, 08:32 AM, said:

Question one is frequently asked, please use a forum search on it. I'll give you a hint though: mysql_real_escape_string() and maybe stripslashes() (depending on whether or not magic_quotes are enabled) are all you need. Calling strip_tags() on an SQL string is probably the dumbest thing I've seen (but I've seen it a lot and never found a reason for it). HTML is a static language. In no way does it relate to SQL; as long as you used mysql_real_escape_string() to escape any potential quotes the HTML tags may have, you're good.

You're right....
Thanx for correcting me again rc69... :)

rc69, on Mar 30 2007, 08:32 AM, said:

Quote:

i only see path of mambo installation without knowing where file *.php that will execute the login form.

Naturally. In order to save bandwidth, FEW websites output the full path, domain and all. I don't know what you mean when you talk about where *.php is. If you're saying all the action tag has is a path and no file name, then I would assume that Mambo's index file handles posts. I've never used it so I can't tell.

3. I would check the $_SERVER['HTTP_REFERER'] variable. But be careful with it: some anti-virus software blocks that variable for some dumb reason.

(The bold words)
Yes rc69, that's what I meant... in the action tag there's no *.php file name that will process that form...
But if I output the full path, do I create a security hole in my website??? And by the way, can you explain to me how outputting the full path can save bandwidth??
Yes, I've planned to use $_SERVER['HTTP_REFERER'] in my form... but HTTP_REFERER comes from the user, right?? So the user can change it, right?? Correct me if I'm wrong... :(
And what should I do to make a secure form??

Thanx for your response and answers...
Best Regards...

Joe

#4 rc69

    PHP Master PD

  • P2L Staff
  • 3,827 posts
  • Gender:Male
  • Location:Here
  • Interests:Web Development

Posted 31 March 2007 - 04:13 PM

What I meant was, if you output the full path (domain and all), it is a waste of bandwidth. Granted, when you only have one form, you'll never notice it, but if you have a dozen forms and every one has the domain in the action, it can add up.
The relative path, the part after where the domain would be, is required no matter what. Neither is a security hole, they're just facts of life. If no file name is processed, then I'm willing to bet that the index handles it somehow, but again, I've never used Mambo or anything like that.

I'm not 100% sure where the HTTP_REFERER comes from, but I know if anti-virus software can block it, then I'm sure a user who knows what they are doing could probably change it.

Unfortunately, there is no gospel to creating a secure form. The only thing I can recommend is looking through the form and security sections to see if anything pops out.
http://www.pixel2lif...p_coding/forms/
http://www.pixel2lif...oding/security/
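The two mechanisms discussed in posts #2 and #4 side by side: the escaping approach rc69 describes (stripslashes() only when magic_quotes_gpc is on, then mysql_real_escape_string(), and no strip_tags()), next to the unescaped concatenation it replaces, and the $_SERVER['HTTP_REFERER'] check with the caveat joe and rc69 both raise that the header is client-supplied. This is an added example, not code from the thread or from Mambo. It assumes a PHP 5 era setup with a MySQL link resource in $db from mysql_connect() and a hypothetical users table with username and password columns; the mysql extension was removed in PHP 7.0 and magic quotes in PHP 5.4, so the final function, which goes beyond the thread, shows the mysqli prepared-statement form that replaced string escaping and assumes a mysqli object in $mysqli.

```php
<?php
// Added example, not from the thread. Assumes $db is a MySQL link from
// mysql_connect() (PHP 5 era) and a hypothetical table `users`
// with columns username and password.

// Undo magic_quotes_gpc (PHP < 5.4) so the value is escaped exactly once.
// Escaping an already-backslashed value would store "O\\'Brien" instead of "O'Brien".
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// VULNERABLE (the "before"): user input concatenated straight into SQL,
// so a quote in the input changes the structure of the statement.
function login_query_unsafe($user, $pass)
{
    return "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
}

// What rc69 recommends: escape quotes and backslashes for the connection's
// charset. strip_tags() adds nothing here; '<' and '>' mean nothing to MySQL
// inside a quoted string once the quotes themselves are escaped.
function login_query_escaped($db, $user, $pass)
{
    $user = mysql_real_escape_string(raw_input($user), $db);
    $pass = mysql_real_escape_string(raw_input($pass), $db);
    return "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
}

// Referer check from post #2. The header is sent by the browser, so it can be
// absent (blocked by privacy or anti-virus software, as rc69 notes) or set to
// any value by the client (as joe suspects). Treat it as a weak sanity check,
// never as proof that the POST came from a form you served.
function referer_matches($expected_host)
{
    if (empty($_SERVER['HTTP_REFERER'])) {
        return null;                                  // unknown, not necessarily hostile
    }
    $host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    return $host !== null && strcasecmp($host, $expected_host) === 0;
}

// Beyond the thread: a parameterised query with mysqli. The values are sent
// separately from the SQL text, so no escaping step is needed at all.
// (Real code compares a password hash, not the plaintext column used here.)
function login_id_prepared(mysqli $mysqli, $user, $pass)
{
    $stmt = $mysqli->prepare('SELECT id FROM users WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $id : null;
}

// Usage in the script that receives the POST (Mambo routes it through index.php):
// if (referer_matches($_SERVER['HTTP_HOST']) === false) { /* log it and refuse */ }
// $sql    = login_query_escaped($db, $_POST['username'], $_POST['password']);
// $result = mysql_query($sql, $db);
```

The referer function deliberately returns three states (true, false, null) so a missing header can be logged separately from a mismatching one; rejecting every request without a referer would lock out the users whose software strips it.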

#5 joe

    Young Padawan

  • Members
  • 115 posts
  • Location:stuck in the middle of cyber space

Posted 02 April 2007 - 01:00 PM

rc69, on Apr 1 2007, 04:13 AM, said:

What I meant was, if you output the full path (domain and all), it is a waste of bandwidth. Granted, when you only have one form, you'll never notice it, but if you have a dozen forms and every one has the domain in the action, it can add up.
The relative path, the part after where the domain would be, is required no matter what. Neither is a security hole, they're just facts of life. If no file name is processed, then I'm willing to bet that the index handles it somehow, but again, I've never used Mambo or anything like that.

I'm not 100% sure where the HTTP_REFERER comes from, but I know if anti-virus software can block it, then I'm sure a user who knows what they are doing could probably change it.

Unfortunately, there is no gospel to creating a secure form. The only thing I can recommend is looking through the form and security sections to see if anything pops out.
http://www.pixel2lif...p_coding/forms/
http://www.pixel2lif...oding/security/

Thank you very much rc69 for your answers... :)
Mmmmm... I must learn a lot about security... :) :)
rc69, you are absolutely right... :) :)

rc69, thanx a lot...

best regards...
joe
