FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Validate Radio Buttons?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Validate Radio Buttons? [message #182387 is a reply to message #182386] Fri, 02 August 2013 02:10 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 8/1/2013 9:25 PM, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>
>> On 8/1/2013 5:16 PM, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>> >
>>> ...
>>>
>>>>
>>>> Good practice means you ALWAYS validate ALL information from the user.
>>>> You may have a radio button on your form - but there is no guarantee the
>>>> request comes on from your form.
>>>>
>>>> I can easily build a page which has invalid information and submit it to
>>>> your site. Or even use tools like cURL to feed your site invalid
>>>> information.
>>>>
>>>
>>> Care to share the "how" of doing that, or better yet some code? This
>>> particular form isn't "live" yet or I'd put it somewhere and let you at
>>> it if I didn't have orders to the contrary from on-high :)
>>> I've done my best but it's obviously not enough or my questions
>>> wouldn't exist.
>
> To better understand potential exploits, you may start with RFC 2616,
> the specification of HTTP/1.1[1]. Then you may go along doing some
> simple telnet sessions, e.g.
>
> $ telnet example.com 80
> Trying 93.184.216.119...
> Connected to example.com.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: example.com
>
> HTTP/1.1 200 OK
> [...]
>
> You may augment your understanding of the HTTP protocol by inspecting
> the HTTP headers that are actually sent and received by a browser (for
> instance, Firefox has Tools->Live HTTP headers). You may reconstruct
> some requests done from the browser with telnet, where you may change
> some of the header fields, watching the results. A trivial example:
> create a file test.php and put it in the web root of your localhost:
>

I am *quite* familiar with the HTTP protocol, having worked with it for
close to 20 years. But there is no need to get into that level,
especially with a relative newbie like Twayne. It only confuses the issue.

A simple page with an HTML form what directs to the page is sufficient
to show how the page can be exploited.


> <?php
>
> echo $_SERVER['HTTP_HOST'];
>
> Then do:
>
> $ telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /test.php HTTP/1.1
> Host: surprise
>
> HTTP/1.1 200 OK
> Date: Fri, 02 Aug 2013 01:13:23 GMT
> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
> X-Powered-By: PHP/5.4.7
> Content-Length: 8
> Content-Type: text/html
>
> surprise
>
> Finally you may simplify and automate such requests by using cURL[2] or
> the PHP cURL extension[3], for example.
>
>> No problem at all. I just build a page on my site (or locally if I have
>> a web server installed) and have the form's action= point at the script
>> on your site. I can place anything I want on the page and it will be
>> sent to your script.
>>
>> There is nothing which requires input to your site to come from a form
>> on your site. It can come from anywhere - something hackers use to
>> their advantage.
>
> As Twayne is checking the referrer, you'd have to spoof that too. Of
> course that is no big deal either, but it should be noted.
>
> [1] <http://tools.ietf.org/html/rfc2616>
> [2] <http://curl.haxx.se/>
> [3] <http://php.net/manual/en/book.curl.php>
>

Yes, it is quite simple to check the referrer. However, that's a poor
thing to check, because it isn't a required field and may not be set.
Additionally, some firewalls/security products will strip the
HTTP_REFERER before sending the data (Norton has been famous for this in
the past - I don't know if they still do it).

The result is checking HTTP_REFERER will keep out more valid users than
it will block hackers.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: sql order but move some rows bottom
Next Topic: OPcache in php5.5.1 on Windows
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Dec 01 05:29:13 GMT 2024

Total time taken to generate the page: 0.04503 seconds