I’ve been reading up on PHP lately, and validation of user input is a common topic for obvious reasons. I’m not really into the hacking scene or doing anything malicious, but out of curiosity, I don’t understand how a malicious user would be able to change POST information. To clarify, here’s an excerpt out of the book I’m reading:
If a user can enter his or her state free form, then you have exposed yourself to getting states like
- New Yrok (Typo)
- Lalala (intentionally obscured)
A common tactic used to address this is to use drop down option boxes to provide users a choice of state. This only solves half the problem, though: You’ve prevented people from accidentally entering an incorrect state, but it offers no protection from someone maliciously altering their POST data to pass in a non-existent option.
– “Advanced PHP Programming by George Schlossnagle”
How would one even go about doing this? I understand why to prevent this, but it seems backwards in my logic to prevent something that I don’t fully understand.
Thanks
You cannot assume that processtheform.php will only get posted data from yourform.html. If they create their own HTML form on their own system (or anywhere else), they could use that to post to your processtheform.php code.
If processtheform.php took, say, a username (email address) which was hidden in the form and used it for sending that person an email, then a hacker could potentially change that information and have your program send people spam.
Basically, you cannot depend on the front-end script on yourform.html to make certain the data is clean and sent as it should be. processtheform.php needs to check and clean the data even if your front-end code already does it.
The only advantage of front-end cleaning is that it keeps the user on the same page and allows him to enter correct data before submitting – if that is not done on the front end, the user may need to re-enter all his info.
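As an added illustration of the server-side check described in the answer above (not code from the book or from either poster), this sketch shows how processtheform.php could validate the drop-down value against an allow-list instead of trusting the form. The `ALLOWED_STATES` list, the `state` field name and the `validated_state()` helper are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list. The same array should be used to render the
// <select> options, so the form and the check can never drift apart.
const ALLOWED_STATES = [
    'NY' => 'New York',
    'CA' => 'California',
    'TX' => 'Texas',
];

/**
 * Return the submitted state code if it is one of the allowed options,
 * otherwise null. $post stands in for $_POST so this runs offline.
 */
function validated_state(array $post): ?string
{
    $value = $post['state'] ?? null;

    // PHP parses a field named state[] into an array, so a request is not
    // guaranteed to deliver a string here. Check the type before anything else.
    if (!is_string($value)) {
        return null;
    }

    // Exact, case-sensitive match against the allow-list keys.
    return array_key_exists($value, ALLOWED_STATES) ? $value : null;
}

// Constructed sample submissions, not captured traffic.
$samples = [
    'drop-down choice'        => ['state' => 'NY'],
    'non-existent option'     => ['state' => 'Lalala'],
    'array instead of string' => ['state' => ['NY']],
    'field missing'           => [],
];

foreach ($samples as $label => $post) {
    $state  = validated_state($post);
    $result = $state === null ? 'rejected' : 'accepted: ' . ALLOWED_STATES[$state];
    printf("%-24s => %s\n", $label, $result);
}
```

The same principle covers the hidden email field mentioned in the answer: a value the server already knows belongs in server-side state such as the session rather than being read back from the form.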