
Re: Form Problem.

  • Thanos Chatziathanassiou
    Message 1 of 5, Jul 21, 2003
      Well, the previous post pretty much posed an interesting question..
      Since you're going to verify everything yet again, as the user is moving
      to purchase, what's the problem with a bad guy playing around with the
      form a bit ?
      Anyways, here we go...

      KUNAL PAREKH wrote:

      >If I make a session variable like this:
      >$Session->{SomethingRandom} =
      >"Qty_$itemCode=2&Qty_$itemCode=3......"
      >
      >That could work. However can this session variable be
      >made on the same page as "products.asp" as soon as the
      >form "Submit" button is clicked? If yes please let me
      >know how.
      >
      Actually, I was thinking more in the sense of:
      --snip products.asp--
      <%
      $Session->{'random'} = time();
      %>
      <form action="verify.asp"......
      --snip products.asp--

      --snip verify.asp--
      <%
      if ($Session->{'random'} < (time()-7200) ) {
          # $Session->{'random'} has not been set in the last 2 hours....
          die "Bad boy!!!\n";
      }
      ....
      %>
      --snip verify.asp--

      >>b) check the HTTP_REFERER and reject if it's not the
      >>one You're
      >>expecting (the page the form is in)
      >>
      >>
      >I will have to read more about this. I am not familiar
      >with this method.
      >
      Something like :
      --snip verify.asp--
      <%
      if ($Request->ServerVariables('HTTP_REFERER') !~ /products\.asp/) {
          # HTTP_REFERER SHOULD point to the page where the user was selecting products
          die "Bad boy!!!\n";
      }
      ....
      %>
      --snip verify.asp--

      >>c) using POST instead of GET, so as not to worry
      >>about the amount of
      >>user input (and making it a little more complicated
      >>to ``fabricate'' a
      >>request by hand).
      >>
      >>
      >
      >The problem with POST and GET method is I will have to
      >name each form variable. This is not possible in my
      >case as I am naming the variables as "Qty_$itemCode"
      >where $itemCode comes from the "products" database and
      >I expect it to change very often. I think I understood
      >right what you were saying however if I missed the
      >point let me know.
      >
      I didn't realize you're parsing the QueryString by hand..
      You can, of course, do the same with POST, just look for $Request->Form
      (reference to a hash - see Apache::ASP site for details) and iterate
      over the keys.
      Or even (OK, I know I'm pushing things a bit, but), if you don't feel
      comfortable with that...
      how about creating a hidden form element, where you just name the fields
      you should be collecting, something like
      <input type="hidden" name="index" value="Qty_$itemCode">

      >>d) obfuscating the form input, so as not to make it
      >>so obvious.
      >>
      >>
      >No. There is no limitation of obfuscation. There is
      >always a possibility of someone outsmarting you.
      >
      Fair enough...

      Regards,
      Thanos Chatziathanassiou
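An added example, not code from the thread or from Apache::ASP, of the server-side re-verification the reply keeps coming back to: it rejects a stale session stamp, walks the submitted Qty_<itemCode> keys the way the reply suggests for $Request->Form, and accepts only item codes from a product list with the server's own prices. The %catalog, verify_order and the sample %form are assumptions made up for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the "products" table: item code => unit price.
my %catalog = ( A100 => 9.99, B200 => 24.50 );

# Server-side check: reject a stale session stamp, then rebuild the order
# only from Qty_<itemCode> fields whose code exists in the catalog, pricing
# every line from the server's table rather than anything the client sent.
# $form is a hash ref like $Request->Form; $stamp is $Session->{'random'}.
sub verify_order {
    my ($form, $stamp, $now) = @_;
    return (undef, 'stale session')
        if !defined $stamp || $stamp < $now - 7200;

    my (%lines, $total);
    for my $key (sort keys %$form) {
        next unless $key =~ /\AQty_(\w+)\z/;     # only quantity fields
        my $code = $1;
        return (undef, "unknown item $code") unless exists $catalog{$code};
        my $qty = $form->{$key};
        return (undef, "bad quantity for $code")
            unless defined $qty && $qty =~ /\A\d{1,4}\z/;
        next if $qty == 0;
        $lines{$code} = $qty * $catalog{$code};
        $total += $lines{$code};
    }
    return (undef, 'empty order') unless %lines;
    return ({ lines => \%lines, total => $total }, undef);
}

# Constructed submission: the client-supplied Price_A100 field is ignored
# because only Qty_ keys are read and prices come from %catalog.
my %form = ( Qty_A100 => 2, Qty_B200 => 0, Price_A100 => '0.01' );
my $now  = time();
my ($order, $err) = verify_order(\%form, $now - 60, $now);
print $err ? "rejected: $err\n" : "total: $order->{total}\n";
```

The Referer test from the thread is left out here because that header is supplied by the client and is often absent or stripped by browsers and proxies, so it adds false rejections rather than assurance; the catalog lookup and server-side pricing are what actually stop a tampered form.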



