HTML/Middle-click/Security question...
Zbigniew Koziol
softquake-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sat Mar 10 19:22:07 UTC 2007
On Saturday 10 March 2007 12:05, Madison Kelly wrote:
> - To prevent users trying to pass variables manually I wanted to
> restrict the program to only pick up variables that were POST'ed (which
> brings me to this thread). I've seen so many attacks that worked by
> passing screwed up strings after the script name (my logic for this).
> Also, I check that the source of the POST was my server (to hopefully
> prevent an attacker from making their own form on another server).
As someone noticed, there is in principle not much difference between POST and
GET. GET is easier to manipulate for losers who have no idea about
computers. POST requires intercepting HTTP requests, which is, however,
trivial as well.
Never ever determine values of GET or POST parameters in an automatic way, by
searching for supplied names of parameters. Instead, always use something
like this (PHP example):
$myvariable = $_POST['myvariable'];
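An added illustration of the point above (example code, not from the original thread): the first function imports whatever parameter names arrive, the pattern the reply warns against (equivalent to extract() or the old register_globals), and the second reads only the named parameters it expects. The request array, the `username` field and the `is_admin` flag are constructed for the example.

```php
<?php
// Added example, not from the original thread. Both functions take the
// request parameters as an array so the behaviour can be shown without a
// web server; in a real script the array would be $_POST (or $_GET).

// Vulnerable: "automatic" import of every supplied parameter name.
// A request carrying is_admin=1 silently overwrites the locally computed
// $is_admin, because the attacker chooses the variable names.
function handle_automatic(array $params): string
{
    $is_admin = false;                  // computed locally, meant to be trusted
    foreach ($params as $name => $value) {
        $$name = $value;                // same effect as extract()/register_globals
    }
    return $is_admin ? 'admin page' : 'user page';
}

// Hardened: read only the parameters the script actually expects, by name,
// and validate each one before use. Unknown names are simply ignored, so an
// extra is_admin field has no effect.
function handle_explicit(array $params): string
{
    $is_admin = false;
    $username = $params['username'] ?? '';
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $username)) {
        return 'bad request';
    }
    return $is_admin ? 'admin page' : "user page for $username";
}

// Constructed request: one legitimate field plus one the script never asked for.
$request = ['username' => 'alice', 'is_admin' => '1'];

echo handle_automatic($request), "\n";   // the injected flag wins here
echo handle_explicit($request), "\n";    // the injected flag is ignored here
```

Whether the parameters came in via GET or POST, or with a matching Referer header, changes nothing in either function; only the explicit lookup keeps the attacker from naming the variables.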
No, JavaScript is not insecure. It is however insecure when JavaScript is
written in a silly way or when viewers of the web page are silly.
The best Internet security is achieved when one does not use the Internet at
all.
> I am quite curious to know how people go about protecting against
> users manually creating URLs with bogus/malicious code/variables.
>
zb.
> Madison
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists