Re: FN-FORUM: PHP PostData security
date posted 27th May 2007 22:25
I think it's something to do with the fact that users can change post data
whereas they cannot change session data. For example, if the text is
validated on the form and then posted, the page the data is sent to will
receive the validated data. If the user then changes the post data (not sure
how it's done) and refreshes the page, they avoid the validation on the form
page.

This is just bits and bobs I pieced together off the net so may well be way
off. Having the data in a session variable doesn't cause the 'Do you want to
resend POSTDATA' message, so I think it solves the problem (if there is
one). I can't find anything on the internet about the vulnerability so it
may well be incorrect, I just wanted to check really.

It was someone off the list, I'm not sure I'm allowed to say who though. It
just came up in conversation. They said something about if the message is
shown the site could well be vulnerable to database attacks...

Sorry all this info is so vague but I was hoping someone else could fill in
the blanks...

Thanks
James
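The point the post circles around is that the browser (or anything else speaking HTTP) can send whatever POST body it likes, so checks done on the form page mean nothing to the script that receives the data; that script has to validate for itself, and the 'resend POSTDATA' prompt is avoided by storing the validated values in the session and redirecting (POST-redirect-GET). The following is an added illustration written for this page, not code from the thread or from anyone on the list; the field names `username` and `age`, the `profile.php` path, the `users` table and the `$pdo` connection are assumptions.

```php
<?php
// Added example, not from the original thread. Field names, the redirect
// target and the database table are assumptions made for illustration.
declare(strict_types=1);

session_start();

/**
 * Re-validate the raw POST fields on the receiving script. Anything done on
 * the form page can be bypassed, so nothing in $post is trusted here.
 * Returns a list of error strings; an empty list means the input is valid.
 */
function validate_post(array $post): array
{
    $errors = [];

    $username = $post['username'] ?? '';
    // Only a plain string of a restricted character set and length is accepted.
    if (!is_string($username) || preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) !== 1) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }

    // filter_var returns false for a missing, non-numeric or out-of-range value.
    $age = filter_var(
        $post['age'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]
    );
    if ($age === false) {
        $errors[] = 'age must be a whole number between 13 and 120';
    }

    return $errors;
}

/**
 * Persist the validated values with a prepared statement. Even validated
 * input is bound as a parameter, never concatenated into the SQL text.
 * (Assumed schema: users(username, age).)
 */
function save_profile(PDO $pdo, string $username, int $age): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, age) VALUES (:username, :age)');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_post($_POST);

    if ($errors === []) {
        $username = $_POST['username'];
        $age      = (int) $_POST['age'];

        // $pdo is assumed to be an existing PDO connection configured elsewhere.
        // save_profile($pdo, $username, $age);

        // Keep only the validated values in the session, then redirect with a
        // 303 so that a refresh re-issues a GET: the browser never offers to
        // resend the POST body, and the form page's validation is never the
        // only line of defence.
        $_SESSION['profile'] = ['username' => $username, 'age' => $age];
        header('Location: /profile.php', true, 303);
        exit;
    }

    http_response_code(400);
    foreach ($errors as $error) {
        echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}
```

The receiving script is the one place where validation cannot be skipped, so it is the one place that must do it; the session then holds values the server itself has checked, which is why a later page can read `$_SESSION['profile']` without repeating the work. The prepared statement in `save_profile` covers the 'database attacks' worry separately from validation: parameter binding keeps the data out of the SQL text regardless of what the validation let through.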