Freelancers Network
 
skill list top cap
Homepage
Join the Freelancer's Network
Update your details
Find a freelancer
Post a project
Find a project
Projects Archive
Post a job
Find a job
Jobs Archive
See Dan's Pages
See Andy's Pages
Link to this site
Resources
Join/Leave Forum
Forum Messages
+Additions+ Adverts
Advertising
Contact Us
Subscribe to our newsletter - enter your email address and hit return
Freelancers.net is owned and operated by Andy Stowell and Dan Winchester
skill list end cap
guru web hostcom

Find me again on Freelancers.net

Re: FN-FORUM: PHP PostData security

date posted 27th May 2007 22:31

On Sun, May 27, 2007 at 08:13:26PM -0000, James Herrington wrote:
>
> Hi,
>
> I was informed recently of a security risk with post data submitted from
> forms in PHP. I was told that if a message is displayed asking the user to
> ressend data when the page is refreshed then the website is potentially
> insecure.

I think that your informant demonstrates that a little knowledge is a dangerous thing.

You have 2 sorts of forms:

1) GET forms, the form values are passed to the web server as part of the URL after a '?'.
You are recommended to use GET forms where the form is idempotent - ie always returns
the same answer no matter how many times you submit it, eg looking up a train time table[**].

2) POST forms, the form values are passed up along with cookies & other values.
You are recommended to use POST forms for where things change or an action takes
place - eg booking a theatre ticket; with something like this you might not want
to sumbit the form twice (and end up with 2 lots of tickets), so most browsers
will pop up a "do you want to resubmit POST form data" warning if you refresh
(resubmit) one of these forms.

So:

a) with POST forms there is a risk if the form is sumbitted twice. I would not call
it a "security risk", but you may indeed end up with something that is not wanted.

b) The message is displayed by the browser, there is nothing that the web site can do
about it if the user hits the back button & resubmits.

c) If the result of submitting a POST form twice could be undesirable, then good web
sites will check for this and refuse to accept the form twice & tell the user or
something like that. Many web sites don't check for double submission of POST forms.

> I've done a quick search on google which returned very little however i
> found a site that suggested a processing script that put all post variables
> into a session and then redirected to the main script, which i have now
> done.

Errm: why would you want to do that ? How does that make your web site more secure ?

> First of all does anyone know if this is really a risk and if so would the
> above solution have eliminated that risk?


[**] OK, we do live in the UK, so maybe that wasn't the best choice of example.

--
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
#include



Messages by Day
May 31st 2007
May 30th 2007
May 29th 2007
May 28th 2007
May 27th 2007
May 26th 2007
May 25th 2007
May 24th 2007
May 23rd 2007
May 22nd 2007
May 21st 2007
May 20th 2007
May 19th 2007
May 18th 2007
May 17th 2007
May 16th 2007
May 15th 2007
May 14th 2007
May 13th 2007
May 12th 2007
May 11th 2007
May 10th 2007
May 9th 2007
May 8th 2007
May 7th 2007
May 6th 2007
May 5th 2007
May 4th 2007
May 3rd 2007
May 2nd 2007
May 1st 2007


Messages by Month
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007


Messages by Year
2008
2007
2006
2005
2004
2003
2002
2001
2000