posting form info to a page

Discussion in 'Computer Security' started by cosmic foo, Jul 19, 2005.

  1. cosmic foo

    cosmic foo Guest

    Would I be correct to assume that anything
    can be posted, it's up to the receiving page
    to deal with what it receives?
    So one may as well assume that a hacker
    can figure out what a page expects or
    doesn't expect to receive, and post
    whatever they feel like trying.
    So it would be incorrect to assume that
    just because someone cannot get to a page,
    that they cannot post to the page that it posts to.
    So it's important to put as much security as
    possible into the page being posted to, and
    thinking that hidden form fields are actually
    hiding anything is a mistake, and creating any
    sort of generic post page that updates records
    in a database may be impossible to secure.
    At the very least, one should verify that the
    current user has the right to update a particular
    record in a particular table, and then one
    might want to keep an audit trail, as well as
    take some measure to inhibit page scraping.
    Any thoughts??
     
    cosmic foo, Jul 19, 2005
    #1

  2. SJ

    SJ Guest

    cosmic foo wrote:
    > Would I be correct to assume that anything
    > can be posted, it's up to the receiving page
    > to deal with what it receives?
    > So one may as well assume that a hacker
    > can figure out what a page expects or
    > doesn't expect to receive, and post
    > whatever they feel like trying.
    > So it would be incorrect to assume that
    > just because someone cannot get to a page,
    > that they cannot post to the page that it posts to.
    > So it's important to put as much security as
    > possible into the page being posted to, and
    > thinking that hidden form fields are actually
    > hiding anything is a mistake, and creating any
    > sort of generic post page that updates records
    > in a database may be impossible to secure.


    I disagree. Every server-side application/script
    must sanitize and validate its input. All variables.
    It should check the input is syntactically correct
    (e.g. only numbers) and it has a correct meaning
    (e.g. a valid email address).

    Additionally you may authenticate users before
    submitting data to your database, thus you may
    track your rude users down.

    SJ
     
    SJ, Jul 20, 2005
    #2
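As an added example (not code from either poster), here is one way a receiving page can apply the points both posts make: validate every field syntactically and semantically, take the acting user from the server-side session rather than from any hidden form field, check that the user owns the record before updating it, and keep an audit trail. The SQLite schema and sample rows are constructed here for illustration.

```python
import re
import sqlite3

# Syntactic pattern for an e-mail address; the length cap is checked separately.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def setup_db():
    """Constructed in-memory schema: profiles owned by users, plus an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, owner TEXT, email TEXT)")
    conn.execute("CREATE TABLE audit (actor TEXT, action TEXT, record_id INTEGER, outcome TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")])
    conn.commit()
    return conn


def handle_update(conn, session_user, form):
    """Process a POST that updates a profile's e-mail.

    session_user comes from the server-side session; nothing in `form`
    (including any hidden 'owner' or 'user' field) is trusted for identity.
    Returns an HTTP-style status string and records every outcome in `audit`.
    """
    def audit(outcome, record_id):
        conn.execute("INSERT INTO audit VALUES (?, ?, ?, ?)",
                     (session_user, "update_email", record_id, outcome))
        conn.commit()

    # Syntactic check: the record id must be a plain integer.
    rid_raw = str(form.get("id", ""))
    if not re.fullmatch(r"\d{1,9}", rid_raw):
        audit("rejected:bad_id", None)
        return "400 Bad Request"
    rid = int(rid_raw)

    # Semantic check: the new value must be a plausible e-mail address.
    email = str(form.get("email", "")).strip()
    if len(email) > 254 or not EMAIL_RE.match(email):
        audit("rejected:bad_email", rid)
        return "400 Bad Request"

    # Authorization: the session user must own the record being changed.
    row = conn.execute("SELECT owner FROM profiles WHERE id = ?", (rid,)).fetchone()
    if row is None or row[0] != session_user:
        audit("rejected:not_owner", rid)
        return "403 Forbidden"

    conn.execute("UPDATE profiles SET email = ? WHERE id = ?", (email, rid))
    audit("ok", rid)
    return "200 OK"
```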
