FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Validate Radio Buttons?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Validate Radio Buttons? [message #182397 is a reply to message #182386] Fri, 02 August 2013 23:51 Go to previous messageGo to previous message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma:
Senior Member
On 2013-08-01 9:25 PM, Christoph Michael Becker wrote:
> Jerry Stuckle wrote:
>
>> On 8/1/2013 5:16 PM, Twayne wrote:
>>> On 2013-07-31 3:07 PM, Jerry Stuckle wrote:
>>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>>> > Hi all,
>>>> >
>>>> > I was wondering what the general consensus might be on this:
>>>> >
>>>> > Should one Validate Radio Buttons for an online website contact form?
>>>> >
>>> ...

....

>
> To better understand potential exploits, you may start with RFC 2616,
> the specification of HTTP/1.1[1]. Then you may go along doing some
> simple telnet sessions, e.g.
>
> $ telnet example.com 80
> Trying 93.184.216.119...
> Connected to example.com.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: example.com
>
> HTTP/1.1 200 OK
> [...]
>
> You may augment your understanding of the HTTP protocol by inspecting
> the HTTP headers that are actually sent and received by a browser (for
> instance, Firefox has Tools->Live HTTP headers). You may reconstruct
> some requests done from the browser with telnet, where you may change
> some of the header fields, watching the results. A trivial example:
> create a file test.php and put it in the web root of your localhost:
>
> <?php
>
> echo $_SERVER['HTTP_HOST'];
>
> Then do:
>
> $ telnet localhost 80
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET /test.php HTTP/1.1
> Host: surprise
>
> HTTP/1.1 200 OK
> Date: Fri, 02 Aug 2013 01:13:23 GMT
> Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
> X-Powered-By: PHP/5.4.7
> Content-Length: 8
> Content-Type: text/html
>
> surprise
>
> Finally you may simplify and automate such requests by using cURL[2] or
> the PHP cURL extension[3], for example.
>
>> No problem at all. I just build a page on my site (or locally if I have
>> a web server installed) and have the form's action= point at the script
>> on your site. I can place anything I want on the page and it will be
>> sent to your script.
>>
>> There is nothing which requires input to your site to come from a form
>> on your site. It can come from anywhere - something hackers use to
>> their advantage.
>
> As Twayne is checking the referrer, you'd have to spoof that too. Of
> course that is no big deal either, but it should be noted.
>
> [1] <http://tools.ietf.org/html/rfc2616>
> [2] <http://curl.haxx.se/>
> [3] <http://php.net/manual/en/book.curl.php>
>


Hmm, good post Chris! I'll see where that takes me.

Thanks
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: sql order but move some rows bottom
Next Topic: OPcache in php5.5.1 on Windows
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 14:50:41 GMT 2024

Total time taken to generate the page: 0.04144 seconds