'Boget, Chris' wrote:
> 
> > Don't bother with checking the HTTP_REFERER - it can be easily forged.
> > There is a very simple solution to this problem -- validate the data from
> > the form!
> [snip] 
> > You should be doing this anyway, since who knows what the user could 
> > type in your input box. Never mind if somebody makes a copy of your 
> > form. Never never never trust the client.
> 
> I'm already doing this.  However, if I have a hidden variable containing
> a value of the current user I'm working with, that value can be changed
> to something else and it would pass the test.  However, I need to find a
> way to determine if something like that has happened.  That's where my
> description of what I was thinking of doing came from.

Well, anything you get back from the client will be as GET variables, I
think.  So, if your forms only use POST variables, and you've turned on
track_vars, then you can get your variables through $HTTP_POST_VARS,
like $foo = $HTTP_POST_VARS['foo'];  If I'm wrong on this, I'm sure
someone will let me know.

-- 
Curt Seeliger            
OAO Corporation, EPA/WED contractor 
541/754-4638           
[EMAIL PROTECTED]     

--
PHP General Mailing List (http://www.php.net/)
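
One way to detect the change asked about in the quoted question (a hidden field naming the current user being edited before the form comes back), as an added example that is not part of the original thread. It assumes PHP 7.1 or later; `SECRET_KEY`, the `user_id` field, the `_mac` suffix and the helper names are all hypothetical, and the submissions are constructed.

```php
<?php
// Added example, not code from the thread. SECRET_KEY is a placeholder:
// the real key stays on the server and is never sent to the browser.
const SECRET_KEY = 'constructed-demo-key-change-me';

// Tag covers the field name, its value and the session the form was issued to,
// so a tag copied from another field or another user's form does not verify.
// Length prefixes keep "ab"+"c" and "a"+"bc" from producing the same message.
function sign_field(string $name, string $value, string $sessionId): string
{
    $msg = strlen($name) . ':' . $name . '|' . strlen($value) . ':' . $value . '|' . $sessionId;
    return hash_hmac('sha256', $msg, SECRET_KEY);
}

// Emit the hidden value together with its tag.
function render_hidden(string $name, string $value, string $sessionId): string
{
    $n = htmlspecialchars($name, ENT_QUOTES);
    $v = htmlspecialchars($value, ENT_QUOTES);
    $t = sign_field($name, $value, $sessionId);
    return "<input type=\"hidden\" name=\"$n\" value=\"$v\">\n"
         . "<input type=\"hidden\" name=\"{$n}_mac\" value=\"$t\">";
}

// Return the value only if it is the one the server issued; null otherwise.
function verify_field(array $post, string $name, string $sessionId): ?string
{
    $value = $post[$name] ?? null;
    $tag   = $post[$name . '_mac'] ?? null;
    if (!is_string($value) || !is_string($tag)) {
        return null; // field missing, or submitted as an array (name[]=...)
    }
    // hash_equals compares in constant time.
    return hash_equals(sign_field($name, $value, $sessionId), $tag) ? $value : null;
}

// Constructed submissions standing in for $_POST.
$sid      = 'constructed-session-id';
$intact   = ['user_id' => '42', 'user_id_mac' => sign_field('user_id', '42', $sid)];
$edited   = ['user_id' => '43', 'user_id_mac' => $intact['user_id_mac']];
$stripped = ['user_id' => '42'];

echo render_hidden('user_id', '42', $sid), "\n";
var_dump(verify_field($intact, 'user_id', $sid));           // unchanged form
var_dump(verify_field($edited, 'user_id', $sid));           // value changed client-side
var_dump(verify_field($stripped, 'user_id', $sid));         // tag removed
var_dump(verify_field($intact, 'user_id', 'other-session')); // replayed in another session
```

A valid tag only shows that the value is the one the server put in the form for that session; whether the logged-in user may act on that record is still a separate authorization check. Keeping the value in server-side session data instead of the form avoids the round trip entirely.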