Stut wrote:
> You could put a hash value into a hidden field on the form, and
> also store it in the session. When the form is submitted only
> accept it if the hashes match.
> 
> However, this is very easy to get around, so I suggest you
> consider why you think you need this level of checking. Assuming
> you're properly validating and escaping all input coming from
> outside the app, IMHO this type of "security" should not be needed.

It can be useful when you want to verify intent, which is an important
consideration these days:

http://shiflett.org/articles/cross-site-request-forgeries

(I have an update that I need to publish, but this should be enough to
explain the potential problems this technique can help prevent.)

Chris

-- 
Chris Shiflett
http://shiflett.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
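The hidden-field-plus-session token that Stut describes, written out as an added example (not code from the thread or from Chris's article). It assumes nothing beyond standard PHP 7+: the session array is passed in explicitly so the demo runs from the command line without session_start(), and the form action "/transfer" and the field name "csrf_token" are arbitrary names chosen for illustration.

```php
<?php
// Added example: per-session anti-CSRF token stored in the session and
// echoed into a hidden form field, then compared on submission.
declare(strict_types=1);

// Create the token once per session (or reuse it) and return it for the form.
// $session is the array you would normally pass as $_SESSION.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token']) || !is_string($session['csrf_token'])) {
        // random_bytes() is a CSPRNG; a predictable value (md5(time()), a
        // user id, a counter) would let an attacker forge the hidden field.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Accept the submission only if the hidden field matches the session copy.
function csrf_check(array $session, array $post): bool
{
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so response timing does not
    // leak how many leading bytes of a guess were correct.
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Emit the form with the token in a hidden field. The token is hex, but it
// is escaped anyway so the habit carries over to arbitrary values.
function render_form(string $token): string
{
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/transfer">' . "\n"
         . '  <input type="hidden" name="csrf_token" value="' . $t . '">' . "\n"
         . '  <input type="text" name="amount">' . "\n"
         . '  <input type="submit" value="Transfer">' . "\n"
         . '</form>';
}

// --- Demo with a constructed session array (no real PHP session) ---
$session = [];
$token = csrf_token($session);
echo render_form($token), "\n";

// Legitimate submission: the browser posts the hidden field back.
var_dump(csrf_check($session, ['csrf_token' => $token, 'amount' => '100']));

// Forged cross-site submissions: the attacker's page cannot read the
// victim's token, so the field is absent or wrong.
var_dump(csrf_check($session, ['amount' => '100']));
var_dump(csrf_check($session, ['csrf_token' => 'guess', 'amount' => '100']));
```

In a real request handler you would call session_start() and pass $_SESSION to csrf_token() when rendering, then reject any state-changing POST for which csrf_check($_SESSION, $_POST) is false. The first var_dump above is true and the other two are false. The check only holds up if the token is unpredictable, is never placed in a URL or in a response an attacker can read cross-origin, and is sent over HTTPS; it does nothing against a script that is already running in the victim's origin, which is what Stut's "easy to get around" caveat and Chris's point about input validation both come down to.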