
Re: Form Design Advice

From: Mike Ellsworth <nhrcommu(at)rochester(dot)rr(dot)com>
To: pgsql-novice(at)postgresql(dot)org
Subject: Re: Form Design Advice
Date: 2005-03-04 18:04:29
Message-ID: 4228A32D.5080202@rochester.rr.com
Lists: pgsql-novice
Thanks for all that have contributed to this thread.

It has been very helpful for an 'about to happen' project.

Mike Ellsworth

Bruno Wolff III wrote:

>On Fri, Mar 04, 2005 at 11:00:24 -0600,
>  Ross Gohlke <ross(at)grinz(dot)com> wrote:
>
>>>>I'm not sure I understand. How could a user send incorrect data types if
>>>>the types are included as hidden fields? Since the variables are
>>>>declared as coming from $_POST, they cannot send anything in the URL.
>>>
>>>Nothing stops anyone from copying the "View Source" of a webpage to a
>>>local file, modifying it as they wish, and then pointing their web
>>>browser at the local file and submitting from that.
>>
>
>In fact I have actually done that a few times. Though usually to get
>around javascript limitations rather than mess with hidden fields.
>
>>OK, fair enough. In fact, the hidden fieldtypes in the form are
>>unnecessary in addition to being unsafe. But you still have the correct 
>>fieldtypes in the array you initially derived from your call, so you can 
>>still prevent any funny business such as mentioned above.
>
>That is pretty much my suggestion. You want to get the data from the server
>side.
>
>A key rule for security in client-server applications is to never trust
>anything done by the client. (You can have the client do some calculations
>on its end to save needlessly bothering the server. You just can't trust
>those calculations when data is passed to the server.)
>
>---------------------------(end of broadcast)---------------------------
>TIP 6: Have you searched our list archives?
>
>               http://archives.postgresql.org
>
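The advice in the quoted reply above, that the field types come from the server side and nothing the client sends is trusted, as an added example. This is not code from anyone in the thread; it is written in Python rather than the PHP the thread discusses, and the "members" table, its column types, the posted form body and the hidden "type_*" fields are all constructed here for illustration. The catalog query is shown as the SQL a real handler would run against information_schema; its result is embedded as a constructed sample so the block runs without a database.

```python
"""Server-side form handling that ignores client-supplied field types.

Added example for the advice in this thread; not code from any poster.
Table name, column types and the posted form data are constructed.
"""
from datetime import date
from decimal import Decimal, InvalidOperation

# The query a request handler would run (for example through psycopg2) to
# learn the real column types of the table the form targets. The table
# name is passed as a parameter and must come from server configuration,
# never from the request.
COLUMN_TYPES_SQL = """
SELECT column_name, data_type
  FROM information_schema.columns
 WHERE table_schema = 'public' AND table_name = %s
 ORDER BY ordinal_position
"""

# Constructed stand-in for that query's rows for a hypothetical
# "members" table, so the example runs offline.
SERVER_COLUMN_TYPES = {
    "member_id": "integer",
    "name": "character varying",
    "balance": "numeric",
    "joined": "date",
}


class FormError(ValueError):
    """Raised when a submitted value does not fit the catalog type."""


def parse_value(pg_type, raw):
    """Convert one submitted string to a Python value for a PostgreSQL type."""
    try:
        if pg_type in ("smallint", "integer", "bigint"):
            return int(raw, 10)          # rejects "42; DROP TABLE", "1e3", ""
        if pg_type == "numeric":
            return Decimal(raw)
        if pg_type == "date":
            return date.fromisoformat(raw)
        if pg_type in ("character varying", "text"):
            return str(raw)
    except (ValueError, TypeError, InvalidOperation):
        raise FormError(f"bad value for {pg_type}: {raw!r}") from None
    raise FormError(f"unsupported column type: {pg_type}")


def validate_form(column_types, posted):
    """Return {column: typed value}, driven only by server-known columns.

    Every real column must be present and must parse as its catalog type.
    Extra keys in the POST body, including any hidden "type_*" fields the
    page emitted and the client may have rewritten, are never consulted.
    """
    cleaned = {}
    for column, pg_type in column_types.items():
        if column not in posted:
            raise FormError(f"missing field: {column}")
        cleaned[column] = parse_value(pg_type, posted[column])
    return cleaned


def is_rejected(column_types, posted):
    """True if validate_form refuses the submission."""
    try:
        validate_form(column_types, posted)
    except FormError:
        return True
    return False


def build_insert(table, cleaned):
    """Parameterized INSERT: identifiers come from the server-side catalog,
    values travel as query parameters, so nothing from the client is
    spliced into the SQL text."""
    columns = list(cleaned)
    sql = "INSERT INTO {} ({}) VALUES ({})".format(
        table, ", ".join(columns), ", ".join(["%s"] * len(columns)))
    return sql, [cleaned[c] for c in columns]


# Constructed POST body: the real fields are intact, but the client also
# sent back hidden type fields claiming two numeric columns are text.
TAMPERED_POST = {
    "member_id": "42",
    "name": "Mike",
    "balance": "12.50",
    "joined": "2005-03-04",
    "type_member_id": "text",
    "type_balance": "text",
}

# Same submission with an injection attempt in an integer field.
INJECTED_POST = dict(TAMPERED_POST, member_id="42; DROP TABLE members")

if __name__ == "__main__":
    cleaned = validate_form(SERVER_COLUMN_TYPES, TAMPERED_POST)
    print(cleaned)                                          # no type_* keys
    print(build_insert("members", cleaned))
    print(is_rejected(SERVER_COLUMN_TYPES, INJECTED_POST))  # True
```

The hidden type fields in the tampered body are simply never read: the loop walks the server's column list, not the request's keys, so a client that rewrites or adds fields can at most get its submission rejected. The parsed values are then handed to the driver as parameters, which is what keeps the integer field's "; DROP TABLE" attempt from ever reaching the SQL text even before the type check rejects it.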

Copyright © 1996-2014 The PostgreSQL Global Development Group