
[nycphp-talk] JavaScript List?

Analysis & Solutions danielc at analysisandsolutions.com
Fri Jul 19 14:06:55 EDT 2002


On Fri, Jul 19, 2002 at 11:36:07AM -0400, Edgar Reyes wrote:
> First of all you can download the HTML and do whatever you want with it,
> but unless you have FTP access to that server you will not be able to submit
> that page, even if you change the action on the form

"What we have here is a failure to communicate."  FTP has nothing to do
with this.  I'm not editing the script on the server.  I edit the HTML
form on my hard drive, view the form from my hard drive using my web
browser, enter the data into it, click on the submit button, an HTTP
connection is opened to the web server I got the form from, all of the
data I entered into my hacked form is sent over that HTTP connection and
passed to the target script on your server, just as if I submitted the
form that was on your server.


> Within all my
> scripts I check where the page is coming from and if it is not from my domain
> it is not going to be executed.

While that's good, it's not foolproof.  I can throw an HTTP_REFERER into
my request headers that contains the URI that you'd expect.


> Let's just face it, there are many ways of doing
> things. If you don't like to use JavaScript to save time and resources, that's
> your prerogative.

Maintaining two validation code bases (client side and server side)
doesn't save time.  And not maintaining server side validation is
insecure, therefore it's not a way things should be done.

Enjoy,

--Dan

-- 
               PHP classes that make web design easier
        SQL Solution  |   Layout Solution   |  Form Solution
    sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY     v: 718-854-0335     f: 718-854-0409
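The two points Dan makes above (a locally edited copy of the form posts to the original action URL over plain HTTP, and the Referer header is whatever the sender puts in it) can be shown end to end without a network. The following is an added example written for this archive page, not code from the thread, NYPHP or any of the products in the signature. It builds the raw HTTP request an edited form would produce, runs it through the kind of Referer check described in the thread, and then through a server-side validator that does not trust the client at all. The host `www.example.com`, the path `/cgi-bin/order.php`, the field names and the quantity limit are all hypothetical.

```python
"""Forged form post versus server-side validation.

Added illustration for the thread above.  Host, path, field names and the
quantity limit are hypothetical; the submitted values are constructed here.
"""
import re
from urllib.parse import parse_qs, urlencode

EXPECTED_ORIGIN = "http://www.example.com"  # hypothetical site that serves the form
MAX_QTY = 10                                # hypothetical limit the page's JavaScript enforces


def forge_post(host, path, fields, referer):
    """Build the raw HTTP/1.1 request a browser would send for the form,
    but with caller-chosen field values and Referer.  This is an ordinary
    HTTP request; no FTP or server access is involved."""
    body = urlencode(fields)
    lines = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"Referer: {referer}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        "",
    ]
    return ("\r\n".join(lines) + body).encode("ascii")


def parse_request(raw):
    """Split a raw request into (headers, fields), roughly what the web
    server and PHP do before the target script sees $_SERVER and $_POST."""
    head, _, body = raw.decode("ascii").partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return headers, fields


def referer_is_local(headers):
    """The check from the thread: accept only if HTTP_REFERER is on our domain.
    Any client that simply sends the expected value passes it."""
    return headers.get("referer", "").startswith(EXPECTED_ORIGIN + "/")


def validate_fields(fields):
    """Server-side validation that depends on nothing the client did.
    Returns a list of error strings; an empty list means acceptable."""
    errors = []
    if not fields.get("name", "").strip():
        errors.append("name: required")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", fields.get("email", "")):
        errors.append("email: not a valid address")
    qty = fields.get("qty", "")
    if not qty.isdigit() or not 1 <= int(qty) <= MAX_QTY:
        errors.append(f"qty: must be an integer from 1 to {MAX_QTY}")
    return errors


def handle(raw):
    """Simulate the target script: the referer check first, then real validation."""
    headers, fields = parse_request(raw)
    if not referer_is_local(headers):
        return "rejected: bad referer", fields
    errors = validate_fields(fields)
    if errors:
        return "rejected: " + "; ".join(errors), fields
    return "accepted", fields


if __name__ == "__main__":
    # Constructed submission from an edited local copy of the form: the
    # JavaScript that limited qty and checked the email never ran, and the
    # Referer is simply typed into the request.
    raw = forge_post(
        host="www.example.com",
        path="/cgi-bin/order.php",
        fields={"name": "", "email": "not-an-address", "qty": "9999"},
        referer=EXPECTED_ORIGIN + "/order.html",
    )
    print(raw.decode())
    print(handle(raw)[0])
```

Running it shows the forged request clearing the Referer check and being stopped only by `validate_fields`; swap the Referer for some other origin and the first check rejects it, which is all that check can ever do against a client that forgot to lie.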