Forms & Refresh Question & General Form Security

Erik Baker gypsyfella at earthlink.net
Wed May 14 08:37:08 EDT 2003


Hey All,

I wanted to start by saying how useful I find these mailing lists.  Although this is the first time that I'm submitting a question, I have found following the threads from other people's questions very valuable as I move into becoming an intermediate PHPer.

That said, I have a question regarding forms and protecting them against browser refreshes.  I have written a PHP program that emails a user's password to their registered email address upon request.  The main program looks like this:

	//HARVEST VARIABLES
	$query_msg = $_POST['query_msg'];
	$login = $_POST['login'];
	$email = $_POST['email'];
	
	//MAIN
	if (!empty($query_msg) && $query_msg != 'Password Found') { #Skip MySQL query first time form is called & after password found
		GetData();
	}

	$query_msg != 'Password Found' # Leave form only when successful
		? ShowForm() # Display the form
		: ShowSuccess($login,$email); # Show Success

~GetData() goes to a MySQL database and sets the global variable $query_msg equal to 'Password Found' if a query on their login name or email matches, and then sends an email to their address with their password.
~ShowForm() sets up an HTML form with either login or email passed (user's submission choice) and sends along $query_msg with it as a hidden input type.
~ShowSuccess() is a general message that displays when the password is found.

The problem is that someone could tinker around to find a valid user name, then keep hitting refresh and send dozens (or more) emails to that user.  GetData() is not skipped because a refresh brings back $query_msg from $_POST (which is the previous value of $query_msg) and not the global variable value of 'Password Found'.

Is there a way to set the variable directly in $_POST so that it will pass back a newer value upon refresh?  Or is there a way to have the program call itself again and pass new POSTed variables?

***I realized setting this form up that there are probably a dozen other ways a malicious user could try to break any form.  Does there exist anywhere a "Safest Form Practices" document?  I'm sure there are other security issues that I'm not aware of that need to be guarded against.

Any help would be greatly appreciated.

Thanks,

Erik
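One way to close the refresh hole described above, as an added example that is not part of the original post or Erik's code: instead of carrying the state in a hidden field that the browser re-POSTs, handle the submission with Post/Redirect/Get (the success page is a GET, so a refresh never re-runs the mail step), protect the POST with a single-use session token, and cap how many messages any one account can receive per hour on the server side. The names find_account(), send_reset_mail(), under_rate_limit() and the file-backed counter are assumptions standing in for GetData()'s database work; the script assumes a modern PHP (random_bytes, hash_equals) rather than the 2003-era interpreter in the post.

```php
<?php
// Added example (not from the original post): Post/Redirect/Get plus a
// one-time form token and a per-account rate limit for a password-reminder form.
declare(strict_types=1);
session_start();

const MAX_MAILS_PER_HOUR = 3;

// Hypothetical stand-in for GetData()'s lookup; a real version would query
// the database with a prepared statement. Constructed sample data only.
function find_account(string $login, string $email): ?array
{
    $users = ['alice' => 'alice@example.invalid'];
    foreach ($users as $name => $addr) {
        if (($login !== '' && $name === $login) || ($email !== '' && $addr === $email)) {
            return ['login' => $name, 'email' => $addr];
        }
    }
    return null;
}

// Hypothetical mailer. It sends a reset link, not the stored password:
// a real version would record the link token with an expiry before mailing it.
function send_reset_mail(string $to): bool
{
    $link = 'https://example.invalid/reset?t=' . bin2hex(random_bytes(16));
    return mail($to, 'Password reset', "Use this link within one hour: $link");
}

// A fresh token is issued on every GET of the form and stored in the session.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// The token is destroyed the first time it is checked, so a browser refresh
// that re-POSTs the old form arrives with a token that no longer exists.
function consume_form_token(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    return $expected !== null && $submitted !== null && hash_equals($expected, $submitted);
}

// Server-side counter keyed by the target account, so starting a new session
// does not reset it. File-backed here to stay self-contained; a deployment
// would keep it in the database next to the account.
function under_rate_limit(string $key, int $max = MAX_MAILS_PER_HOUR): bool
{
    $file = sys_get_temp_dir() . '/pw_mail_limits.json';
    $data = is_file($file) ? (json_decode((string) file_get_contents($file), true) ?: []) : [];
    $now = time();
    $recent = array_values(array_filter($data[$key] ?? [], fn ($t) => $t > $now - 3600));
    if (count($recent) >= $max) {
        return false;
    }
    $recent[] = $now;
    $data[$key] = $recent;
    file_put_contents($file, json_encode($data), LOCK_EX);
    return true;
}

$self = htmlspecialchars($_SERVER['PHP_SELF'] ?? '/', ENT_QUOTES, 'UTF-8');

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (consume_form_token($_POST['token'] ?? null)) {
        $login = trim((string) ($_POST['login'] ?? ''));
        $email = trim((string) ($_POST['email'] ?? ''));
        $account = find_account($login, $email);
        if ($account !== null && under_rate_limit('mail:' . $account['login'])) {
            send_reset_mail($account['email']);
        }
        // Same neutral message whether or not the account exists, so the form
        // cannot be used to confirm which logins are valid.
        $_SESSION['flash'] = 'If that account exists, a message has been sent.';
    }
    // PRG: the page the browser lands on (and refreshes) is a GET.
    header('Location: ' . ($_SERVER['PHP_SELF'] ?? '/'), true, 303);
    exit;
}

// GET branch: show any pending message and render the form with a new token.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
$token = issue_form_token();
?>
<?php if ($flash !== null): ?><p><?= htmlspecialchars($flash, ENT_QUOTES, 'UTF-8') ?></p><?php endif; ?>
<form method="post" action="<?= $self ?>">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <label>Login <input name="login"></label>
  <label>Email <input name="email" type="email"></label>
  <button type="submit">Send reminder</button>
</form>
```

Two design points worth noting. A stale token (the refresh case, or a second tab) simply redirects back to the form without touching the database, which answers the "program calls itself again" question without any hidden-field juggling. And the rate limit is keyed by the account being mailed rather than by the requester, because the harm in the scenario above lands on the account owner's inbox no matter who is hitting refresh. Separately from the refresh issue, a form that mails the stored password implies the password is kept in recoverable form; mailing a short-lived reset link instead removes that exposure, which is why the example does so.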


