Re: How 2 pass a hidden field string in html form to a php script



Tru7nk wrote:
> J.O. Aho:
>
>> You should make it better, resend the user to the form, telling why.
>
> Get your point, but actually I am using that one to prevent someone
> from executing the script remotely.
> This might prevent an empty form being sent to the hard-coded
> recipient of the form.

If you want to prevent the user from executing the script remotely, I think the
best is to use a session, as that is a lot harder to fake than a hidden field,
which will most likely be known by the one who wants to run it remotely, and
the less randomness in your hidden field the easier it will be to make remote
submissions.
Don't think that the session will be a fool-proof protection; you can still
fetch a session, rebuild the form data and submit, and it would still look as
if it was the original form you sent.
You can add an 'HTTP_REFERER' check, but that can be both faked and missing for a
legitimate user who has this feature disabled in the browser.

But you know there are tons of Microsoft users around the world; you never
know what they may do when they try to fill in a form. If the default browser
doesn't mess things up, the user will enter a text string in a field dedicated
to integers, so it's always good to throw the user back and tell them what stupid
thing they did. Taking care of the hack attempts in the same way will be good,
as you then have a good way to test that your protection does work.

--

//Aho
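As an added example (not code from anyone in this thread), here is one way to do what Aho describes in PHP: a random token bound to the session and placed in the hidden field, a constant-time check on submit, the token discarded after one use, and the user bounced back to the form with the reasons when anything is wrong. The field names `token`, `message` and `age` are assumptions for the example.

```php
<?php
// Added example, not from the thread: a random, session-bound form token
// checked on submit, with the user sent back to the form and told why.
session_start();
function form_token(): string {
    // One random token per session; random_bytes() supplies the unguessable
    // part that a static hidden field lacks.
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}
// Field names 'token', 'message' and 'age' are assumptions for the example.
function validate(array $post): array {
    $errors = [];
    $expected = $_SESSION['form_token'] ?? '';
    // hash_equals() compares in constant time; an empty session token never matches.
    if ($expected === '' || !hash_equals($expected, (string)($post['token'] ?? ''))) {
        $errors[] = 'Form token missing or invalid: please submit from the form on this site.';
    }
    if (trim((string)($post['message'] ?? '')) === '') {
        $errors[] = 'The message must not be empty.';
    }
    if (filter_var($post['age'] ?? '', FILTER_VALIDATE_INT) === false) {
        $errors[] = 'Age must be a whole number.';
    }
    return $errors;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate($_POST);
    if ($errors !== []) {
        $_SESSION['form_errors'] = $errors;          // tell the user what went wrong
        header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
        exit;
    }
    unset($_SESSION['form_token']);                  // single use: replays are rejected
    // handle the validated submission here (e.g. mail it to the hard-coded recipient)
    exit('Thanks, your message was sent.');
}
foreach ($_SESSION['form_errors'] ?? [] as $e) {
    echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
}
unset($_SESSION['form_errors']);
?>
<form method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="message"></textarea> <input name="age"> <button>Send</button>
</form>
```

A request without a valid session cookie and matching token is rejected before anything is sent, while a legitimate user who types text into the integer field is shown the reason and the form again, which is also a convenient way to test that the check works.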