[PHP]Security

  1. #1 Hidden (Sorcerer Supreme; Member +; joined Apr 2008; 367 posts)

    So I was wondering what type of method I should use so that no one could make a form on their website that could access my scripts.
    Right now I use $_REQUEST for everything, and $_GET if it's something like
    index.php?action=1
    So I was wondering what I should use for forms and what I should use for anything else?
    Thanks


  2. #2 Pieman (Fuck you, I'm a dragon; Grand Master; joined Apr 2005; The Netherlands; 7,412 posts)

    Always use POST whenever possible.

  3. #3 andrew951 (Elite Member; Member +; joined Dec 2006; 207 posts)

    Yeah. With GET, people can hack it and stuff, but with POST it is sent like sessions.

  4. #4 Hidden (Sorcerer Supreme; Member +; joined Apr 2008; 367 posts)

    Makes perfect sense, but when should I ever use GET? Or REQUEST? Or should I always use POST?

  5. #5 Pieman (Fuck you, I'm a dragon; Grand Master; joined Apr 2005; The Netherlands; 7,412 posts)

    I only use GET for search functions.

  6. #6 andrew951 (Elite Member; Member +; joined Dec 2006; 207 posts)

    I use GET for password recovery activations, or to just use index.php.
    Simple stuff like that. Otherwise, I would use POST or sessions. Even if PHP is server-sided, it can still get hacked,
    so we as coders must try to stop it. Haha.

  7. #7 King Izu (Grand Master; joined Dec 2006; 833 posts)

    Post data can be just as easily changed as data in a query string. It's in no way more 'secure' than putting data in a query string. $_REQUEST contains the same data as $_GET and $_POST, so it doesn't matter if you use $_REQUEST instead of $_GET and vice versa.

    If I'm not writing a small application (like less than 4 source files), I don't bother with $_GET (or $_REQUEST) at all.

    As for ensuring that only forms from your site are used to access your script: check out HTTP_REFERER, although it's REALLY not that reliable. It's all up to the user's client. You really shouldn't worry about other sites having forms directed at your scripts, since there's not much vulnerability there.

  8. #8 fook3d (Member; joined Sep 2007; Leicester, UK; 65 posts)

    Quote Originally Posted by andrew951:
        Yeah. With GET, people can hack it and stuff, but with POST it is sent like sessions.

    Hack? No!

    Well, that's not entirely true; you can only exploit an application if you fail to secure user input, which you should always assume to be unsafe.

    If you don't secure it, you're the one letting it be abused.

    I always use the following to check data before inserting it into the database or allowing the data to be output to the browser:

    eregi();
    htmlspecialchars();
    mysql_real_escape_string();
    stripslashes();
    strip_tags();

    And a few others I can't think of right now.

  9. #9 Daevius (Grand Master; joined Jun 2007; Netherlands; 3,252 posts)

    Instead of eregi, it's faster to use preg_match ;)

  10. #10 admLoki (Sorcerer Supreme; Member +; joined Apr 2005; www.codenetwork.ru; 345 posts)

    Use regular expressions.
    E.g.:
    PHP Code:
        // Strip every character that is not a digit, leaving only the numeric id.
        $id = preg_replace("/[^0-9]/", "", $_GET['id']);
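    An added example that is not code from any of the posters above; it ties together #7 (GET, POST and REQUEST are equally client-controlled, HTTP_REFERER is unreliable), #8 (validate input, escape output) and #10 (regular expressions). It assumes a hypothetical integer `id` parameter and an `expectedHost` of your own site; the sample requests are constructed, not real traffic.

    ```php
    <?php
    // Added example, not from the thread. The source array makes no difference:
    // $_GET, $_POST and $_REQUEST are all client-controlled, so the same whitelist
    // check is applied to whichever one is read.
    declare(strict_types=1);

    // Returns a validated integer id, or null if the value is missing or malformed.
    // Unlike preg_replace("/[^0-9]/", "", ...), which silently turns "12abc" into 12,
    // a failed preg_match rejects the request outright instead of guessing.
    function validated_id(array $input): ?int
    {
        if (!isset($input['id']) || !is_string($input['id'])) {
            return null;
        }
        if (!preg_match('/^[1-9][0-9]{0,9}$/', $input['id'])) {
            return null;
        }
        return (int) $input['id'];
    }

    // HTTP_REFERER is sent (or withheld) at the client's discretion, so this is a
    // hint for logging only, never an access control (point made in post #7).
    function referer_matches(array $server, string $expectedHost): bool
    {
        $referer = $server['HTTP_REFERER'] ?? '';
        $host = parse_url($referer, PHP_URL_HOST);
        return is_string($host) && strcasecmp($host, $expectedHost) === 0;
    }

    // Constructed sample requests standing in for $_GET / $_POST / $_REQUEST.
    $samples = [
        ['id' => '42'],       // valid
        ['id' => '12abc'],    // rejected; preg_replace would have accepted 12
        ['id' => '1 OR 1=1'], // rejected
        [],                   // missing
    ];
    foreach ($samples as $req) {
        $id = validated_id($req);
        // Anything echoed back is escaped with htmlspecialchars first (post #8).
        $shown = htmlspecialchars(var_export($req['id'] ?? null, true), ENT_QUOTES, 'UTF-8');
        echo $shown, ' => ', $id === null ? 'rejected' : "id $id", PHP_EOL;
    }
    // Constructed server array: a referer from another host is merely logged.
    $server = ['HTTP_REFERER' => 'http://other.example/form.html'];
    echo 'referer ok: ', referer_matches($server, 'www.example.com') ? 'yes' : 'no', PHP_EOL;
    ```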

  11. #11 john_d (Grand Master; joined Feb 2004; Philippines; 2,868 posts)

    Doesn't matter what you use.

    $_GET gives you a lot of stuff POST will never give. $_GET makes navigation better, since when you refresh it, it will not give you that annoying popup requiring you to send the data again.

  12. #12 Daevius (Grand Master; joined Jun 2007; Netherlands; 3,252 posts)

    Quote Originally Posted by john_d:
        it will not give you that annoying popup requiring you to send the data again.
    Urm, disable the window? It never appeared for me... ever.

    FYI, GET and POST are the same, except in the way they are sent. GET goes via the request URL while POST has some more transparent way of reaching the server. There's no better or worse.
