  1. #1
    New to the CF scene
    Join Date
    May 2009
    Posts
    3

    Beginner trying to write secure code

    Hello,

    I have recently begun to learn PHP and have written some simple programs to interact with databases and such; I am a beginner to PHP.

    There are many good resources helping me to learn PHP, but one thing that seems fundamental does not seem to be touched on much at all, and it is driving me crazy. I am talking about forms and ways of transferring data to PHP.

    I am familiar with HTML forms and using POST; however, this drives me insane because the name of the file that the HTML form is sending to is sitting out for anyone to see in the form's action attribute.

    How can I get information using HTML or JavaScript and send it to a PHP file without the name of the PHP destination file being out in the open for anyone who wants to 'view source'?

  • #2
    Regular Coder Iszak's Avatar
    Join Date
    Jun 2007
    Location
    Perth, Western Australia
    Posts
    332
    Well, you could write some JavaScript to make an AJAX call to a PHP page with the data collected from the form, but just like the action problem, people could look at the JavaScript and find out what page you're sending it to. I wouldn't worry about people knowing your action page. If you want, you could use mod_rewrite to 'mask' the true page, so instead of form.php it'd be like /page/form, and you could redirect that to a folder such as scripts/form.php so they'll never know. But like I said, I wouldn't worry.

  • #3
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,862
    If your server-side page is secure (able to prevent all sorts of unauthenticated/XSS/injection attacks), then you don't have to worry. In other words, validate all kinds of external data from users (via GET/POST) before using them in your queries/statements or echoing them on your pages.
    Last edited by abduraooft; 05-04-2009 at 08:09 AM.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)
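    The point made in #2 and #3 is that hiding the action URL buys nothing, because the handler has to treat every request as hostile anyway. The script below is an added example, not code from this thread or from any of the posters: it puts a vulnerable lookup next to a parameterized one, adds an allow-list check on the username, and escapes output before echoing it. It assumes a throwaway in-memory SQLite database and a made-up users table so it runs stand-alone; the DSN, table and column names are placeholders for your own.

```php
<?php
// Added example (not from the original thread). Assumes an in-memory SQLite
// database with a made-up users(id, username, email) table so the script runs
// offline; replace the DSN with your real MySQL/PostgreSQL connection.

declare(strict_types=1);

// --- constructed sample data so the script runs without a server ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email)
            VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Constructed request: what an attacker might type into the form fields.
// Knowing the action URL is irrelevant; they can POST these to it directly.
$_POST['username'] = "x' OR '1'='1";
$_POST['comment']  = '<script>alert(1)</script>';

// VULNERABLE: the submitted value is pasted into the SQL text, so the quote
// in the input rewrites the WHERE clause and the query returns every row.
function lookupVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the query text is fixed at prepare time; the value is sent as a
// bound parameter and is never parsed as SQL, so the same input matches nothing.
function lookupSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Input validation: an allow-list of what a username may contain. Anything
// else is rejected before it gets near a query, not "cleaned up".
function validUsername(string $s): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $s);
}

// Output encoding: everything echoed into HTML goes through this first, so the
// constructed comment above is rendered as text instead of executed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$username = $_POST['username'] ?? '';
$comment  = $_POST['comment'] ?? '';

echo 'Vulnerable lookup returned ' . count(lookupVulnerable($pdo, $username)) . " rows\n";
echo 'Safe lookup returned ' . count(lookupSafe($pdo, $username)) . " rows\n";
echo 'Username passes validation: ' . (validUsername($username) ? 'yes' : 'no') . "\n";
echo 'Escaped comment: ' . h($comment) . "\n";
```

    Run it with `php example.php`. The vulnerable function returns both rows for the injected username while the prepared statement returns none; in a real handler the validation check would short-circuit the request before either query runs, and the escaping helper is applied at the point of output, not on the way into the database.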

  • #4
    New to the CF scene
    Join Date
    May 2009
    Posts
    3

    Sounds like I am being a little too paranoid. I am familiar with Linux and not worried about an insecure server. It sounds like I should let it all hang out and just make sure I have a tight lock on input and output to stay safe.

