perl-asp mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thanos Chatziathanassiou <tcha...@arx.net>
Subject Re: Form Problem.
Date Fri, 18 Jul 2003 15:10:36 GMT
You can try (by personal order of preference):
a) setting something completely random in the $Session object in the 
form's page and checking for its existence in the verify.asp. If it 
isn't there, reject the data.
b) check the HTTP_REFERER and reject if it's not the one You're 
expecting (the page the form is in)
c) using POST instead of GET, so as not to worry about the amount of 
user input (and making it a little more complicated to ``fabricate'' a 
request by hand).
d) obfuscating the form input, so as not to make it so obvious.
e) accepting form input only from trusted sources (ie registered and/or 
authenticated users).
f) IP address restriction (kinda like defeats the purpose of the web, 
don't it ?)
g) any combination of the above.

A sufficiently motivated ``bad guy'' will most definately find ways to 
overcome all the above methods, especially if it's worth the trouble. YMMV.
That's all I can think of right now. I'm sure others will contribute 
their favourite methods too. Maybe we can compile an exhaustive list of 
those (should we?).

Regards,
Thanos Chatziathanassiou


pkunal wrote:

>All,
>
>The situation is this.
>
>On my web page "products.asp" I am displaying all the products from 
>my database and allow the user to select the quantity he wants to 
>buy.
>
>So to make it short:
>"$itemCode" comes after a query to the database for each item in 
>database. The form looks like this:
>
><form action="/asp/verify.asp">
><select name="Qty_<%=$itemCode%>">
><option selected>0</option>
><option>1</option>
><option>2</option>
><option>3</option>
></select>
><input type="submit" name="SUBMIT">
></form>
>
>So the quantity is passed to "verify.asp" through the querystring 
>and looks like this:
>http://....../verify.asp?Qty_1=1&Qty_2=3....
>
>The query string gets long depending on the number of products I 
>have. Then I again retrieve the "itemcode" and its 
>selected "quantity" on the "verify.asp" page using "$Request-
>  
>
>>QueryString()" object.
>>    
>>
>
>I am not happy with this solution. As it makes the website 
>vulnerable as a user can input anything in the 
>querystring "http://....../verify.asp?Qty_1=1&Qty_2=3....".
>
>Please suggest a good way to do this.
>
>Thanks,
>Kunal Parekh.
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
>For additional commands, e-mail: asp-help@perl.apache.org
>  
>



---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org


Mime
View raw message