Have I made form function secure enough
You are not validating the value of $_GET['banner_form_id'], you only check if it exists. Based on the name of the variable I would guess it would represent an integer based id. Even though GET variables are filtered by the config (default value: $config['permitted_uri_chars'] = 'a-z0-9~%.:_\-'

I would suggest some small modification like:

PHP Code: $banner_form_id = intval( $this->input->get('banner_form_id'));

About your CSRF question. Generally there are few reasons why you should not use it, although the impact of a successful CSRF attack depends on what functionality the form has and the role of the current user. For more details I would refer you to: https://www.owasp.org/index.php/Cross-Si...heat_Sheet
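As an added example (not code from the forum post, and not CodeIgniter's own code), the following stand-alone PHP shows the difference between casting the id with intval() and validating it strictly: intval() silently turns "12abc" into 12 and "abc" into 0, so a handler that then does a lookup on that number behaves differently from one that rejects the request outright. The helper name banner_form_id_from() and the sample inputs are constructed for this illustration; the only thing it assumes about the application is that the parameter is a positive integer id, as the post guesses.

```php
<?php
// Added example: strict validation of an integer id taken from the query string,
// compared against a plain intval() cast. Runs without CodeIgniter.
declare(strict_types=1);

/**
 * Return the banner form id as a positive int, or null when the raw value is
 * missing, not a string, or not a plain decimal integer in range.
 * Takes the raw $_GET array (or any array shaped like it).
 */
function banner_form_id_from(array $query, string $key = 'banner_form_id'): ?int
{
    // Missing key, or an array smuggled in via ?banner_form_id[]=1: reject.
    if (!isset($query[$key]) || !is_string($query[$key])) {
        return null;
    }

    // FILTER_VALIDATE_INT returns false (never coerces) for "12abc", "", " 7",
    // "0x1A", negative numbers below min_range, and anything out of range.
    $id = filter_var(
        $query[$key],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX]]
    );

    return $id === false ? null : $id;
}

// Constructed inputs: what intval() yields versus what strict validation does.
$samples = ['42', '12abc', 'abc', '', '-5', '007', '9999999999999999999999'];

printf("%-28s %-24s %s\n", 'raw value', 'intval()', 'banner_form_id_from()');
foreach ($samples as $raw) {
    $strict = banner_form_id_from(['banner_form_id' => $raw]);
    printf(
        "%-28s %-24d %s\n",
        var_export($raw, true),
        intval($raw),
        $strict === null ? 'rejected (null)' : (string) $strict
    );
}

// Rejecting the request on null is the safe default: an id that does not parse
// should never reach a database query, even as 0.
$id = banner_form_id_from(['banner_form_id' => '12abc']);
if ($id === null) {
    echo "banner_form_id is not a valid id; refuse the request instead of using 0\n";
}
```

Inside a CodeIgniter 3 controller the same helper can be fed with `$this->input->get()` (called with no arguments it returns the whole GET array), so the controller can return a 400 or redirect when the result is null rather than proceeding with 0. On the CSRF side, CodeIgniter 3 ships its own protection: setting `$config['csrf_protection'] = TRUE;` in application/config/config.php makes the framework verify a token on every POST, and `form_open()` from the form helper emits the matching hidden field automatically, so forms built with the helper need no extra code.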
Messages In This Thread
Have I made form function secure enough - by wolfgang1983 - 04-02-2016, 08:36 PM
RE: Have I made form function secure enough - by albertleao - 04-02-2016, 10:39 PM
RE: Have I made form function secure enough - by Diederik - 04-02-2016, 10:40 PM
RE: Have I made form function secure enough - by Tpojka - 04-03-2016, 06:30 AM