how to protect your input hidden html
#1

[eluser]tusukgigi[/eluser]
how do you protect the input type hidden html?
please explain here, please....
thanks gan..
#2

[eluser]Krzemo[/eluser]
protect from what?
#3

[eluser]tusukgigi[/eluser]
like this
views :
<form>
...
<input type="hidden" name="post_id" value="$lists['id']" />
...
</form>

(CSRF ATTACK)

I've heard of using flash session data
how to create it
thanks gan
#4

[eluser]Corbee[/eluser]
You'll need to validate it during the $_POST process and check if it is the input you expected or not.

Try Regex or XSS filtering
#5

[eluser]Corbee[/eluser]
Are you building a forum? I think that attack is more likely used for forums
#6

[eluser]tusukgigi[/eluser]
what if the user saves the page with the form to the local hard drive,
then the user changes the input type hidden html.
with the assumption that the form does not use the captcha image.
more often we hear the name of CSRF attacks
#7

[eluser]Corbee[/eluser]
Correct me if I'm wrong, but I think it is dependent on XSS, so if you do an XSS filtering, you'll most likely be alright.

Check this http://ellislab.com/codeigniter/user-gui...input.html for more info about XSS
#8

[eluser]bl00dshooter[/eluser]
Post_id...Tell me watcha doin', and we can probably find a better way than using hiddens.
#9

[eluser]Corbee[/eluser]
Yes, session will also prevent XSS,

http://ellislab.com/codeigniter/user-gui...sions.html
#10

[eluser]tusukgigi[/eluser]
for example I have this page
nick updates:
<form action="http://www.example.com?action=vuln" method="post">
USERNAME: <input type="text" name="username" value="$lists['username']" />
<input type="hidden" name="post_id" value="$lists['id']" />
<input type="submit" name="submit" value="submit" />
</form>

how to check that this form will not be saved by the user and the user changes the value of this hidden

thanks gan
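
A hidden input is sent back by the browser like any other field, so the server has to check it on submit. One way to detect an edited post_id, as an added example that is not code from this thread or from CodeIgniter: sign the value with a per-session secret when the form is rendered and verify the signature on POST. The function names, the `form_key` session entry and the `post_id_mac` field are hypothetical, and `$session` / `$post` are constructed stand-ins for `$_SESSION` / `$_POST`.

```php
<?php
// Added example: all names below are hypothetical, sample values are constructed.

// Per-session secret, generated server-side and never sent to the browser.
function form_key(array &$session): string {
    if (empty($session['form_key'])) {
        $session['form_key'] = bin2hex(random_bytes(32));
    }
    return $session['form_key'];
}

// MAC over field name + value, so a tag made for one field cannot be reused for another.
function sign_hidden(string $name, string $value, string $key): string {
    return hash_hmac('sha256', $name . "\0" . $value, $key);
}

// Constant-time comparison of the submitted tag with the one the server would produce.
function verify_hidden(string $name, string $value, string $tag, string $key): bool {
    return hash_equals(sign_hidden($name, $value, $key), $tag);
}

// Render the hidden value together with its tag, both HTML-escaped.
function hidden_inputs(string $name, string $value, string $key): string {
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $v = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    $t = sign_hidden($name, $value, $key);
    return "<input type=\"hidden\" name=\"$n\" value=\"$v\" />\n"
         . "<input type=\"hidden\" name=\"{$n}_mac\" value=\"$t\" />\n";
}

// --- Constructed demo ---
$session = [];                       // stands in for $_SESSION
$key = form_key($session);
echo hidden_inputs('post_id', '42', $key);

// Form submitted exactly as the server rendered it.
$post = ['post_id' => '42', 'post_id_mac' => sign_hidden('post_id', '42', $key)];
var_dump(verify_hidden('post_id', $post['post_id'], $post['post_id_mac'], $key));

// Same form after post_id was edited in a locally saved copy of the page.
$post['post_id'] = '43';
var_dump(verify_hidden('post_id', $post['post_id'], $post['post_id_mac'], $key));
```

The tag only shows that the value is the one the server rendered for this session. The POST handler still has to check that the logged-in user is allowed to change that post_id.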



