  1. #1
    SitePoint Evangelist
    Join Date
    Jun 2005
    Posts
    436

    Is this bad practice?

    I have been using this code for form handling, but I just don't feel 100% comfortable using it (probably because I thought of it). Each of my forms includes a hidden variable named postVal, its value is the form processing function that needs to be executed.

    PHP Code:
    if ($_POST['postVal'] != "") {
        // the posted string is used directly as a function name and called
        $_POST['postVal']();
    }

    (I have taken into account that variables can be posted from elsewhere besides my system)

    e39m5

  2. #2
    Grumpy Minimalist
    Join Date
    Jul 2006
    Location
    Ontario, Canada
    Posts
    424
    It's fine as long as you feel comfortable with any user having full control over launching any function in your script.

  3. #3
    SitePoint Evangelist
    Join Date
    Jun 2005
    Posts
    436
    Again, I took that into account and have prevented any problems. They may get something that looks ugly, but that should be expected by someone who's trying to hack my software. And what is a good method for OO form handling?

    e39m5

  4. #4
    SitePoint Member
    Join Date
    Apr 2007
    Posts
    15
    Why not use switch? It can access any function the user can guess...
    Web Directory - Free - no reciprocal - no email required

  5. #5
    SitePoint Evangelist nsj
    Join Date
    Oct 2005
    Location
    Jamaica (W.I)
    Posts
    447
    Use $_SERVER['HTTP_REFERER'] for additional security, even though it's not completely fool-proof.

    Also, using !isset($_GET['x']) is better than ($_GET['x'] != "").

  6. #6
    SitePoint Wizard REMIYA
    Join Date
    May 2005
    Posts
    1,351
    Quote Originally Posted by e39m5:
    They may get something that looks ugly, but that should be expected by someone who's trying to hack my software.
    It is not a question of ugliness, but of readability. If it looks bad, perhaps it is unreadable, and if it is unreadable, it hinders nobody but perhaps your own code maintenance (after the code is complete and you only vaguely remember any portion of it) and will not stop somebody hacking. Also, a lot of people would like some additional plug-ins (by third-party developers) added, and if the code looks bad, they will not be happy.

    So give your forms readable names. And comment as much as possible.

  7. #7
    SitePoint Wizard kyberfabrikken
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    That's a serious security issue you have there.

  8. #8
    SitePoint Member FizixSimon
    Join Date
    Apr 2007
    Location
    Peterborough, UK
    Posts
    11
    Quote Originally Posted by kyberfabrikken:
    That's a serious security issue you have there.
    Definitely.

    What exactly is the software you're building that made you want to use that method?

  9. #9
    SitePoint Wizard REMIYA
    Join Date
    May 2005
    Posts
    1,351
    Quote Originally Posted by kyberfabrikken:
    That's a serious security issue you have there.
    Yes. Whether it will be a security issue depends on the overall code. But it looks like there will be one at some point due to negligence, being in a hurry, etc.

  10. #10
    SitePoint Evangelist
    Join Date
    Jun 2005
    Posts
    436
    To protect any core functions from being executed I used:
    PHP Code:
    if ($_POST['postVal'] != "functionName") {
        // dispatch the posted function name as in post #1
        $_POST['postVal']();
    }

    I think it's debatable which is "better" - this method or switch, but I think both do the same thing.

    e39m5
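The three dispatch styles discussed in this thread, side by side, as an added example (not code posted by e39m5 or any other participant). It puts the `$_POST['postVal']()` call from post #1, the single-name exclusion from post #10, and the fixed-case lookup suggested in post #4 through the same simulated requests. The handler names (`saveContact`, `subscribeNewsletter`, `resetDatabase`) and the request arrays are constructed for illustration; the `$_POST` data is passed in as a parameter so the script runs from the command line without a web server.

```php
<?php
// Added example, not from the thread. Handler names and requests are constructed.

// Two handlers that forms are meant to reach.
function saveContact(array $data): string
{
    return 'contact saved for ' . ($data['email'] ?? '(no email)');
}

function subscribeNewsletter(array $data): string
{
    return 'subscribed ' . ($data['email'] ?? '(no email)');
}

// A "core" function that no form should ever be able to invoke.
function resetDatabase(): string
{
    return 'DATABASE RESET';
}

// Post #1: whatever string the client sends is called as a function.
function dispatchDynamic(array $post): string
{
    if (($post['postVal'] ?? '') != '') {
        $fn = $post['postVal'];
        // Without this guard an unknown name is a fatal "Call to undefined function".
        if (function_exists($fn)) {
            return $fn($post);
        }
    }
    return 'nothing dispatched';
}

// Post #10: exclude one name, call everything else.
function dispatchDenylist(array $post): string
{
    $fn = $post['postVal'] ?? '';
    if ($fn != 'resetDatabase' && $fn != '' && function_exists($fn)) {
        return $fn($post);
    }
    return 'blocked';
}

// Post #4: a fixed set of cases; the posted value is only ever compared,
// never used as a function name. A switch with one case per form is equivalent.
const FORM_HANDLERS = [
    'contact'    => 'saveContact',
    'newsletter' => 'subscribeNewsletter',
];

function dispatchAllowlist(array $post): string
{
    $key = $post['postVal'] ?? '';
    if (!isset(FORM_HANDLERS[$key])) {
        // Reject and log; nothing derived from the request is executed.
        return 'unknown form rejected';
    }
    $fn = FORM_HANDLERS[$key];
    return $fn($post);
}

// Simulated requests (constructed): one legitimate contact form, one forged
// POST naming a core function, one forged POST naming a handler added later.
$requests = [
    ['postVal' => 'saveContact',   'email' => 'user@example.com'],
    ['postVal' => 'resetDatabase'],
    ['postVal' => 'subscribeNewsletter', 'email' => 'user@example.com'],
    ['postVal' => 'contact',       'email' => 'user@example.com'],
];

foreach ($requests as $req) {
    printf("postVal=%-20s dynamic: %-32s denylist: %-32s allowlist: %s\n",
        $req['postVal'],
        dispatchDynamic($req),
        dispatchDenylist($req),
        dispatchAllowlist($req)
    );
}
```

Run it with `php dispatch.php`. The dynamic dispatcher executes `resetDatabase` on the second request; the denylist blocks that one name but still calls `subscribeNewsletter` on the third request even though that form was never meant to be submitted from this page, and it must be updated every time a new core function is added. The allowlist calls a handler only for the two keys it knows and rejects every other value, which is the property post #4 is asking for and why the two approaches in post #10 do not "do the same thing".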

