Love learning from you guys!
Just frustrated because I can never get v2.0 done, because either I or someone else finds some fault in something I've done.
When does it end?!
I thought this would be a super quick thread. ("Looks good, Debbie")
I see this topic draining yet another week out of my life...
Back on topic...
Some things you should know...
Every PHP script I have follows this format: PHP at top, HTML below
All of my Forms are submitted back to themselves.
I sanitize all Form Data using PHP before processing
I think I use pretty rigorous Data Validation often checking Form Data against my Database
I only use Prepared Statements
All Forms will be loaded and submitted over HTTPS
I will likely make 100% of my website HTTPS
<form id="createAccount" action="" method="post">
If anyone sees this as insecure, please explain why!
And, better, offer a more secure alternative.
Based on my research, what I have above is fine.
As far as $_SERVER['PHP_SELF'], you are correct that it is not inherently bad.
But, of course, it would just echo whatever was sent, so if someone appended nefarious strings to the end of the Form, then I believe that would be carried over back to my self-submitted Form.
As far as the links, I am slightly familiar with their existence, but am wondering if that isn't all tangential based on what I have described above?
I have wanted to incorporate the Form Token thingy, but that is just more work that adds to my never ending SCOPE CREEP...
And at some point I either have to decide to stay in "Perpetual Development Mode" or "Get On with It!!" and go live.
(It's a fine balance, but I feel I have already done soooo many good, security-based things that I have to question if I need more for v2.0?!) :-/
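As an added example (not the original poster's code, and not an endorsement of any particular framework), here is a self-submitting PHP form in the same "PHP at top, HTML below" layout that adds the form token mentioned above. It assumes PHP 7.0 or later (for random_bytes and hash_equals), a session-backed token, and a hypothetical single "username" field; the database INSERT is assumed and not shown. It keeps action="" so $_SERVER['PHP_SELF'] never reaches the markup unescaped, and the comment shows the escaped alternative if PHP_SELF is used anyway.

```php
<?php
// Added example: self-submitting form with a per-session CSRF token.
// Assumes PHP >= 7.0; the username field and the INSERT are hypothetical.
declare(strict_types=1);

session_start();

// Issue one token per session. It is rotated after a successful submission.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Constant-time comparison of the submitted token against the session copy.
function csrf_token_valid(?string $submitted, ?string $expected): bool
{
    if ($submitted === null || $expected === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

$errors   = [];
$username = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. Reject the request outright if the token is missing or wrong.
    if (!csrf_token_valid($_POST['csrf_token'] ?? null, $_SESSION['csrf_token'] ?? null)) {
        $errors[] = 'Invalid or missing form token; please reload the page and try again.';
    }

    // 2. Validate (not just sanitize) the field against an explicit rule.
    $username = trim((string) ($_POST['username'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'Username must be 3 to 32 characters: letters, digits, underscore.';
    }

    if (!$errors) {
        // Prepared-statement INSERT would go here (assumed, not shown).

        // 3. Rotate the token so the same form cannot be replayed, then
        //    redirect (POST/redirect/GET) so a refresh does not resubmit.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
}

// Helper so every dynamic value in the HTML below is escaped the same way.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Create account</title></head>
<body>
<?php foreach ($errors as $err): ?>
    <p class="error"><?= e($err) ?></p>
<?php endforeach; ?>

<!-- action="" posts back to the current URL with nothing reflected from the
     request. If PHP_SELF is used instead, escape it, e.g.
     action="<?= e($_SERVER['PHP_SELF']) ?>", because a crafted path such as
     /page.php/"><script>... would otherwise land in the attribute unescaped. -->
<form id="createAccount" action="" method="post">
    <input type="hidden" name="csrf_token" value="<?= e($_SESSION['csrf_token']) ?>">
    <label>Username
        <input type="text" name="username" value="<?= e($username) ?>" required>
    </label>
    <button type="submit">Create account</button>
</form>
</body>
</html>
```

The token is the one thing on the poster's list that prepared statements, HTTPS and input validation do not cover: without it, any page the logged-in user visits can auto-submit this form on their behalf. Checking $_SERVER['REQUEST_METHOD'] and redirecting after success are cheap additions that fit the existing self-submit layout without restructuring the site.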