开发者

PHP security forms _POST

I have a few questions about security using PHP, I dont want to use sessions so I am using POST to authenticate user from page to page, so:-

1) If I have a register form using method='POST' obviously I would need to filter out the data when its been sent to check if its valid and I also need SSL (https) on that page. Now just for register form which is very small ie name, email, password would filter checks and https be enough security just for this stage. I also have a captcha on register form to avoid spam.

2)Is it ok to send data like userid value like(ie 123456) in a hidden POST field so I can determine the user i开发者_开发知识库n database that is sending data, to avoid having to use sessions etc. Possibly send email address as well but nothing like passwords or very sensitive info. I would obviously check if the format is right for user id using regular expression ie if its x number of digits, same thing if posting email address. The reason I would send userid value and email address is so when user posts data in form after say register/login in they can fill out forms and I add a few hidden fields along with form to identify what user by using the email add and user id hidden value posted, they both have to be correct in mysql query otherwise error message, so even if tampered a hacker would have to guess right userid to email add. Also if the pages have ssl would this make be ok.

Hope this makes sense? Thanks


This is by definition insecure, hijacking a session would be as easy as changing the value of the hidden form. If you know the UserId of another user, changing it into that value would make your application think that person is logged in.

I'm not sure what your reasons are to not use sessions, you should definitely reconsider.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜