POST security with processing script

I have a page that allows you to submit an article which is then placed into a database, to get to the submit page you have to be logged in (it checks session), but the processing script itself for storing into the database does not check if they are logged in, it only takes POST data from the submit page. Is this process secure? Is it 开发者_如何学运维possible for someone to force post information into processing.php and even if they are not logged in and not using the submit.php page (the processing script doesn't check) and store information into the database via the processing script?

This is absolutely not secure. It is trivial to POST whatever data you want to wherever you want.

There are many tools for doing this. My favorite is Fiddler. One could also just make a page that posts data.

Bots post data all the time, looking for open mail relays.

This is not secure.

No, it's not secure. For instance, someone could fuzz your site, or guess and possible be correct without a lot of effort. Check the session on the processor.php page as well as any other page you intend to require a login for, and ALWAYS perform security measures on anything you insert into a database.

http://php.net/manual/en/function.mysql-real-escape-string.php

I would suggest using PHP Data Objects and doing prepared statements.

http://php.net/manual/en/book.pdo.php

http://www.php.net/manual/en/pdo.prepared-statements.php

That is possible as long as you don't check if they are logged in initially.

Your best bet is just to try yourself. I would suggest using Fiddler to send a post request via your processing.php link.