Re: Form Design Advice - Mailing list pgsql-novice

From Mike Ellsworth
Subject Re: Form Design Advice
Date
Msg-id 4228A32D.5080202@rochester.rr.com
Whole thread Raw
In response to Re: Form Design Advice  (<operationsengineer1@yahoo.com>)
List pgsql-novice
Thanks for all that have contributed to this thread.

It has been very helpful for an 'about to happen' project.

Mike Ellsworth




Bruno Wolff III wrote:
On Fri, Mar 04, 2005 at 11:00:24 -0600, Ross Gohlke <ross@grinz.com> wrote: 
 > I'm not sure I understand. How could a user send incorrect data types     
if   
 > the types are included as hidden fields? Since the variables are     
declared as coming from $_POST, they cannot send anything in the URL.   
Nothing stops anyone from copying the "View Source" of a webpage to a      
local file, modifying it as they wish, and then pointing their web 
browser at the local file and submitting from that.   
In fact I have actually done that a few times. Though usually to get
around javascript limitations rather than mess with hidden fields.
 
OK, fair enough. In fact, the hidden fieldtypes in the form are
unnecessary in addition to being unsafe. But you still have the correct 
fieldtypes in the array you initially derived from your call, so you can 
still prevent any funny business such as mentioned above.   
That is pretty much my suggestion. You want to get the data from the server
side.

A key rule for security in client-server applications is to never trust
anything done by the client. (You can have the client do some calculations
on its end to save needlessly bothering the server. You just can't trust
those calculations when data is passed to the server.)

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
              http://archives.postgresql.org
 

pgsql-novice by date:

Previous
From: Bruno Wolff III
Date:
Subject: Re: Form Design Advice
Next
From: Kunal
Date:
Subject: undefined function: pg_connect()