Changing POST data?

I've been reading up on PHP lately and Validation of user input is a common topic for obvious reasons. I'm not really into the hacking scene, or doing anything malicious but out of curiosity I don't understand how a malicious user would be able to change POST information. To clarify, here's an excerpt out of the book I'm reading:

If a user can enter his or her state free form, then you have exposed yourself to getting states like

  • New Yrok (Typo)
  • Lalala (intentionally obscured)

A common tactic used to address this is to use drop down option boxes to provide users a choice of state. This only solves half the problem, though: You've prevented people from accidentally entering an incorrect state, but it offers no protection from someone maliciously altering their POST data to pass in a non-existent option. - "Advanced PHP Programming by George Schlossnagle"

How would one even go about doing this? I understand why to prevent it, but it seems backwards in my logic to prevent something that I don't fully understand.

Thanks

Answers


You cannot assume that processtheform.php will only get posted data from yourform.html. If they create their own HTML form on their own system (or anywhere else), they could use that to post to your processtheform.php code.

If processtheform.php took, say, a username (email address) which was hidden in the form and used it for sending that person an email, then a hacker could potentially change that information and have your program send people spam.

Basically, you cannot depend on the front-end script on yourform.html to make certain the data is clean and sent as it should be. processtheform.php needs to check and clean the data even if your front-end code already does it.

The only advantage of front-end cleaning is that it keeps the user on the same page and allows him to enter correct data before submitting; if that is not done on the front end, the user may need to re-enter all his info.
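A worked example of the server-side check the answer describes, added here as illustration (this is not code from the book or from the answerer). It assumes a form field named `state`, an `$ALLOWED_STATES` list kept on the server, and that the logged-in user's email address is stored in `$_SESSION['user_email']`; all three are assumptions for the example. The point is that processtheform.php re-checks the dropdown value against its own list and takes the email address from the session rather than from a hidden field, so whatever a custom form posts, only expected values get through:

```php
<?php
// Added example, not from the book or the answer: the server-side half of
// processtheform.php. Field names, $ALLOWED_STATES and the session key are
// assumptions made for this example.

session_start();

// The server's own copy of the dropdown options. The <option> list in
// yourform.html is only a convenience for the user; this list decides.
$ALLOWED_STATES = ['NY' => 'New York', 'CA' => 'California', 'TX' => 'Texas'];

// Returns the validated state code, or null when the submitted value is
// missing, is not a string (e.g. state[]=x was posted), or is not an option
// the form was meant to offer ("Lalala", "New Yrok", an empty string, ...).
function validate_state(array $post, array $allowed): ?string
{
    if (!isset($post['state']) || !is_string($post['state'])) {
        return null;
    }
    $state = $post['state'];
    if (!array_key_exists($state, $allowed)) {
        return null;
    }
    return $state;
}

// Weak version, shown for contrast only: it trusts that the browser sent
// one of the dropdown values, so anything posted passes straight through.
function weak_state(array $post): string
{
    return (string) ($post['state'] ?? '');
}

// The recipient address comes from the server-side session, never from a
// hidden form field, so a tampered POST cannot redirect the email.
function recipient_from_session(): ?string
{
    $email = $_SESSION['user_email'] ?? null;
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

$state = validate_state($_POST, $ALLOWED_STATES);
if ($state === null) {
    // Reject, and log a truncated copy of the odd value so unexpected
    // submissions are visible in the server log rather than silently stored.
    http_response_code(400);
    $raw = is_string($_POST['state'] ?? null) ? $_POST['state'] : '(non-string)';
    error_log('processtheform.php: rejected state value: ' . substr($raw, 0, 40));
    exit('Please choose a state from the list.');
}

$to = recipient_from_session();
if ($to === null) {
    http_response_code(403);
    exit('Please log in before submitting the form.');
}

// Only validated values reach this point; escape on output as usual.
echo 'State accepted: ' . htmlspecialchars($ALLOWED_STATES[$state], ENT_QUOTES, 'UTF-8')
    . ' (confirmation will go to ' . htmlspecialchars($to, ENT_QUOTES, 'UTF-8') . ')';
```

Run it behind any form (or a hand-built one) that posts `state=NY` versus `state=Lalala`: the first is accepted, the second gets a 400 and a log line, regardless of what the HTML on the client side offered. The `weak_state()` function is left in only to make the contrast visible; nothing calls it.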

