05-20-2009, 08:19 PM
#1 (permalink)
The Contributor
Join Date: Apr 2008
Location: Nevada, USA
Posts: 52
Thanks: 10
Retaining thread ID when posting reply
I know there are already tons of PHP forums available, but this is just a proof of concept for myself, I suppose. So the problem I have is that when a user goes to post a reply to a thread, I have an invisible input which posts the thread ID to the page I have which enters the reply into the database. The actual problem is that the POST field can be easily manipulated, allowing the user to change what thread he/she was actually replying to. Now, with that being said, I could check right before the data is going to be entered whether the user has permission to post/read/view that thread or category.
There has to be a better way to do this. How can I retain the thread ID that they're replying to?
05-20-2009, 08:28 PM
#2 (permalink)
The Gregarious
Join Date: Feb 2009
Location: New York
Posts: 645
Thanks: 64
You know, I've read something about this with a possible solution, I can't recall right now what it was though. Hopefully someone else can chime in....
I'm sure there's a pretty easy solution....
05-20-2009, 09:55 PM
#3 (permalink)
Wizard
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Always validate ANY sort of input. vB passes the thread number via GET data; it is still safe because you validate it. Validation would consist of you checking in the database whether that user (who should also be authenticated) is indeed the owner of the post.
The rule of thumb is that if it is data from the client side, assume it's hostile.
05-20-2009, 10:07 PM
#4 (permalink)
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,280
Thanks: 90
I suppose the first question that springs to mind is why would anybody want to alter the POST ID of the thread they're replying to?
Of course, if they wanted to post a nonsensical response in a random thread, they'd navigate to that thread and post. So as long as you're checking if they have permission to post in that thread, and the thread is valid, where does the problem arise? And what does the so-called master hacker achieve?
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
05-20-2009, 10:12 PM
#5 (permalink)
The Contributor
Join Date: Apr 2008
Location: Nevada, USA
Posts: 52
Thanks: 10
Of course, rule number one: never trust user input. :)
So maybe something like this:
/reply.php?t=56
And all that 't' GET variable would be is the thread ID.
I guess just keep it simple. Just verify and filter the GET var and go with it. Yeah?
EDIT: After reading Wildhoney's post, is it more advantageous to use GET or the hidden input field like I currently am? Does it even matter?
05-20-2009, 10:36 PM
#6 (permalink)
The Gregarious
Join Date: Feb 2009
Location: New York
Posts: 645
Thanks: 64
Quote:
Originally Posted by h0ly lag
Of course, rule number one: never trust user input. :)
So maybe something like this:
/reply.php?t=56
And all that 't' GET variable would be is the thread ID.
I guess just keep it simple. Just verify and filter the GET var and go with it. Yeah?
EDIT: After reading Wildhoney's post, is it more advantageous to use GET or the hidden input field like I currently am? Does it even matter?
I'm not sure it really matters all that much....
05-20-2009, 10:43 PM
#7 (permalink)
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,280
Thanks: 90
Nor me. Don't trust the content.
So as long as:
- It's an integer;
- It's a valid thread;
- User has permission to post in the valid thread
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
05-20-2009, 11:38 PM
#8 (permalink)
The Contributor
Join Date: Apr 2008
Location: Nevada, USA
Posts: 52
Thanks: 10
Sounds good to me. Oh, and is the is_numeric() function sufficient for this?
05-21-2009, 12:03 AM
#9 (permalink)
Wizard
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Quote:
Originally Posted by h0ly lag
Sounds good to me. Oh, and is the is_numeric() function sufficient for this?
Yes
(10 char requirement).
05-21-2009, 12:04 AM
#10 (permalink)
The Gregarious
Join Date: Feb 2009
Location: New York
Posts: 645
Thanks: 64
Quote:
Originally Posted by h0ly lag
Sounds good to me. Oh, and is the is_numeric() function sufficient for this?
Yeah that should work.
05-21-2009, 12:21 AM
#11 (permalink)
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,280
Thanks: 90
There are also ways to attempt to force an integer. For instance, if somebody put in 24a, you could typecast that value using (int) and it'd become 24.
However, I wouldn't even bother attempting to purify it. If it's anything other than a number, I would assume they've been fiddling and deny the post.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
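Pulling the thread's advice together (Wizard's database check against the authenticated user in #3, Wildhoney's three conditions in #7, and the is_numeric()/(int) discussion in #8 to #11), here is an added example of a reply handler written for this page; it is not code from any poster. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table and column names, the `t` parameter, the forum layout and user 7 are all assumptions. One detail the thread does not spell out: is_numeric() also returns true for floats, exponent notation such as "5.6e1" and strings with leading whitespace, so the example uses ctype_digit() for a strict positive-integer check and, as Wildhoney suggests, refuses "24a" outright instead of casting it to 24. Whether the ID arrives in a hidden POST field or a GET parameter makes no difference to any of this; both are client-controlled.

```php
<?php
// Added example: validating a client-supplied thread ID before storing a reply.
// Not the original poster's code. Table/column names are assumptions; the
// sample rows below are constructed so the script runs offline.
declare(strict_types=1);

/**
 * Strictly parse a thread ID from untrusted input (hidden POST field or GET
 * parameter, it makes no difference). Returns null for anything that is not a
 * plain positive decimal integer: unlike is_numeric(), this rejects "1.5",
 * "5.6e1", " 56" and "24a" instead of accepting or coercing them.
 */
function parseThreadId(string $raw): ?int
{
    if ($raw === '' || !ctype_digit($raw) || $raw[0] === '0') {
        return null;                    // no sign, whitespace, float or leading zero
    }
    if (strlen($raw) > 18) {
        return null;                    // would overflow a 64-bit integer
    }
    return (int) $raw;
}

/**
 * Check that the thread exists, is open, and that $userId may post in its forum.
 * Returns the thread row, or null on any failure. A prepared statement is used
 * even though the ID is already an int, so the query never sees raw input.
 */
function authorizeReply(PDO $db, int $userId, int $threadId): ?array
{
    $stmt = $db->prepare(
        'SELECT t.thread_id, t.forum_id, t.is_closed
           FROM threads t
           JOIN forum_permissions p ON p.forum_id = t.forum_id
          WHERE t.thread_id = :tid AND p.user_id = :uid AND p.can_post = 1'
    );
    $stmt->execute([':tid' => $threadId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['is_closed'] === 1) {
        return null;
    }
    return $row;
}

/** Reply handler: stores the post and returns its id, or throws with a reason. */
function postReply(PDO $db, int $userId, array $request): int
{
    $threadId = parseThreadId((string) ($request['t'] ?? ''));
    if ($threadId === null) {
        throw new RuntimeException('malformed thread ID, refusing the post');
    }
    if (authorizeReply($db, $userId, $threadId) === null) {
        // Same message whether the thread is missing or the user lacks permission,
        // so a tampered ID cannot be used to enumerate hidden threads.
        throw new RuntimeException('no such thread or no permission to post');
    }
    $body = trim((string) ($request['body'] ?? ''));
    if ($body === '') {
        throw new RuntimeException('empty reply');
    }
    $ins = $db->prepare('INSERT INTO posts (thread_id, user_id, body) VALUES (:tid, :uid, :body)');
    $ins->execute([':tid' => $threadId, ':uid' => $userId, ':body' => $body]);
    return (int) $db->lastInsertId();
}

/** Constructed fixture: thread 56 in public forum 1, thread 99 in staff forum 2. */
function buildFixture(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE threads (thread_id INTEGER PRIMARY KEY, forum_id INTEGER, is_closed INTEGER)');
    $db->exec('CREATE TABLE forum_permissions (forum_id INTEGER, user_id INTEGER, can_post INTEGER)');
    $db->exec('CREATE TABLE posts (post_id INTEGER PRIMARY KEY AUTOINCREMENT, thread_id INTEGER, user_id INTEGER, body TEXT)');
    $db->exec('INSERT INTO threads VALUES (56, 1, 0), (99, 2, 0)');
    $db->exec('INSERT INTO forum_permissions VALUES (1, 7, 1)');   // user 7 may post in forum 1 only
    return $db;
}

$db     = buildFixture();
$userId = 7;   // assumed to come from the authenticated session, never from the form

$cases = [
    ['t' => '56',    'body' => 'legit reply'],            // accepted
    ['t' => '99',    'body' => 'tampered hidden input'],  // rejected: no permission in forum 2
    ['t' => '24a',   'body' => 'x'],                      // rejected: (int) would have made this 24
    ['t' => '5.6e1', 'body' => 'x'],                      // rejected, although is_numeric() says true
    ['t' => '1234',  'body' => 'x'],                      // rejected: thread does not exist
];
foreach ($cases as $req) {
    try {
        printf("t=%-6s -> stored as post #%d\n", $req['t'], postReply($db, $userId, $req));
    } catch (RuntimeException $e) {
        printf("t=%-6s -> rejected: %s\n", $req['t'], $e->getMessage());
    }
}
```

The order of the checks matters: the cheap syntactic check runs first so malformed input never reaches the database, and the existence and permission checks are a single query keyed on the authenticated user, so an attacker who edits the hidden field to another thread's ID gains nothing they could not get by navigating to that thread and posting normally.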
05-21-2009, 12:35 AM
#12 (permalink)
The Gregarious
Join Date: Feb 2009
Location: New York
Posts: 645
Thanks: 64
Quote:
Originally Posted by Wildhoney
There are also ways to attempt to force an integer. For instance, if somebody put in 24a, you could typecast that value using (int) and it'd become 24.
However, I wouldn't even bother attempting to purify it. If it's anything other than a number, I would assume they've been fiddling and deny the post.
1) Shouldn't you be sleeping?
2) I thought var_dump and print_r were used for arrays? I guess you can use them for other things too?
05-21-2009, 10:50 AM
#13 (permalink)
The Prestige
Join Date: Dec 2007
Posts: 1,044
Thanks: 193
Quote:
Originally Posted by allworknoplay
1) Shouldn't you be sleeping?
2) I thought var_dump and print_r were used for arrays? I guess you can use them for other things too?
Mhm, I do it all the time with other data types.
__________________
VillageIdiot can have my babbies ;d
05-21-2009, 01:27 PM
#14 (permalink)
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,280
Thanks: 90
Sleeping? Yes, I should!
As for var_dump: nooo, I think that is for all data types. Well, that's what I use it for, anyway. I don't use it for arrays though, nor objects. For arrays I use print_r.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.