I've got three main questions:

1) Can $_POST be sent from domains other than the one the site is hosted on? I'm guessing "YES" so I'll need to make sure the person posting is a valid user by getting them to send a username and pwrd with the post? Because otherwise my PHP reads:

$title=$_POST['title'];
$cat=$_POST['cat'];
$content=$_POST['content'];

Which is sent from a form only accessible by admin but if anyone could create a similar form which posts to the correct url they could bypass this correct?

So something like this would be needed?

$user=$_POST['user'];
$pwrd=$_POST['pwrd'];
$title=$_POST['title'];
$cat=$_POST['cat'];
$content=$_POST['content'];
//Pseudo
if user == dbuser and pwrd==dbpwrd
THEN
Continue

2) My logging in system is gonna be using md5 hashed cookies.

Basically, there's a mysql table of users and passwords(md5) and the user logs in, this is checked against the table, if they exist, logs them in and creates a cookie containing the user/pwrd(md5). This cookie is then used to check if they're logged in when navigating the site. The cookie expires after a set time.

Anything majorly wrong there? Obviously nothing is 100% secure.

3) I'm correct in thinking that variables not associated with GET or POST cannot be changed externally in any way?

-------

I've made sure to filter all foreign data etc. to make sure people can't enter crazy javascript or anything.

Anything else I need to consider? Any pointers are very welcome.

Thanks

[edited by: coopster at 12:23 am (utc) on Oct. 17, 2005]
[edit reason] removed url per TOS [webmasterworld.com] [/edit]