However, some of the users have reported that they are able to define their own arguments.
I'm just not sure exactly what they're doing, so I can't fix it.
My question to you guys:
What are they doing, exactly? Here are the details:
Page 1 contains three input forms, for:
'username'
'character'
'map'
'username' and 'character' are text input forms.
'map' is a drop-down list with the following values:
'100000000' (Option A)
'200000000' (Option B)
'220000000' (Option C)
'211000000' (Option D)
'103000000' (Option E)
Then there's a submit button.
This page is on '/submitdata.php'
When you click the submit button, it takes you to '/submitdata2.php' and accesses the selected value from '/submitdata.php'
SO, IN A NUTSHELL:
What is the URL to use to define your own Option X value?
Currently I've been trying:
'http://www.mydomain.com/submitdata2.php?username=a&character=b&map=c'
But that doesn't work, because those three arguments are defined on '/submitdata.php'
So what URL do I use if I want to enter a custom 'map' value that isn't on the drop down list?
Sorry if this is confusing, I'm not sure how to explain it.
Also what checking are you doing of user input? Are you checking for an alphabetic answer from a-e?
If you want to see the URLs they have been using then have a look at your server logs. As you are using GET it will all be there for you to look at.
Also why use GET for that type of request? Do you want users to be able to bookmark that page and return to it? If not use POST as that is a bit harder for them to just make up their own answers.
Since I can't explain it too well either, here are the pages:
<snip>
First one you enter the information. Each item on the drop down list has a built in map value.
Then you hit submit and it runs teleportproccess.php with arguments you entered on teleport.php
'http://www.mydomain.com/submitdata2.php?username=a&character=b&map=u' doesn't work either.
[edited by: eelixduppy at 1:57 pm (utc) on June 10, 2008]
[edit reason] no personal URLs, please [/edit]
Just because they can define their own values doesn't mean that they are doing it through the URL queries. They can reconstruct your form, change the values, then submit it and it should do the same as long as you aren't checking for that. If your programmer wrote the script using $_POST instead of $_REQUEST then that's definitely what it is. If the latter, however, I would suggest that they be rewritten with $_POST.
As far as changing the values, if the values cannot be changed, then it should be programmed to not allow any other values than what are in the drop-down box. You must check the data that is submitted through a form for correctness before preprocessing it; this is a significant step in security.
As in your example you are looking for a-e as the map then you could use something like:
// preg_match() needs pattern delimiters; the D modifier stops "$" from accepting a trailing newline.
if (isset($_POST['map']) && is_string($_POST['map']) && preg_match('/^[A-E]$/D', $_POST['map'])) {
    // this is ok
}
else {
    die('Go back and do it again...properly.');
}
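# (/|$) after the host keeps look-alike hosts such as www.example.com.other.test from matching
if (isset($_SERVER['HTTP_REFERER']) && preg_match('#^http://www\.example\.com(/|$)#i', $_SERVER['HTTP_REFERER'])) {
    # this is from your site
}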
Or something along those lines...
# Note: The referrer variable cannot always be trusted, so don't. While this solution will help get rid of people sending data from other places, it isn't 100% foolproof and has its flaws.
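
The allowlist check the replies describe, as an added example that is not part of the original thread: it accepts only the five drop-down values listed in the first post and rejects anything else, however the request was built. The function name `validated_map` and the sample requests are constructed for illustration.

```php
<?php
// Added example (not from the thread). The five ids are the drop-down values
// from the first post; everything else here is hypothetical.
const ALLOWED_MAPS = ['100000000', '200000000', '220000000', '211000000', '103000000'];

/**
 * Return the submitted map id if it is exactly one of the drop-down values,
 * otherwise null. $input is the request array ($_POST in the real script).
 */
function validated_map(array $input): ?string
{
    $map = $input['map'] ?? null;
    // A missing field or an array (map[]=...) is rejected before any comparison.
    if (!is_string($map)) {
        return null;
    }
    // Strict in_array(): no type juggling, so '1e8' or ' 100000000' never match.
    return in_array($map, ALLOWED_MAPS, true) ? $map : null;
}

// In the receiving script the check would sit at the very top, for example:
//   if ($_SERVER['REQUEST_METHOD'] !== 'POST' || validated_map($_POST) === null) {
//       http_response_code(400);
//       exit('Invalid map selection.');
//   }

// Constructed sample requests: one genuine selection and four altered ones.
$samples = [
    ['username' => 'a', 'character' => 'b', 'map' => '220000000'],
    ['username' => 'a', 'character' => 'b', 'map' => '999999999'],
    ['username' => 'a', 'character' => 'b', 'map' => "100000000\n"],
    ['username' => 'a', 'character' => 'b', 'map' => ['100000000']],
    ['username' => 'a', 'character' => 'b'],
];

foreach ($samples as $request) {
    $map = validated_map($request);
    $shown = json_encode($request['map'] ?? null);
    if ($map === null) {
        // Rejections are worth recording: they show who is editing the form.
        printf("REJECT map=%s\n", $shown);
    } else {
        printf("ACCEPT map=%s\n", $shown);
    }
}
```

Only the first sample is accepted. The same function works unchanged whether the form is submitted by GET or POST, because the decision rests on the value and not on how it arrived.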