Re: Preventing changes on the

Although it is simply adding another layer to your existing Security by Obscurity (and therefore not the entire solution to your problem), you might at least consider accepting only POST-type requests in your script. That is, instead of accessing the script by this hyperlink URL:

http://www.foo.com/cgi-bin/foo.pl?user=foolish&id=2

you use a form with all hidden fields and a button (which may be a bitmap):

<FORM METHOD=POST>
<INPUT TYPE=HIDDEN NAME='user' VALUE='foolish'>
<INPUT TYPE=HIDDEN NAME='id' VALUE='2'>
<!-- use THIS: -->
<INPUT TYPE=SUBMIT VALUE='Button Title'>
<!-- OR THIS: -->
<INPUT TYPE=IMAGE SRC='/images/button_img.jpg' onClick='submit()'>
</FORM>
[download]

Update: This won't prevent users from seeing what parameters your script takes (and their values), but rejecting GET requests will at least make it harder to fake them.

dmm

If you GIVE a man a fish you feed him for a day
But, TEACH him to fish and you feed him for a lifetime

Comment on Re: Preventing changes on the Select or Download Code

Replies are listed 'Best First'.
Re: Re: Preventing changes on the by seattlejohn (Deacon) on Feb 18, 2002 at 22:27 UTC
POSTs are still quite easy to fake. True, you can't simply edit the URL in the browser address bar, but all you have to do is save the HTML page, edit the value of the hidden field, view the resulting page locally, and hit Submit. Further authentication is really a necessity in a scenario like this.	[reply]
Re(3): Preventing changes on the by dmmiller2k (Chaplain) on Feb 19, 2002 at 02:35 UTC
This is true. I did not intend to suggest that this (and this alone) was a solution to the problem, but it makes it that much more difficult to accomplish (weeding out the "casual" spoofers, as it were). I agree that other security measures are also necessary; for instance, also incorporating HTTP_REFERRER checks and using session cookies, etc.	[reply]