About your question about the hidden variables: They can be changed. If a user goes into their cache in IE they can actually change the page and go "back" to it. Then they can submit it with any info they want. A very good replacement for this is to use session variables. This stores the information on the server (away from the user) for the scripts.

If you don't want to do this I suggest when someone logs on to the website have it generate a key and use that in the hidden feild. Log this key into the DB then use that for authentication. Also add a Timestamp into the DB to allow for login timeouts.

--BigJoe

Learn patience, you must.
Young PerlMonk, craves Not these things.
Use the source Luke.

In reply to Re: CGI Security by BigJoe
in thread CGI Security by ant

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.