On Fri, Mar 04, 2005 at 11:00:24 -0600,
Ross Gohlke <ross@grinz.com> wrote:
> > > I'm not sure I understand. How could a user send incorrect data types
> if
> > > the types are included as hidden fields? Since the variables are
> declared as coming from $_POST, they cannot send anything in the URL.
> >
> > Nothing stops anyone from copying the "View Source" of a webpage to a
> local file, modifying it as they wish, and then pointing their web
> browser at the local file and submitting from that.
In fact I have actually done that a few times. Though usually to get
around javascript limitations rather than mess with hidden fields.
> OK, fair enough. In fact, the hidden fieldtypes in the form are
> unnecessary in addition to being unsafe. But you still have the correct
> fieldtypes in the array you initially derived from your call, so you can
> still prevent any funny business such as mentioned above.
That is pretty much my suggestion. You want to get the data from the server
side.
A key rule for security in client-server applications is to never trust
anything done by the client. (You can have the client do some calculations
on its end to save needlessly bothering the server. You just can't trust
those calculations when data is passed to the server.)