[nycphp-talk] Forms & Refresh Question & General Form Security
Mark Armendariz
nyphp at enobrev.com
Wed May 14 11:43:51 EDT 2003
What if you set up your form processor to redirect to either the form or
success? The browser would never actually see the form processor
script, and therefore a refresh wouldn't do anything.
As far as limiting password emails, could you possibly put a pass_sent
(datetime) field in the user's table and only send if the pass_sent is a
half hour old or older?
Mark
-----Original Message-----
From: Erik Baker [mailto:gypsyfella at earthlink.net]
Sent: Wednesday, May 14, 2003 11:30 AM
To: NYPHP Talk
Subject: [nycphp-talk] Forms & Refresh Question & General Form Security
Hey All,
I wanted to start by saying how useful I find these mailing lists.
Although this is the first time that I'm submitting a question, I have
found following the threads from other people's questions very valuable
as I move into becoming an intermediate PHPer.
That said, I have a question regarding forms and protecting them against
browser refreshes. I have written a PHP program that emails a user's
password to their registered email address upon request. The main
program looks like this:
<?php
// HARVEST VARIABLES
$query_msg = $_POST['query_msg'];
$login     = $_POST['login'];
$email     = $_POST['email'];

// MAIN
if (!empty($query_msg) && $query_msg != 'Password Found') {
    # Skip MySQL query first time form is called & after password found
    GetData();
}

$query_msg != 'Password Found'    # Leave form only when successful
    ? ShowForm()                  # Display the form
    : ShowSuccess($login, $email); # Show Success
~GetData() goes to a MySQL database and sets the global variable
$query_msg equal to 'Password Found' if a query on their login name or
email matches, and then sends an email to their address with their
password.
~ShowForm() sets up an HTML form with either login or email passed
(user's submission choice) and sends along $query_msg with it as a
hidden input type.
~ShowSuccess() is a general message that displays when the password is
found.
The problem is that someone could tinker around to find a valid user
name, then keep hitting refresh and send dozens (or more) emails to that
user. GetData() is not skipped because a refresh brings back $query_msg
from $_POST (which is the previous value of $query_msg) and not the
global variable value of 'Password Found'.
Is there a way to set the variable directly in $_POST so that it will
pass back a newer value upon refresh? Or is there a way to have the
program call itself again and pass new POSTed variables?
***I realized setting this form up that there are probably a dozen other
ways a malicious user could try to break any form. Does there exist
anywhere a "Safest Form Practices" document? I'm sure there are other
security issues that I'm not aware of that need to be guarded against.
Any help would be greatly appreciated.
Thanks,
Erik
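The two suggestions in Mark's reply applied to the processor Erik describes, as an added example that is not code from either poster: the script only ever handles the POST, records when a reminder was last sent, and then redirects (Post/Redirect/Get), so the page the browser ends up on is a plain GET and a refresh re-sends nothing. The table and column names (`users`, `id`, `login`, `email`, `pass_sent`), the DSN, and the landing pages `form.php` and `success.php` are assumptions.

```php
<?php
// Added example for the nycphp-talk thread; not from the original posts.
// Assumed schema: users(id, login, email, pass_sent DATETIME NULL).
declare(strict_types=1);

function getPdo(): PDO {
    // Assumed DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Post/Redirect/Get: send the browser elsewhere and stop, so the processor
// script itself is never the page a refresh would re-request.
function redirectTo(string $path): void {
    header('Location: ' . $path, true, 303);
    exit;
}

// Mark's rate limit: send only if pass_sent is NULL or at least 30 minutes old.
// Returns true when a reminder was actually sent.
function sendReminderIfAllowed(PDO $pdo, string $login, string $email): bool {
    $stmt = $pdo->prepare(
        'SELECT id, email FROM users WHERE login = :login OR email = :email LIMIT 1'
    );
    $stmt->execute([':login' => $login, ':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;  // no matching login or email
    }

    // Stamp pass_sent in the same statement that checks its age, so two
    // near-simultaneous submissions cannot both pass the half-hour test.
    $upd = $pdo->prepare(
        'UPDATE users SET pass_sent = NOW()
          WHERE id = :id
            AND (pass_sent IS NULL OR pass_sent <= NOW() - INTERVAL 30 MINUTE)'
    );
    $upd->execute([':id' => $user['id']]);
    if ($upd->rowCount() !== 1) {
        return false;  // a reminder went out less than half an hour ago
    }

    // Mail body is application-specific; only the send itself is modelled here.
    return mail(
        $user['email'],
        'Password reminder',
        'A password reminder was requested for your account.'
    );
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $login = trim((string)($_POST['login'] ?? ''));
    $email = trim((string)($_POST['email'] ?? ''));

    $sent = sendReminderIfAllowed(getPdo(), $login, $email);

    // Redirect to success or back to the form, as Mark suggests; either way
    // the browser's current page is the redirect target, not this script.
    redirectTo($sent ? 'success.php' : 'form.php');
}

// A GET to this script has nothing to do; send the visitor to the form.
redirectTo('form.php');
```

The 303 status is what makes the refresh harmless: it tells the browser to fetch the Location with GET, discarding the POST body. Refreshing `success.php` then re-requests `success.php`, never the processor, and even a deliberately re-submitted form is held to one email per half hour by the `pass_sent` check.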