Form Data Integrity
In this section I'll discuss methods you can use to protect data passed in HTML forms. Often when you're working with forms, it is necessary to pass data in the form of hidden input tags. For instance, let's assume that a form that you are working on requires that the user submits it back to the server within five minutes. Unless you are using sessions (discussed later in the book in , "Persistent Data Using Sessions and Cookies") the only method available to you is to create a hidden form element containing the time at which the form was created (see ):
Listing 5.2. Time-Sensitive Form Example
<FORM ACTION="process.php" METHOD=GET>
<INPUT TYPE="hidden" NAME="time" VALUE="<?php echo time(); ?>">
Enter your message (5 minute time limit):<INPUT TYPE="text" NAME="mytext" VALUE="">
<INPUT TYPE="submit" Value="Send Data">
</FORM>
When this form is submitted, the time limit can be enforced by checking that the time hidden element is no more than 300 seconds (5 minutes) behind the current value returned by time():
// Cast the submitted value to an integer before using it in arithmetic.
// The form has expired when its creation time plus the 5-minute limit
// is already in the past.
if ((int)$_GET['time'] + 300 < time()) {
echo "You took too long!<BR>";
exit;
}
The major flaw with this approach is that there is no way to verify that the time value sent back to the server is the same value that was placed in the form when it was created. In fact, when this form is submitted, the user's browser displays a URL like the following:
http://somewhere.com/process.php?time=1037613504
This URL could be easily modified by the user to "turn back time" and make it look like the form was created two minutes earlier than it really was by adding 120 (60 * 2) seconds to the time URL parameter:
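The following is an added example, not code from the book, showing one way to close the gap just described: the hidden time value is issued together with a keyed hash (an HMAC, which the text above does not cover), so a modified time parameter no longer verifies. The secret key, the helper names make_time_token, verify_time_token and check_submission, and the FORM_LIFETIME constant are all assumptions of this example; the timestamp 1037613504 is the sample value from the text.

```php
<?php
// Added example (not from the book): issuing and verifying a signed "time" hidden field.
// Assumes a server-side secret that is never sent to the browser (placeholder below).

const FORM_LIFETIME = 300;  // five minutes, as in Listing 5.2
$secret = 'PLACEHOLDER-replace-with-a-long-random-secret-kept-out-of-the-web-root';

// Build the hidden-field value: the creation timestamp plus an HMAC over it.
function make_time_token(int $created, string $secret): string {
    $mac = hash_hmac('sha256', (string)$created, $secret);
    return $created . ':' . $mac;
}

// Verify a submitted token. Returns the original timestamp, or null if the
// token is malformed or its MAC does not match (i.e. the value was changed).
function verify_time_token(string $token, string $secret): ?int {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0])) {
        return null;
    }
    [$created, $mac] = $parts;
    $expected = hash_hmac('sha256', $created, $secret);
    // hash_equals() compares in constant time, so a forged MAC cannot be
    // confirmed one byte at a time through timing differences.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return (int)$created;
}

// Form generation: instead of echoing time() directly into the hidden field as
// in Listing 5.2, echo htmlspecialchars(make_time_token(time(), $secret))
// into the VALUE attribute.

// Processing side (the equivalent of process.php): the integrity check runs
// first, and only a token that verifies is used for the time-limit check.
function check_submission(array $get, string $secret, int $now): string {
    $created = verify_time_token($get['time'] ?? '', $secret);
    if ($created === null) {
        return 'Form data was modified.';
    }
    if ($created + FORM_LIFETIME < $now) {
        return 'You took too long!';
    }
    return 'OK';
}

// Constructed walk-through: a genuine token submitted in time, the same token
// submitted late, and the token with 120 seconds added to its timestamp.
$created  = 1037613504;  // sample timestamp from the text
$token    = make_time_token($created, $secret);
$tampered = ($created + 120) . ':' . explode(':', $token, 2)[1];

echo check_submission(['time' => $token],    $secret, $created + 200), "\n";
echo check_submission(['time' => $token],    $secret, $created + 400), "\n";
echo check_submission(['time' => $tampered], $secret, $created + 400), "\n";
```

The tampered submission is rejected before the time comparison ever runs, because the MAC was computed over the original timestamp and the user does not hold the secret needed to recompute it. The same pattern applies to any hidden field whose value the server must be able to trust.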