{"id":1434,"date":"2018-01-19T19:22:50","date_gmt":"2018-01-19T19:22:50","guid":{"rendered":"http:\/\/goofy-trucks.flywheelsites.com\/check-data-page-4\/"},"modified":"2018-01-19T19:24:47","modified_gmt":"2018-01-19T19:24:47","slug":"check-data-page-4","status":"publish","type":"post","link":"https:\/\/phpbuilder.com\/check-data-page-4\/","title":{"rendered":"Check Data Page 4"},"content":{"rendered":"
\n
\n
By Spencer P<\/div>\n
on November 3, 2000<\/div>\n<\/p><\/div>\n
\n

How To Access Your Data<\/h2>\n
\nNow all your code is cross-script proof and saving proper data.
\nTime to make your site public, right? This is another time where you
\nshould think twice. For example, your customers are logging into your site to use
\nyour two-click purchase (patent pending) fork-in-a-box (patent pending)
\ne-commerce site. You do one of these for a front page:<\/div>\n
\n<form method=”get” action=”account.php”>
\nID: <input type=”text” name=”id”>
\nPassword: <input type=”password” name=”password”>
\n<\/form>\n<\/div>\n
\nSee the first problem? To submit to your account page, a URL is
\nconstructed to pass the variables, like so:<\/div>\n
\n<http:\/\/www.forkinabox.com\/account.php?id=me&password=ilikecheese>\n<\/div>\n
\nIn the worst case scenario, the password is sent in plain text, saved
\nin the browser’s history, sent to a proxy and saved in the proxy log,
\nand<\/i> saved in the webserver’s access log. Using the POST method
\nmakes things a little (not much) more secure, but someone who is
\npersistent enough can even fake a form using the POST method.<\/div>\n
\nSince we are using the GET method to get the variables into PHP in the
\nprior example, anyone can try an infinite number of IDs and passwords.
\n(Microsoft suffered this one with their passport system a while back.)
\nInstead of GET, use $HTTP_POST_VARS[] for information that is vital for
\naccess or needs to be secure for other reasons. The rest of the time
\nyou can use the GET method — most of the time a search term doesn’t
\nhave to be kept secret.<\/div>\n
\nSince it is possible for someone in the network to be sniffing for
\nclear-text (non-encrypted) data, using https (SSL) will encrypt the remaining data to make
\nit more secure. It is possible to break this kind of
\nencryption, but at present it takes someone with a lot<\/i> of
\ncomputing power to decrypt your data and fake input to your forms. [Insert
\nyour favorite conspiracy theory here.]<\/div>\n
\nBut let’s say that we want to be slick and bypass PHP. (That’s the
\nreason why we’re writing bad code, no?) Checking with JavaScript for
\nvalid input or even a valid user and password has been done. But then what
\nhappens when I turn off JavaScript?<\/div>\n
\nDon’t depend on JavaScript for anything more important than user
\nconvenience. You can cache data with it, make pretty things with it, use it to do
\nfast checks for invalid data, but don’t depend on JavaScript to get
\nproper input to your server.<\/i> As soon as the user turns it off,
\nyour authentication and data checking are out the door. You can
\nspeed up the data checking and shave some processing time off the server,
\nbut, users can turn it off. I know I do!<\/div>\n
\nThis article may be in three parts, but it has one point in mind:
\nNever trust anything that you don’t have control over. Don’t trust the
\ninput to your functions, the data used to generate pages, nor the
\nnetwork. This means check your input when it comes in, clean the input for
\nfurther use, and access it in a sane (and maybe even secure) fashion.
\nThe more authority you take, the less chance the user can be malicious.<\/div>\n
\n— Spencer<\/div>\n

<\/div>\n

<\/p>\n

\n
\u00ab Previous Page<\/a><\/div>\n
1<\/a> <\/div>\n
| <\/div>\n
2<\/a> <\/div>\n
| <\/div>\n
3<\/a> <\/div>\n
| <\/div>\n
4<\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

By Spencer P on November 3, 2000 How To Access Your Data Now all your code is cross-script proof and saving proper data. Time to make your site public, right? This is another time where you should think twice. For example, your customers are logging into your site to use… <\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1434","post","type-post","status-publish","format-standard","hentry","category-tutorials"],"_links":{"self":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/comments?post=1434"}],"version-history":[{"count":1,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1434\/revisions"}],"predecessor-version":[{"id":3292,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1434\/revisions\/3292"}],"wp:attachment":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/media?parent=1434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/categories?post=1434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/tags?post=1434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}