Beginner trying to write secure code

05-03-2009, 11:50 AM

I have recently begun to learn PHP and have written some simple programs to interact with databases and such; I am a beginner to PHP.

There are many good resources helping me to learn PHP, but one thing that seems fundamental does not seem to be touched on much at all, and it is driving me crazy. I am talking about forms and ways of transferring data to PHP.

I am familiar with HTML forms and using POST; however, this drives me insane because the name of the file that the HTML form is sending to is sitting out for anyone to see in the form's action attribute.

How can I get information using HTML or JavaScript and send it to a PHP file without the name of the PHP destination file being out in the open for anyone who wants to 'view source'?

05-03-2009, 12:00 PM
Well, you could write some JavaScript to make an AJAX call to a PHP page with the collected data from the form as well, but just like the action problem, people could look at the JavaScript and find out what page you're sending it to. I wouldn't worry about people knowing your action page. You could, if you want, use mod_rewrite to 'mask' the true page, so instead of form.php it'd be something like /page/form, and you could redirect that to a file in a folder such as scripts/form.php so they'll never know. But like I said, I wouldn't worry.

05-03-2009, 12:28 PM
If your server-side page is secure (able to prevent all sorts of unauthenticated/XSS (http://seancoates.com/archives/13-guid.html)/Injection (http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php) attacks), then you don't have to worry. Or in other words, validate all kinds of external data from users (via GET/POST) before using them in your queries/statements or echoing them on your pages.
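The handling the reply above recommends, written out as an added example (not code posted in this thread). It stands in for the form's action page: it validates the POSTed fields, inserts them with a prepared statement so an apostrophe in the data cannot break the SQL, and HTML-encodes the value when echoing it back so a script tag in the data is displayed rather than executed. The `users` table, the `name`/`age` fields and the in-memory SQLite database are assumptions chosen so the script runs offline; a real action page would read `$_POST` and connect to its own database.

```php
<?php
// Added example, not from the original thread. Table, field names and the
// SQLite in-memory DSN are assumptions made so the script runs stand-alone.
declare(strict_types=1);

// Constructed sample input standing in for $_POST from the HTML form.
// The name carries both an SQL metacharacter and an HTML script tag.
$input = [
    'name' => "O'Brien <script>alert(1)</script>",
    'age'  => '42',
];

// Step 1: validate. Reject input that is not the expected shape instead of
// trying to "clean" it. filter_var() returns false when the value is not an
// integer in range, so '42abc' or '-1' would stop here.
$name = trim($input['name'] ?? '');
if ($name === '' || strlen($name) > 64) {          // length check in bytes
    exit("invalid name\n");
}
$age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 150]]);
if ($age === false) {
    exit("invalid age\n");
}

// Step 2: database access through a prepared statement. The SQL text never
// contains user data; the driver sends the values separately, so the
// apostrophe in O'Brien cannot close the string literal (the injection case).
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER)');

// Vulnerable form, shown only for contrast (do not use):
//   $db->exec("INSERT INTO users (name, age) VALUES ('$name', $age)");
$stmt = $db->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
$stmt->execute([':name' => $name, ':age' => $age]);

// Step 3: output encoding when echoing into HTML. htmlspecialchars() turns
// < > & " ' into entities, so the stored <script> tag is shown as text
// instead of run by the browser (the XSS case).
$row = $db->query('SELECT name, age FROM users')->fetch(PDO::FETCH_ASSOC);
printf("<p>Hello, %s (age: %d)</p>\n",
    htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    (int) $row['age']);
```

Run it with `php` on the command line (the pdo_sqlite extension must be enabled). The printed `<p>` contains `&lt;script&gt;` rather than a live tag, and the row in the table holds the full name including the apostrophe. Note that the validation is about shape (length, integer range), while the prepared statement and the output encoding are what actually keep the data from being interpreted as SQL or HTML; escaping at output time is done with the encoding of the context the data is going into, not at input time.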

05-03-2009, 12:58 PM
Sounds like I am being a little too paranoid. I am familiar with Linux and not worried about an insecure server. It sounds like I should let it all hang out and just make sure I have a tight lock on input and output to stay safe.