
Avoiding Hacking....


perlone

Hi,

I'm running a game site and I want to make sure that the players get to certain areas by clicking through only the query strings. The URLs are like this: user.cgi?email=$email&pass=$pass. I want to make sure that they don't just type the URL in the browser and get into the areas. This would also avoid some of the common things like editing through Frontpage Express. I tried the following but it's not working that well:

    $q = $ENV{'QUERY_STRING'};
    if ($q eq "") {
        print "Use the main page";
    }

For example, some of the sites won't let you open new windows while the user is logged in. If you want to see an example of what I mean, please try web-dcent.com. After you log in and try to edit the address through the browser or try to open a new window, you'll get an error message. Thanks for your time and I hope someone can help.

-Aaron
 
Well, your site seems to be down at the moment, but I might be able to help a little. I'm not sure what you mean by not working that well, but there are other things you can do to help this out. One variable to look at would be $ENV{HTTP_REFERER}, which is the last page the user was at. Another is to change your site from having the query strings to using POSTed data. That way you could just check to see if the incoming data was POSTed or GETed (via $ENV{REQUEST_METHOD}). It may take a little more work to read in the data, depending on whether or not you're using the CGI module, but it's also a bit harder for people to get around having to POST data into a script (well, at least fewer high school aged hackers will know how, and having belonged to that crowd once, I can say that most eventually develop morals as they develop their skills. Sometimes, in non-monetary situations, a little security to scare off kids is all you need (don't quote me on this)).

Anyway, some very effective security schemes are available for emulation, but I really can't suggest one without having seen how your site is organized and controlled. You could also just do some general reading on internet security, which might give you some more ideas.

Hope this helps some.

"If you think you're too small to make a difference, try spending a night in a closed tent with a mosquito."
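
Added example, not part of the original thread: a sketch of the two checks the reply mentions ($ENV{REQUEST_METHOD} and $ENV{HTTP_REFERER}), run over constructed sample environments. The helper name `request_allowed` and the host `game.example` are assumptions; both variables are supplied by the client, so the check is a deterrent of the kind the reply describes, not a login check.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): decide whether a CGI request
# looks like it came from a form on our own site, using the two variables
# the reply mentions. Both values are supplied by the client, so this is a
# deterrent only and cannot replace a server-side login check.
sub request_allowed {
    my ($env, $own_host) = @_;

    # Typing a URL into the address bar always produces a GET.
    my $method = uc($env->{REQUEST_METHOD} // '');
    return (0, 'not a POST') unless $method eq 'POST';

    # Referer may be absent (privacy settings, proxies) or malformed.
    my $referer = $env->{HTTP_REFERER} // '';
    my ($host) = $referer =~ m{^https?://([^/:?#]+)}i;
    return (0, 'missing or unparsable referer') unless defined $host;

    # Compare the whole host name, so "game.example.other.test" does not
    # pass a check for "game.example".
    return (0, "foreign referer host $host") unless lc($host) eq lc($own_host);

    return (1, 'ok');
}

# Constructed sample environments; game.example is a placeholder host.
my @samples = (
    { REQUEST_METHOD => 'GET',  HTTP_REFERER => 'http://game.example/main.html' },
    { REQUEST_METHOD => 'POST' },
    { REQUEST_METHOD => 'POST', HTTP_REFERER => 'http://game.example.other.test/x' },
    { REQUEST_METHOD => 'POST', HTTP_REFERER => 'http://game.example/main.html' },
);

for my $env (@samples) {
    my ($ok, $why) = request_allowed($env, 'game.example');
    printf "%-4s referer=%-35s -> %s (%s)\n",
        $env->{REQUEST_METHOD}, $env->{HTTP_REFERER} // '(none)',
        $ok ? 'allow' : 'deny', $why;
}
```

In a live CGI script the call would be `request_allowed(\%ENV, $own_host)`; only the last sample above is allowed.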
 