The TYPO3 mailing list - don't ask: read!
[TYPO3] suggestions on form submit - a discussion on typo3-english@lists.netfielders.de (TYPO3-Mailinglists: ENGLISH)
#1
Hello all,

We created a simple extension with kickstarter and added custom code to it. Everything seems to work fine except for one detail with which I'm not happy. One of our PHP developers decided to submit the form to itself. Normally I would post the form to a handler which checks the submitted data and then submits this data (if the data adhered to specified rules) to the database. As far as I know (in theory) this should be more secure. But how to do this? Personally I'm not that advanced in PHP programming and TYPO3 and so I would post to -- for example -- 'process.php'. This wouldn't work in our case because I want to 'echo' the submitted data again to the user without leaving the location in the CMS. In addition it would be vulnerable to SQL injections because it would be wide open to the internet, i.e. (post to www.domain.com/process.php).

So the question: "How to process form data in typo3 effective and secure?"

Thanks in advance.

Regards,

Marco

_______________________________________________
TYPO3-english mailing list
TYPO3-english (AT) lists (DOT) netfielders.de
http://lists.netfielders.de/cgi-bin/.../typo3-english
#2
hey,

in typo3 you post to the system. And when your form is set up correctly you will find the posted variables back in $this->piVars['...'];

Then you can do your post processing, accept the values and do something with them, or show the form again and fill in the inputs.

Just make sure you understand how to set up forms and how to create correct post/get names.

Ries

On Jun 2, 2007, at 6:21 PM, M.Couperus wrote:

> Hello all,
>
> We created a simple extension with kickstarter and added custom code to it. Everything seems to work fine except for one detail with which I'm not happy. One of our PHP developers decided to submit the form to itself. Normally I would post the form to a handler which checks the submitted data and then submits this data (if the data adhered to specified rules) to the database. As far as I know (in theory) this should be more secure. But how to do this? Personally I'm not that advanced in PHP programming and TYPO3 and so I would post to -- for example -- 'process.php'. This wouldn't work in our case because I want to 'echo' the submitted data again to the user without leaving the location in the CMS. In addition it would be vulnerable to SQL injections because it would be wide open to the internet, i.e. (post to www.domain.com/process.php).
>
> So the question: "How to process form data in typo3 effective and secure?"
>
> Thanks in advance.
>
> Regards,
>
> Marco

--
Ries van Twisk
Freelance Typo3 Developer
email: ries (AT) vantwisk (DOT) nl
web: http://www.rvantwisk.nl/
skype: callto://r.vantwisk
#3
Hi,

So posting them to an array somewhere in the typo3 system if I understand you correctly. Then getting those values with another php script. But as the form is not initiating the 'get' script, how to process the data?

What would be the best place in typo3 to post such data and how do I initiate the new script? The script must display the posted form again and if the data adhered to my specified rules it should be posted to the database?

Thanks in advance!

Marco

On 6/3/07, Ries van Twisk <typo3 (AT) rvt (DOT) dds.nl> wrote:
>
> hey,
>
> in typo3 you post to the system. And when your form is set up correctly you will find the posted variables back in $this->piVars['...'];
>
> Then you can do your post processing, accept the values and do something with them, or show the form again and fill in the inputs.
>
> Just make sure you understand how to set up forms and how to create correct post/get names.
>
> Ries
>
> On Jun 2, 2007, at 6:21 PM, M.Couperus wrote:
>
> > Hello all,
> >
> > We created a simple extension with kickstarter and added custom code to it. Everything seems to work fine except for one detail with which I'm not happy. One of our PHP developers decided to submit the form to itself. Normally I would post the form to a handler which checks the submitted data and then submits this data (if the data adhered to specified rules) to the database. As far as I know (in theory) this should be more secure. But how to do this? Personally I'm not that advanced in PHP programming and TYPO3 and so I would post to -- for example -- 'process.php'. This wouldn't work in our case because I want to 'echo' the submitted data again to the user without leaving the location in the CMS. In addition it would be vulnerable to SQL injections because it would be wide open to the internet, i.e. (post to www.domain.com/process.php).
> >
> > So the question: "How to process form data in typo3 effective and secure?"
> >
> > Thanks in advance.
> >
> > Regards,
> >
> > Marco
>
> --
> Ries van Twisk
> Freelance Typo3 Developer
> email: ries (AT) vantwisk (DOT) nl
> web: http://www.rvantwisk.nl/
> skype: callto://r.vantwisk
#4
Hi Marco,

I think you need to read up on Typo3 extension development as you seem to have a lack of understanding of the basic concepts. There is a basic extension development tutorial available on Typo3.org: http://typo3.org/documentation/docum...ic/0.0.8/view/

You might also want to have a look at how other extensions work - maybe try finding one which provides similar functionality to the one you are trying to create and use it as a starting point.

It is a flawed misconception to think that 'submitting data to a handler is safer than submitting data to itself' as this makes no difference whatsoever when it comes to 'security'. In most cases securing PHP forms all comes down to how you handle incoming requests, data validation & sanitisation and how this data then interacts with your database or model. Whether this logic is in the same controller which generates your form or a separate one is completely irrelevant.

Hope this helps,

Oliver

M.Couperus wrote:
> Hi,
>
> So posting them to an array somewhere in the typo3 system if I understand you correctly. Then getting those values with another php script. But as the form is not initiating the 'get' script, how to process the data?
>
> What would be the best place in typo3 to post such data and how do I initiate the new script? The script must display the posted form again and if the data adhered to my specified rules it should be posted to the database?
>
> Thanks in advance!
>
> Marco
>
>
> On 6/3/07, Ries van Twisk <typo3 (AT) rvt (DOT) dds.nl> wrote:
>>
>> hey,
>>
>> in typo3 you post to the system. And when your form is set up correctly you will find the posted variables back in $this->piVars['...'];
>>
>> Then you can do your post processing, accept the values and do something with them, or show the form again and fill in the inputs.
>>
>> Just make sure you understand how to set up forms and how to create correct post/get names.
>>
>> Ries
>>
>> On Jun 2, 2007, at 6:21 PM, M.Couperus wrote:
>>
>> > Hello all,
>> >
>> > We created a simple extension with kickstarter and added custom code to it. Everything seems to work fine except for one detail with which I'm not happy. One of our PHP developers decided to submit the form to itself. Normally I would post the form to a handler which checks the submitted data and then submits this data (if the data adhered to specified rules) to the database. As far as I know (in theory) this should be more secure. But how to do this? Personally I'm not that advanced in PHP programming and TYPO3 and so I would post to -- for example -- 'process.php'. This wouldn't work in our case because I want to 'echo' the submitted data again to the user without leaving the location in the CMS. In addition it would be vulnerable to SQL injections because it would be wide open to the internet, i.e. (post to www.domain.com/process.php).
>> >
>> > So the question: "How to process form data in typo3 effective and secure?"
>> >
>> > Thanks in advance.
>> >
>> > Regards,
>> >
>> > Marco
>>
>> --
>> Ries van Twisk
>> Freelance Typo3 Developer
>> email: ries (AT) vantwisk (DOT) nl
>> web: http://www.rvantwisk.nl/
>> skype: callto://r.vantwisk

--
Oliver Rowlands :: Liquid Light ::
E - oliver (AT) liquidlight (DOT) co.uk
W - http://www.liquidlight.co.uk
T - 00 44 (0)845 6 58 88 35
F - 00 44 (0)845 6 58 44 35
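To illustrate what Ries and Oliver describe (the form posts back to the same page, the values arrive in $this->piVars, and security comes from validation, escaping and how the data reaches the database), here is an added example written for this page, not code from the thread or from any TYPO3 extension. It assumes the TYPO3 4.x pibase API; the class name tx_myext_pi1, the field names, the storagePid setting and the table tx_myext_messages are hypothetical.

```php
<?php
// Added example, not from the thread: a TYPO3 4.x pibase plugin whose main() renders
// and processes its own form. Class name, field names and tx_myext_messages are hypothetical.
require_once(PATH_tslib . 'class.tslib_pibase.php');

class tx_myext_pi1 extends tslib_pibase {
    var $prefixId = 'tx_myext_pi1';   // form fields are named tx_myext_pi1[field] -> $this->piVars

    function main($content, $conf) {
        $this->conf = $conf;
        $this->pi_setPiVarDefaults();
        $data = array(); $errors = array();
        // Whitelist the fields we expect; anything else posted is ignored.
        foreach (array('name', 'email', 'message') as $f) {
            $data[$f] = trim((string) $this->piVars[$f]);
        }
        if ($this->piVars['submit']) {
            if ($data['name'] === '' || strlen($data['name']) > 80) {
                $errors[] = 'Please enter a name (max. 80 characters).';
            }
            if (!t3lib_div::validEmail($data['email'])) {
                $errors[] = 'Please enter a valid e-mail address.';
            }
            if ($data['message'] === '') {
                $errors[] = 'Please enter a message.';
            }
            if (!count($errors)) {
                // exec_INSERTquery quotes every value through fullQuoteArray(),
                // so the input never reaches the SQL statement unescaped.
                $insert = $data;
                $insert['pid'] = intval($this->conf['storagePid']);   // hypothetical TS setting
                $GLOBALS['TYPO3_DB']->exec_INSERTquery('tx_myext_messages', $insert);
                return $this->pi_wrapInBaseClass('<p>Thank you, ' . htmlspecialchars($data['name']) . '.</p>');
            }
        }
        // Re-render the form on the same page with the submitted values echoed back, HTML-escaped.
        $out = '';
        foreach ($errors as $e) {
            $out .= '<p class="error">' . htmlspecialchars($e) . '</p>';
        }
        $out .= '<form method="post" action="' . htmlspecialchars($this->pi_getPageLink($GLOBALS['TSFE']->id)) . '">';
        foreach (array('name', 'email') as $f) {
            $out .= '<input type="text" name="' . $this->prefixId . '[' . $f . ']" value="' . htmlspecialchars($data[$f]) . '" />';
        }
        $out .= '<textarea name="' . $this->prefixId . '[message]">' . htmlspecialchars($data['message']) . '</textarea>';
        $out .= '<input type="submit" name="' . $this->prefixId . '[submit]" value="Send" /></form>';
        return $this->pi_wrapInBaseClass($out);
    }
}
```

The same main() serves both the first display and the post-back, so the checks run on every request regardless of where the form was rendered, which is the point Oliver makes about a separate handler adding nothing by itself.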