Forum OpenACS Q&A: Response to Securing form submissions

Posted by Ben Adida on
There is no way to figure that out unless you add significant
cryptographic tricks with unique form tokens and such (I don't
know anyone who has done that).

In general, you need to consider that every page on your web site
is a program with inputs that can be manipulated by a
mischievous individual. You *cannot* trust any of the inputs to
your web page. Thus, you must check that supposed integers
are indeed integers. You must ensure that you don't send the
user_id back and forth as a hidden form variable. Etc.... Every
input to your web page should be considered insecure.

Web security is hard....
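The two points above (per-session, single-use form tokens, and treating every form field, including a hidden user_id, as hostile) can be shown in a small server-side handler. The following is an added example written for this page; it is not code from the post, and it is plain Python rather than OpenACS Tcl. The secret key, session layout, form name `edit_profile`, and the `age` field are constructed assumptions for the example.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical server secret; in practice loaded from config, never from the request.
SECRET_KEY = b"constructed-server-secret-for-this-example"
FORM_NAME = "edit_profile"

# Strict integer syntax: optional sign, no leading zeros, no whitespace, no "0x".
_INT_RE = re.compile(r"-?(0|[1-9][0-9]*)")


def parse_int(value) -> int:
    """Accept only a string that is exactly an integer; reject anything else."""
    if not isinstance(value, str) or not _INT_RE.fullmatch(value):
        raise ValueError(f"not an integer: {value!r}")
    return int(value)


def issue_form_token(session_id: str, form_name: str, secret: bytes = SECRET_KEY) -> str:
    """Token = random nonce + HMAC over (session, form, nonce).

    The HMAC binds the token to one session and one form, so a token obtained
    in another session (or for another form) fails verification.
    """
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{form_name}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_form_token(session_id: str, form_name: str, token, secret: bytes = SECRET_KEY) -> bool:
    """Recompute the MAC for the submitted nonce and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    msg = f"{session_id}|{form_name}|{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_submission(session: dict, form: dict) -> dict:
    """Process a posted form. `session` is server-side state keyed by a cookie;
    `form` is the untrusted POST body (constructed dicts in the tests below)."""
    token = form.get("form_token", "")
    if not verify_form_token(session["id"], FORM_NAME, token):
        return {"ok": False, "error": "bad form token"}

    # Single use: remember consumed nonces so a captured token cannot be replayed.
    nonce = token.split(".", 1)[0]
    used = session.setdefault("used_nonces", set())
    if nonce in used:
        return {"ok": False, "error": "form token already used"}
    used.add(nonce)

    # The identity comes from the server-side session, never from a hidden field.
    # A submitted form["user_id"] is simply ignored.
    user_id = session["user_id"]

    try:
        age = parse_int(form.get("age", ""))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    if not 0 <= age <= 150:
        return {"ok": False, "error": "age out of range"}

    return {"ok": True, "user_id": user_id, "age": age}
```

The token is rendered into the form as a hidden field when the page is served and checked on submission; because it is keyed to the session and consumed on first use, a token lifted from another user or replayed from an earlier submission is rejected before any field is looked at.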