
I am developing a Joomla component and I want to know the most secure way to POST and GET data through a form submit.

    <form action="index.php?<?php echo JUtility::getToken(); ?>=1" method="post" name="adminForm">
        <input type="hidden" name="option" value="<?php echo OPTION_NAME; ?>" />
        <input type="hidden" name="task" value="save" />
        <input type="hidden" name="controller" value="mycontroller" />
        <input type="hidden" name="id" value="<?php echo $this->my_data->id; ?>" />

        <?php // hidden input carrying the session token, checked on the server ?>
        <?php echo JHTML::_('form.token'); ?>

        <!-- my code is here -->

    </form>

model.php

    function getPostData()
    {
        // reject the request unless it carries a valid session token
        if (!JRequest::checkToken('REQUEST')) {
            // return 403 error
            JError::raiseError(403, JText::_('ALERTNOAUTH'));
            // belt and braces approach to guarantee the script stops
            jexit('Invalid Token');
        }

        // read the id from POST only, cast to an integer
        $this->_data->id = JRequest::getVar('id', 0, 'POST', 'INT');
        //....
    }

This is the way I am sending data and I don't know whether this is a good method or not. Please help.

Sara
  • What do you mean by secure? What kind of attack do you want to prevent? – Thilo Nov 24 '11 at 05:20
  • Well, I am sending credit card details so I want to send them in a more secure way. I am still a novice to Joomla :) and don't know what kind of attacks I may face. – Sara Nov 24 '11 at 05:25
  • For credit card details use HTTPS. That secures the data in transit. And then you need to secure your database to keep that data safe. But that is outside the scope of this question. – Thilo Nov 24 '11 at 05:50

1 Answer


I think this method you use is ok. Just one thing: if you're getting the data from POST, I guess your token will be available in POST too, so your call to JRequest::checkToken( 'REQUEST' ) could be changed to JRequest::checkToken( 'post' ). Another important thing is that you should always use the $db->Quote() method if you're manually crafting database queries using vars from the request. Finally, as Thilo said, you should use HTTPS for "critical" transactions such as payments.

I hope it helped!

alghimo
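The three points in the answer (token checked against POST only, the id cast to an integer, every request-supplied string passed through $db->Quote()) put together in one Joomla 1.5-style model method. This is an added example, not the asker's or alghimo's code; the component name, the `#__mycomponent_items` table and its `title` column are assumptions.

```php
<?php
// Added example (not from the question or answer): a model save() method that
// applies the answer's advice. Table `#__mycomponent_items` and column `title`
// are assumed names.
defined('_JEXEC') or die('Restricted access');

jimport('joomla.application.component.model');

class MycomponentModelItem extends JModel
{
    /**
     * Save the submitted form. Returns the row id on success, false otherwise.
     */
    public function save()
    {
        // The form posts its token (JHTML::_('form.token')), so only accept it
        // from POST: a token arriving in the query string is rejected.
        if (!JRequest::checkToken('post')) {
            JError::raiseError(403, JText::_('ALERTNOAUTH'));
            jexit('Invalid Token');
        }

        $db    = JFactory::getDBO();
        $id    = JRequest::getInt('id', 0, 'post');               // forced to integer
        $title = JRequest::getVar('title', '', 'post', 'STRING'); // still untrusted

        // UNSAFE (do not use): "... SET title = '" . $title . "' ..." lets a
        // quote character inside $title change the query. $db->Quote() escapes
        // the value and wraps it in quotes, so it stays a single string literal.
        if ($id > 0) {
            $query = 'UPDATE #__mycomponent_items'
                   . ' SET title = ' . $db->Quote($title)
                   . ' WHERE id = ' . (int) $id;
        } else {
            $query = 'INSERT INTO #__mycomponent_items (title)'
                   . ' VALUES (' . $db->Quote($title) . ')';
        }

        $db->setQuery($query);
        if (!$db->query()) {
            $this->setError($db->getErrorMsg());
            return false;
        }

        return $id > 0 ? $id : (int) $db->insertid();
    }
}
```

The controller's save task would call this method and then redirect; the HTTPS point from the comments is a server configuration matter, not something the component code decides.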