Example - say I have this form to sign up and my target is insert.php. (BTW - insert.php breaks down an object instantiated from a class (in this case called user) by matching the posted variable names to the class's setters and getters; it then calls another generic class that breaks down the object to create the SQL string.) I've also simplified the number of fields in this example.
<fieldset id="signup_menu">
  <form method="post" id="signup" action="insert.php">
    <p>
      <label for="username">Username</label>
      <input id="username" name="username" value="" title="username" type="text" />
    </p>
    <p>
      <label for="password">Password</label>
      <input id="password" name="password" value="" title="password" type="password" />
    </p>
    <p>
      <input id="signup_submit" value="Sign up" type="submit" />
    </p>
  </form>
</fieldset>
Now if I changed the target to update.php (I obviously wouldn't call the files update and insert), someone would be able to update current user info. Even if I had a specific update for user credentials, just having generics available on the server causes a risk.
Does anyone have any suggestions of precautions to take against potential hackers changing HTML on the fly?
I know there is encryption software to change HTML source to gibberish, but which one is the best?
Any thoughts would be appreciated as I'm unsure which security measures need to be taken first.
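Added example (not the poster's code): the browser-side HTML cannot be protected, since anyone can edit the form action or add fields, so the defence belongs in the endpoint itself. The sketch below shows an update.php that decides who may be updated from the server-side session rather than from anything posted, accepts only a fixed whitelist of fields instead of mapping every posted name onto a setter, checks a CSRF token, and writes through a prepared statement. The `$pdo` connection, the `users` table with columns `id`, `username` and `password_hash`, and the `$_SESSION['user_id']` / `$_SESSION['csrf_token']` keys are assumptions for the example, not details from the question.

```php
<?php
// Added example, not the original poster's code.
// Assumed (not from the question): a PDO connection in $pdo, a `users`
// table with columns id, username, password_hash, and a login flow that
// stored the authenticated user's id in $_SESSION['user_id'] and a random
// token in $_SESSION['csrf_token'] that the form echoes back as csrf_token.
session_start();

// 1. Authorization on the server. The form can be rewritten by the client,
//    so the row to update is taken from the session, never from a posted
//    or hidden "id" field.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}
$currentUserId = (int) $_SESSION['user_id'];

// 2. CSRF token: a form forged on another site cannot know this value.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Bad CSRF token');
}

// 3. Field whitelist. Only these names may be written by this endpoint;
//    any other posted field (for example an extra "id" or a role flag
//    aimed at a matching setter) is simply ignored.
$allowed = ['username', 'password'];
$updates = [];
foreach ($allowed as $field) {
    if (isset($_POST[$field]) && $_POST[$field] !== '') {
        $updates[$field] = (string) $_POST[$field];
    }
}
if ($updates === []) {
    http_response_code(400);
    exit('Nothing to update');
}

// 4. Validate each value explicitly and build the SET clause from fixed
//    column names only; user input never reaches the SQL text itself.
$columns = [];
$params  = [];
if (isset($updates['username'])) {
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $updates['username'])) {
        http_response_code(400);
        exit('Invalid username');
    }
    $columns[] = 'username = :username';
    $params[':username'] = $updates['username'];
}
if (isset($updates['password'])) {
    if (strlen($updates['password']) < 8) {
        http_response_code(400);
        exit('Password too short');
    }
    $columns[] = 'password_hash = :password_hash';
    $params[':password_hash'] = password_hash($updates['password'], PASSWORD_DEFAULT);
}

// 5. Prepared statement, scoped to the session user's own row.
$sql = 'UPDATE users SET ' . implode(', ', $columns) . ' WHERE id = :id';
$params[':id'] = $currentUserId;
$stmt = $pdo->prepare($sql);
$stmt->execute($params);

echo 'Updated';
```

The same shape applies to the generic insert endpoint: the whitelist replaces "match every posted name to a setter", and the session decides what the caller is allowed to touch. Obfuscating the HTML does not change any of this, because the browser still has to send the real field names and the real action URL, which is exactly what a user can read in the developer tools.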