How do I check who sent me a post?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Greffin
Forum Newbie
Posts: 7
Joined: Tue May 12, 2009 3:49 am

How do I check who sent me a post?

Post by Greffin »

Hi.

I'm trying to set up some security around a small script of mine. It exists to transfer one file from one server to another through https post. But I do not want to receive posts from any other box than one particular server. How can I test this?
JakeJ
Forum Regular
Posts: 675
Joined: Thu Dec 10, 2009 6:27 pm

Re: How do I check who sent me a post?

Post by JakeJ »

Is the script on the sender server or the receiver server?
Greffin
Forum Newbie
Posts: 7
Joined: Tue May 12, 2009 3:49 am

Re: How do I check who sent me a post?

Post by Greffin »

Ok, this is the same scenario as described in viewtopic.php?f=34&t=129640. I threw out my attemts at ssh transfers, as ssh.shell or ssh.tunnel transfers does not support unlink, which is a requirement. Also my client preferes not to use ftp in any form.
So, to recap on that issue; Two php servers are communicating. The first one needs to transfer a file to the second one, but I want the second server to only accept files from the first server. Noone else. This requires me to check if the sender actually is my first server.
I was thinking in lines of checking for post headers or something like that.
Or perhaps I can use SSL in cURL? I allready have set up a public/private key... Anybody know how to do this?
JakeJ
Forum Regular
Posts: 675
Joined: Thu Dec 10, 2009 6:27 pm

Re: How do I check who sent me a post?

Post by JakeJ »

There are plenty of articles on SSL and curl. I guess it depends on how secure you want to get.

You know that curl can do ftp right? Why would your client care as long as they don't have to actually interact with the FTP themselves. And FTP supports authentication (use secure FTP obviously).

But, if they're that insistent on FTP not being involved at all, it should be a simple matter of sending the file with a form that uses authentication. The script on the client side would have the user name and password, you could also throw in some other parameters to get certain host information and send it as form fields just for extra security. If you're worried about someone with physical access to the server copying the script and applying it to a different machine that presents a whole new set of problems but it sounds like you just want a basic sanity check, not super tight security.
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Re: How do I check who sent me a post?

Post by pickle »

If you POST the file, the receiving server can check the remote IP (for the receiving server, the remote IP will be the IP of the sending server). If the remote IP matches what you've hardcoded, process $_POST.

If you're worried about IP spoofing though, this wouldn't work.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Post Reply