Validate Forms with random value

blacksnday
Forum Contributor
Posts: 252
Joined: Sat Jul 30, 2005 6:11 am
Location: bfe Ohio :(


Post by blacksnday »

For the forms I use on my website, I originally checked the referrer
and denied if the referrer was anything but my domain.
Of course this can be tricked, and where that lacked, my auth-image took over.

However... I wanted a better way to secure forms.
So I created a self-validating function.

What it does is create a random value on each page load of the form,
store that value in a hidden field, and then, once the value is stored on the form,
turn that value into a SESSION.
Once a user clicks the form's Submit button, the hidden field value is compared
with the session value. If it matches, then access is allowed to continue.
If it does not match, then we can safely assume the form was improperly accessed,
and we deny the submit attempt.

I also created a function to check for empty values... in case the submit page
is different from the form page and the submit page was directly accessed.
In this case, since the form page was not accessed, no random value was created,
so we check for that and deny if so.

```php
<?php
/**
 * Written on 12-15-05 by blacksnday for http://bashmyex.com
 *
 * auth_token - create auth token session value on forms
 *              if session value does not match form value we know form
 *              was incorrectly accessed and we can deny the attempt
 *
 * @param bool $pre   - generates random secure_check string for hidden field on form;
 *                      once value created on form, turn value into a session to be later compared
 *
 * @param bool $after - compares session value to form value for above string;
 *                      if form string does not match session string then we can
 *                      safely assume the submit page was accessed from an external
 *                      website attempt at copying form and we then deny access
 *
 * @global $token     - used in form hidden field: <input name='securecheck' type='hidden' value='$token' />
 */

// Both functions read and write $_SESSION, so the session has to be started
// (before any output) on every page that includes this file.
session_start();

function auth_token($pre, $after)
{
	global $token;
	$deny_message = "your deny message here";

	if ($pre) {
		// New token on every load of the form page; overwrites any earlier one.
		$token = sha1(uniqid(rand(), true));
		$_SESSION['token'] = $token;
		$_SESSION['token_timestamp'] = time(); // recorded here, not checked below
	}

	if ($after) {
		// Read both sides defensively so a missing field or session does not raise a notice.
		$correct_value = isset($_SESSION['token']) ? $_SESSION['token'] : null;
		$user_value    = isset($_POST['securecheck']) ? $_POST['securecheck'] : null;

		// Strict comparison: with == two hex strings that happen to look
		// numeric would compare as equal even when they differ.
		if ($correct_value !== null && $correct_value === $user_value) {
			unset($correct_value);
			unset($user_value);
		} else {
			echo $deny_message;
			exit;
		}
	}
}

function empty_check($bash_form = TRUE)
{
	$deny_message = "your deny message here";

	if ($bash_form) {
		// Submit page reached without the hidden field, or without the form
		// page ever having put a token in the session: deny either way.
		if (!isset($_POST['securecheck'])) {
			echo $deny_message;
			exit;
		} elseif (!isset($_SESSION['token'])) {
			echo $deny_message;
			exit;
		}
	}
}
```
Example Usage: form.php
(make sure to include the file with the above code on both the form page
and the submit page)

```php
<?php
// Form page: create the token for this page load (no comparison yet).
auth_token(true, false);

echo "
<form name='form' method='post' action='testformthanks.php'>
<input name='securecheck' type='hidden' value='$token' />
<label for='name'>Your Name: </label><br class='br' />
<input name='name' type='text' class='textfield' id='name' maxlength='24' /><br class='br' />
<label for='text'>Your Text: </label><br class='br' />
<textarea cols='30' rows='5' name='text' id='text'></textarea><br class='br' />
<label for='submit'>&nbsp;</label><br class='br' /><br class='br' />
<input name='formsubmit' type='submit' class='submit' id='submit' value='submit' />
</form>
";
```
Example Usage: testformthanks.php

```php
<?php
// Submit page: first make sure both the field and the session token exist,
// then compare them (no new token is generated here).
empty_check(true);
auth_token(false, true);
```
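
The same hidden-field/session check, as an added example that is not blacksnday's code, written against current PHP (random_bytes, hash_equals). It goes a little beyond the post: the token is single-use and it expires using the token_timestamp the post stores but never reads. The field name securecheck is from the post; the function names and the 15-minute lifetime are assumptions.

```php
<?php
// Added example, not blacksnday's code: the same hidden-field/session token
// pattern against current PHP. Lines marked ASSUMPTION go beyond the post.
session_start();

const TOKEN_FIELD   = 'securecheck'; // hidden field name used in the post
const TOKEN_MAX_AGE = 900;           // ASSUMPTION: token lifetime in seconds

/** Form page: create a fresh token, remember it in the session, return it. */
function issue_form_token(): string
{
    // CSPRNG output instead of sha1(uniqid(rand(), true)).
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    $_SESSION['token_timestamp'] = time(); // the post stores this but never reads it
    return $token;
}

/** Submit page: true only if the posted token is the one this session issued. */
function verify_form_token(array $post): bool
{
    // Same "empty" conditions as empty_check(): no field or no session token.
    if (!isset($post[TOKEN_FIELD], $_SESSION['token'], $_SESSION['token_timestamp'])) {
        return false;
    }
    $expected = $_SESSION['token'];
    $issued   = (int) $_SESSION['token_timestamp'];
    $given    = $post[TOKEN_FIELD];

    // One-time use (ASSUMPTION): the token is spent whatever the outcome.
    unset($_SESSION['token'], $_SESSION['token_timestamp']);

    if (!is_string($expected) || !is_string($given)) {
        return false; // securecheck[]=... arrives as an array and cannot match
    }
    if (time() - $issued > TOKEN_MAX_AGE) {
        return false; // ASSUMPTION: tokens older than TOKEN_MAX_AGE are rejected
    }
    // Constant-time, strict comparison instead of == on two hex strings.
    return hash_equals($expected, $given);
}

// form.php:           $token = issue_form_token(); then echo the hidden field
// testformthanks.php: if (!verify_form_token($_POST)) { echo 'denied'; exit; }
```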