Stopping other scripts/sites POSTing data to mine

batfastad
Forum Contributor
Posts: 433
Joined: Tue Mar 30, 2004 4:24 am
Location: London, UK

Stopping other scripts/sites POSTing data to mine

Post by batfastad »

Hi everyone

Obviously there's no way to stop other scripts and sites actually sending data to my scripts, unless I firewall them out or something... not ideal for a public website.

But is there a way for PHP to detect this and ignore the input if it's not from my form/script?
Using the referer header is a basic solution, but this is easily faked and not to be trusted.

Any comments/suggestions?
Thanks, B
php_east
Forum Contributor
Posts: 453
Joined: Sun Feb 22, 2009 1:31 pm
Location: Far Far East.

Re: Stopping other scripts/sites POSTing data to mine

Post by php_east »

Nothing that comes to your door can be trusted, but you could use PHP uniqid and sprinkle them on your forms, with some more added salt, and check for these values on your form, and you would have a decent means of at least keeping the simple forms from getting through.
batfastad
Forum Contributor
Posts: 433
Joined: Tue Mar 30, 2004 4:24 am
Location: London, UK

Re: Stopping other scripts/sites POSTing data to mine

Post by batfastad »

Ah ok, that could work.
I do check that every value is what I expect before it goes into a DB

However, all it needs is for someone to know my form structure and which fields are required etc., and they can easily insert records.
Is that correct, or is there something more basic I'm missing here?

Cheers, B
Mark Baker
Forum Regular
Posts: 710
Joined: Thu Oct 30, 2008 6:24 pm

Re: Stopping other scripts/sites POSTing data to mine

Post by Mark Baker »

batfastad wrote: However, all it needs is for someone to know my form structure and which fields are required etc., and they can easily insert records.
Is that correct, or is there something more basic I'm missing here?
As php_east has suggested:

Create an additional field in your form, hidden or not, that holds a unique value (such as the result of sha1(uniqid(rand(), true))). When you create this field, store the value in session; when the data is posted, compare the value in the field with that held in session. If the two don't match, reject the form processing.
Not perfect, but requires a lot more effort to emulate.
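The session-bound token that php_east and Mark Baker describe, written out as an added example (this is editor-supplied code, not code posted in the thread). It assumes PHP 7 or later so that random_bytes() and hash_equals() are available, a single form named "contact", and a 30-minute token lifetime; those choices are assumptions, not anything the thread specifies. It swaps uniqid()/rand() for the CSPRNG, because uniqid() is time-based and rand() is not cryptographically random.

```php
<?php
// Added example: per-form anti-forgery token stored in the PHP session.
// Assumes PHP >= 7 (random_bytes, hash_equals) and a working session store.
declare(strict_types=1);

session_start();

// Issue a fresh token for a named form and remember it server-side.
function issueFormToken(string $formName): string
{
    // 32 random bytes from the CSPRNG, hex-encoded; not uniqid() or rand().
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$formName] = [
        'value'   => $token,
        'expires' => time() + 1800, // 30-minute lifetime (assumed value)
    ];
    return $token;
}

// Compare a submitted token with the stored one and consume it (single use).
function consumeFormToken(string $formName, ?string $submitted): bool
{
    $stored = $_SESSION['form_tokens'][$formName] ?? null;
    unset($_SESSION['form_tokens'][$formName]); // one shot: gone whether it matched or not
    if ($stored === null || $submitted === null) {
        return false;
    }
    if ($stored['expires'] < time()) {
        return false;
    }
    // Constant-time comparison so the check itself leaks nothing about the token.
    return hash_equals($stored['value'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeFormToken('contact', $_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or invalid.');
    }
    // Token matched: validate every field as before, then write to the database.
    echo 'Accepted: ' . htmlspecialchars($_POST['message'] ?? '', ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with a freshly issued token in a hidden field.
$token = issueFormToken('contact');
?>
<form method="post" action="">
    <input type="hidden" name="form_token"
           value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
    <textarea name="message"></textarea>
    <button type="submit">Send</button>
</form>
```

What this does and does not stop: a POST that arrives without first loading the form in the same session has no valid token and is rejected, which covers the cross-site case (another site making a visitor's browser submit to yours) and naive replay scripts. A bot that fetches the form with cookies enabled, reads the hidden field and posts it back within the lifetime still gets through, so the token is a complement to per-field validation, rate limiting or authentication, not a replacement for them.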