Stopping other scripts/sites POSTing data to mine

Hi everyone
Obviously there's no way to stop other scripts and sites actually sending data to my scripts, unless I firewall them out or something... not ideal for a public website.
But is there a way for PHP to detect this and ignore the input if it's not from my form/script?
Using the Referer header is a basic solution, but this is easily faked and not to be trusted.
Any comments/suggestions?
Thanks, B
Re: Stopping other scripts/sites POSTing data to mine
Nothing that comes to your door can be trusted, but you could use PHP uniqid and sprinkle them on your forms, with some more added salt, and check for these values on your form, and you would have a decent means of at least keeping the simple forms from getting through.
Re: Stopping other scripts/sites POSTing data to mine
Ah ok, that could work.
I do check that every value is what I expect before it goes into a DB.
However, all it needs is for someone to know my form structure and which fields are required etc., and they can easily insert records.
Is that correct, or is there something more basic I'm missing here?
Cheers, B
Mark Baker
Re: Stopping other scripts/sites POSTing data to mine
batfastad wrote:
However all it needs is someone to know my form structure and which fields are required etc and someone can easily insert records.
Is that correct, or is there something more basic I'm missing here?

As php_east has suggested:
Create an additional field in your form, hidden or not, that holds a unique value (such as the result of sha1(uniqid(rand(), true))). When you create this field, store the value in session: when the data is posted, compare the value in the field with that held in session. If the two don't match, reject the form processing.
Not perfect, but requires a lot more effort to emulate.
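The session-token check that php_east and Mark Baker describe, written out as a complete PHP page. This is an added example, not code from either poster; the session key and hidden-field names are my own choices, and it makes two hardening changes of its own: the token comes from random_bytes() (PHP 7.0+) rather than sha1(uniqid(rand(), true)), because uniqid()/rand() are not cryptographically random, and the comparison uses hash_equals() so the check's timing does not leak the token.

```php
<?php
// Added example: one-time form token held in the session.
// Not the original posters' code. Implements the "hidden field + session
// comparison" check from the thread, using random_bytes() and hash_equals()
// (PHP >= 7.0) instead of sha1(uniqid(rand(), true)) as my own hardening.
declare(strict_types=1);

session_start();

const FORM_TOKEN_KEY   = 'form_token'; // session key (assumed name)
const FORM_TOKEN_FIELD = '_token';     // hidden field name (assumed name)

/** Create a fresh token, store it in the session and return it for the form. */
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    $_SESSION[FORM_TOKEN_KEY] = $token;
    return $token;
}

/**
 * Compare the submitted token with the one stored in the session.
 * The session copy is cleared whichever way the check goes, so every
 * issued token is accepted at most once (blocks simple replays).
 */
function verifyFormToken(array $post): bool
{
    $expected = $_SESSION[FORM_TOKEN_KEY] ?? null;
    unset($_SESSION[FORM_TOKEN_KEY]);

    $submitted = $post[FORM_TOKEN_FIELD] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyFormToken($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid; please reload the form and try again.');
    }
    // Token is good: the usual per-field validation still runs before any DB insert.
    $name = trim((string)($_POST['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        http_response_code(400);
        exit('Invalid name.');
    }
    echo 'Accepted: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with the token embedded as a hidden field.
$token = issueFormToken();
?>
<form method="post" action="">
  <input type="hidden" name="<?= FORM_TOKEN_FIELD ?>"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <label>Name <input type="text" name="name" maxlength="100"></label>
  <button type="submit">Send</button>
</form>
```

What this buys you matches the "not perfect" caveat above: a blind POST from another script or site fails because it carries no token tied to a session, and a page on another origin cannot read your form to copy the token out, so cross-site form submissions are blocked as well. A script that first requests the form, keeps the session cookie, and then POSTs with the token it was given will still pass; the check raises the effort, it does not make the endpoint private.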