Stopping other scripts/sites POSTing data to mine
Posted: Thu Mar 19, 2009 6:03 am
by batfastad
Hi everyone
Obviously there's no way to stop other scripts and sites actually sending data to my scripts, unless I firewall them out or something... not ideal for a public website.
But is there a way for PHP to detect this and ignore the input if it's not from my form/script?
Using the referer header is a basic solution, but this is easily faked and not to be trusted.
Any comments/suggestions?
Thanks, B
Re: Stopping other scripts/sites POSTing data to mine
Posted: Thu Mar 19, 2009 6:11 am
by php_east
nothing that comes to your door can be trusted, but you could use PHP uniqid and sprinkle them on your forms, with some more added salt, and check for these values on your form, and you would have a decent means of at least keeping the simple forms from getting through.
Re: Stopping other scripts/sites POSTing data to mine
Posted: Fri Mar 27, 2009 6:05 am
by batfastad
Ah ok, that could work.
I do check that every value is what I expect before it goes into a DB
However all it needs is someone to know my form structure and which fields are required etc. and someone can easily insert records.
Is that correct, or is there something more basic I'm missing here?
Cheers, B
Re: Stopping other scripts/sites POSTing data to mine
Posted: Fri Mar 27, 2009 6:12 am
by Mark Baker
batfastad wrote: However all it needs is someone to know my form structure and which fields are required etc. and someone can easily insert records.
Is that correct, or is there something more basic I'm missing here?
As php_east has suggested:
Create an additional field in your form, hidden or not, that holds a unique value (such as the result of sha1(uniqid(rand(), true))). When you create this field, store the value in session: when the data is posted, compare the value in the field with that held in session. If the two don't match, reject the form processing.
Not perfect, but requires a lot more effort to emulate.
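The session-token check Mark Baker outlines, written out in PHP as an added example (not code posted in the thread). It assumes PHP sessions are enabled, and it generates the token with random_bytes() rather than the sha1(uniqid(rand(), true)) suggested above; the field name form_token is an arbitrary choice.

```php
<?php
// Added example, not from the thread: a one-time form token kept in the session.
// Token generation uses random_bytes() in place of sha1(uniqid(rand(), true));
// the rest follows the outline in the thread (issue, store, compare, reject).
declare(strict_types=1);

session_start();

// Issue a fresh token and remember it server-side. Called when rendering the form.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Compare the posted token with the one in the session, then discard it so the
// same token cannot be replayed. Returns true only on an exact match.
function verify_form_token(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);             // one use only
    $submitted = $post['form_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);  // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid; submission rejected.');
    }
    // Token matched: validate every field as before, then write to the DB.
    exit('OK');
}

// GET: render the form with the token in a hidden field.
$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="form_token" value="{$token}">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
HTML;
```

As the thread notes, this is not perfect: a client that first fetches the form still receives a valid token, so the per-field validation batfastad already does remains necessary.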