Secure that FORM submitted from the expected page...

NTGr
Forum Newbie
Posts: 14
Joined: Fri Mar 30, 2007 11:28 am

Post by NTGr »

Hello.
I always wanted to ask this...
HOW CAN I BE SURE that the values are submitted from the proper FORM/PAGE???
What I mean:
Let's say that I want to use a form that submits info to the same page...

Code:

<form name="form1" method="post" action="same_page.php">
  <input type="text" name="textfield">
  <input type="submit" name="Submit" value="Submit">
</form>

How can I be sure that the values are submitted from same_page.php and NOT from another page???
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

You (almost) can't. And it shouldn't matter, because on the receiving page you should validate/filter ALL incoming data anyway.

There is a way to sort of check it, using secret tokens:

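Code:

<?php
session_start();

if (isset($_POST['message']))
{
    // Accept the post only if it carries the token stored in the session
    if (isset($_SESSION['token'], $_POST['token']) && $_POST['token'] === $_SESSION['token'])
    {
        // do stuff. Start with validating everything.

    }
}

// Issue a fresh token for the form rendered below
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

?>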

<form method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="text" name="message"><br />
<input type="submit">
</form>
From http://phpsec.org/projects/guide/2.html

But then you still have to validate everything, so in the end it's only an extra.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

Short answer: You can't.

Long answer: You can check that the HTTP_REFERER variable refers to the script that you're expecting the input to come from, but it's not very reliable. Browsers don't have to pass it, so someone can be a legitimate user and still have an empty referer. Also, if someone is especially determined they can fake the referer. It's barely worth the effort of checking it.

Another approach is to add a hidden variable to the form with a random value, and store the same value in the user's session when the form is sent to the user. If the input comes back without the right value you can ignore the form. That approach relies on using sessions though, if your site doesn't then it won't work.

Whatever the case, never trust the incoming data. Always validate it.

EDIT: Deja vu! :D
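
The hidden-token check that both replies above describe, as an added example that is not part of any post in this thread: it draws the token from random_bytes(), compares it with hash_equals(), rejects missing or non-string values, and retires the token after one accepted submission. The helper names csrf_issue() and csrf_check() and the error text are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: session-bound form token. Helper names are hypothetical.
session_start();

/** Return the session's form token, creating it from the CSPRNG if absent. */
function csrf_issue(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32)); // 256 bits, unpredictable
    }
    return $_SESSION['token'];
}

/** True only if the submitted token is a string equal to the session token. */
function csrf_check(array $post): bool
{
    $sent  = $post['token'] ?? null;
    $known = $_SESSION['token'] ?? null;
    if (!is_string($sent) || !is_string($known) || $known === '') {
        return false; // missing field, array-valued field, or no token issued
    }
    return hash_equals($known, $sent); // constant-time, no type juggling
}

$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        $error = 'Form expired or not submitted from this page.';
    } else {
        unset($_SESSION['token']); // single use: the next render gets a new token
        $message = is_string($_POST['message'] ?? null) ? trim($_POST['message']) : '';
        // Validate $message here exactly as if no token check existed.
    }
}
$token = csrf_issue();
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <input type="text" name="message"><br>
  <input type="submit" value="Submit">
</form>
<?php if ($error !== null): ?><p><?= htmlspecialchars($error) ?></p><?php endif; ?>
```

Because the token is kept until a submission is accepted, a form left open in a second tab still works, unlike a token that is regenerated on every page load.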
NTGr
Forum Newbie
Posts: 14
Joined: Fri Mar 30, 2007 11:28 am

Post by NTGr »

Thanks, both.
Of course ALL user input MUST BE VALIDATED...
But I asked this because I plan, each time this kind of EXTRA PROTECTION fails, to:
1st) Log out the USER (since in my case ONLY registered users can POST info)
2nd) Temp-ban the IP
3rd) E-mail the security ADMIN that something is going wrong
4th) Can you think of something more???

I'm planning this for MORE extra security... AND TO DELAY THE ATTACKER!!!

What do you think???
Theory?
Forum Contributor
Posts: 138
Joined: Wed Apr 11, 2007 10:43 am

Post by Theory? »

Now what about in PHP 6? They've added a GOTO and COMEFROM statement (which I know from Pascal... oh joy), but will that work cross-page? Does anyone know?