Secure that FORM submitted from the expected page...
Posted: Fri Apr 27, 2007 4:02 am
by NTGr
Hello.
I always wanted to ask this ....
HOW CAN I BE SURE that the values were submitted from the proper FORM/PAGE ???
What I mean:
Let's say that I want to use a form that submits info to the same page...
<form name="form1" method="post" action="same_page.php">
<input type="text" name="textfield">
<input type="submit" name="Submit" value="Submit">
</form>
How can I be sure that the values were submitted from same_page.php and NOT from another ???
Posted: Fri Apr 27, 2007 4:14 am
by matthijs
You (almost) can't. And it shouldn't matter, because on the receiving page you should validate/filter ALL incoming data anyway.
There is a way to sort of check it, using secret tokens:
<?php
session_start();
if (isset($_POST['message']))
{
    // Compare the submitted token with the one stored in the session.
    if (isset($_SESSION['token'], $_POST['token']) && $_POST['token'] == $_SESSION['token'])
    {
        // do stuff. Start with validating everything.
    }
}
// Issue a fresh token for the form rendered below.
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;
?>
<form method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="text" name="message"><br />
<input type="submit">
</form>
From
http://phpsec.org/projects/guide/2.html
But then you still have to validate everything, so in the end it's only an extra.
Posted: Fri Apr 27, 2007 4:18 am
by onion2k
Short answer: You can't.
Long answer: You can check that the HTTP_REFERER variable refers to the script that you're expecting the input to come from, but it's not very reliable. Browsers don't have to pass it, so someone can be a legitimate user and still have an empty referer. Also, if someone is especially determined they can fake the referer. It's barely worth the effort of checking it.
Another approach is to add a hidden variable to the form with a random value, and store the same value in the user's session when the form is sent to the user. If the input comes back without the right value you can ignore the form. That approach relies on using sessions though, if your site doesn't then it won't work.
Whatever the case, never trust the incoming data. Always validate it.
EDIT: Deja vu!

Posted: Fri Apr 27, 2007 5:34 am
by NTGr
Thanks both.
Of course ALL User Input MUST BE VALIDATED...
But I asked this because I plan, each time this kind of EXTRA PROTECTION fails,
to..
1st) Log OUT the USER (since in my case ONLY registered Users Can POST Info)
2nd) Temp-Ban the IP
3rd) E-mail the security ADMIN that something went wrong..
4th) Can you think of something more ???
I'm planning this for MORE extra security....AND TO DELAY THE ATTACKER !!!
What do you think???
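The session-token check from matthijs's post, combined with the failure handling NTGr describes, as an added example (not code from the thread or from phpsec.org); it assumes PHP 7 or later for random_bytes() and hash_equals(), and a hypothetical $_SESSION['user_id'] set at login.

```php
<?php
// Added example: per-session form token, constant-time comparison, single use.
session_start();

function issue_form_token(): string {
    // CSPRNG-backed token instead of md5(uniqid(rand(), true)).
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

function verify_form_token(array $post): bool {
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);            // single use: valid or not, it is gone
    $given = $post['token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false;                          // missing token, or token[]= sent as an array
    }
    return hash_equals($expected, $given);     // constant-time string comparison
}

function handle_token_failure(): void {
    // The poster's plan, steps 1 and 3 in spirit: record the event, end the session, stop.
    $uid = $_SESSION['user_id'] ?? '-';        // hypothetical, set at login
    error_log('form token mismatch ip=' . ($_SERVER['REMOTE_ADDR'] ?? '-') . ' uid=' . $uid);
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Request rejected.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST)) {
        handle_token_failure();
    }
    // Token matched; the message is still untrusted input and must be validated.
    $message = trim((string) ($_POST['message'] ?? ''));
    if ($message === '' || strlen($message) > 1000) {
        $error = 'Message must be between 1 and 1000 characters.';
    }
}
$token = issue_form_token();                   // fresh token for the form below
?>
<form method="post">
<input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
<input type="text" name="message">
<input type="submit" value="Submit">
</form>
```

A mismatch also happens for legitimate users whose session expired or who submitted a stale tab, so the log line is what lets you distinguish a noisy user from a pattern worth an admin e-mail; an automatic IP ban on a single mismatch will also hit users behind shared NAT.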
Posted: Fri Apr 27, 2007 8:58 am
by Theory?
Now what about PHP 6? They've added a GOTO and COMEFROM statement (which I know from Pascal...oh joy), but will that work cross-page? Does anyone know?