form action
How do I make sure a form's contents are only being processed from my domain?
For instance, I recently had a guy save my form's HTML to his computer, alter a select box, and input an option that wasn't in the option list. He submitted this altered form to my PHP script, and it processed it.
I'm guessing somewhere in $_SERVER I can check to make sure the form is only being submitted from my domain?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Re: form action
scrotaye wrote: I'm guessing somewhere in the $_SERVER I can check to make sure the form is only being submitted from my domain?
You could use $_SERVER['HTTP_REFERER'], but you can cloak that pretty easily. What would make more sense is to run a server-side check on whether the option sent is actually an allowed option.
Like so:
```php
// Allow-list check: accept only values the form actually offers.
$bla = $_POST['bla'] ?? null;
$allowed = array('1', '2', '3'); // POST values arrive as strings
// Third argument makes the comparison strict (no type juggling).
if (!in_array($bla, $allowed, true)) {
    die('Hax0r!!!1');
}
```
hmm, how would $_SERVER['HTTP_REFERER'] be fooled?
And i think i shall combine both security options to be safe.
- feyd
- Neighborhood Spidermoddy
Checking the sent information against what generated the form on the submitting page... that's the only real way to make sure. Referrer isn't reliable in any direction. Remember: verify, validate, and sanitize anything that comes from any external source. If you are truly paranoid, you even do that for internal sources.
Well, I am going to check to make sure it's coming from my domain first of all...
That should thwart some people, since apparently faking the HTTP_REFERER is possible.
Then I can begin the process of checking all my select boxes to make sure the option they chose is in the select box.
Why can't everyone just be nice instead of being hax0ring bastards?
- n00b Saibot
- DevNet Resident
- Maugrim_The_Reaper
- DevNet Master
One method of dissuasion is to add a token to every form requested from your site, validate this against the user's session-stored token (both should be equal) or else discard the request entirely. Also the usual input filtering; if it's not expected, don't accept it. $_SERVER variables based on user-sourced data are never trustworthy. Being completely paranoid, I actually discard everything in $_SERVER unless required. Much of its contents need to be properly filtered before use either way; it's not trustworthy in any shape or form since much is (whether the majority of developers realise it or not) sourced in user data, and can be tainted as easily as the traditional POST, GET, COOKIE...
The token practice isn't foolproof (obviously) but it's another inconvenience to overcome. Even obscurity is worthwhile if it forces a hacker to edit their script for every single request... Filtering is the key here however.
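The two pieces of advice in this thread, the server-side allow-list check and the per-session form token, combined in one handler as an added example (not code posted in the thread); the field name colour, the option list and the session key form_token are assumptions:

```php
<?php
// Added example (not from the thread): a per-session form token plus a
// server-side allow-list check, i.e. both suggestions above combined.
// Assumed: the select box is named "colour" with the fixed options below.
session_start();
// The handler checks against the very list the form was generated from,
// so a saved-and-edited copy of the HTML cannot introduce a new option.
const ALLOWED_COLOURS = ['red', 'green', 'blue'];

function issueFormToken(): string
{
    // One random token per session; hex is safe to echo into an attribute.
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function validateSubmission(array $post, array $session, array $allowed): array
{
    $errors = [];
    $token = $post['form_token'] ?? '';
    // hash_equals() compares in constant time, so timing reveals nothing.
    if (!is_string($token) || empty($session['form_token'])
        || !hash_equals($session['form_token'], $token)) {
        $errors[] = 'missing or invalid form token';
    }
    $choice = $post['colour'] ?? null;
    // Strict in_array(): "1abc" must not be accepted as 1 via type juggling.
    if (!is_string($choice) || !in_array($choice, $allowed, true)) {
        $errors[] = 'option not in the select box';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validateSubmission($_POST, $_SESSION, ALLOWED_COLOURS);
    if ($errors) {
        http_response_code(400);
        exit(implode("\n", $errors));
    }
    exit('accepted: ' . htmlspecialchars($_POST['colour'], ENT_QUOTES, 'UTF-8'));
}
// GET: render the form with the token; option values are constants, not user data.
$token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post"><input type="hidden" name="form_token" value="' . $token . '">'
   . '<select name="colour">'
   . implode('', array_map(fn($c) => "<option value=\"$c\">$c</option>", ALLOWED_COLOURS))
   . '</select><button type="submit">Send</button></form>';
```

A saved copy of the form with an extra option fails the in_array() check, and a copy submitted without the session's token is rejected before the option is even looked at.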