htaccess and direct access
Hi,
I have a form on my website that users use to send their advertisement. The form's action is: action="./entry/send.php"
The problem is that everyone from everywhere can post adverts to the send.php script.
I want to restrict direct access to send.php so that data is only sent when it comes from my domain name.
How can I do that? Thanks
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Create something like sha1(uniqid()) in a session variable. Store that in your form too, inside a hidden field. When you get a submission, verify that the session variable matches (exactly) the hidden field in the submission.

Moved to security.
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Add a hidden form field called "sent_by" and set its value to your script name...
Then check to make sure it is the value you expect on the submit page. This is not foolproof and could still be spoofed. Another thing you can do is use session vars. From the PHP page that generates the form set a session var called "auth_sender" and set it equal to something only you know. On the result page look for that session var and value. That is something that cannot be sent from someone other than the developer of the send/result script.
Code:
<input type="hidden" name="sent_by" value="<?php echo htmlspecialchars("http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'], ENT_QUOTES); ?>" />

- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Everah wrote: This is not foolproof and could still be spoofed.

I did point that out in my response.

Everah wrote: Another thing you can do is use session vars. From the PHP page that generates the form set a session var called "auth_sender" and set it equal to something only you know. On the result page look for that session var and value. That is something that cannot be sent from someone other than the developer of the send/result script.

This is a better alternative because the random session var can be set to any value you want. A hacker would have to find a way to figure out the value you set in the session var AND be able to spoof a session var.
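The two checks discussed in this thread, feyd's session-bound token in a hidden field and Everah's "sent_by" hidden field plus session var, written out as one worked example. This is added code, not anything posted by feyd, Everah or the original poster; the file names form.php and entry/send.php, the field names form_token and advert, and the use of random_bytes() in place of sha1(uniqid()) are assumptions made for the example.

```php
<?php
// Added example (not code from the thread). Assumed layout: form.php renders
// the form, entry/send.php receives the POST. Both parts share one session.
declare(strict_types=1);
session_start();

// ---- form.php ---------------------------------------------------------

// feyd's idea: put an unpredictable value in the session and in a hidden field.
// sha1(uniqid()) would do; random_bytes() is the modern equivalent (assumed).
function issueFormToken(): string
{
    $token = bin2hex(random_bytes(20));
    $_SESSION['form_token'] = $token;
    return $token;
}

function renderForm(): string
{
    $token  = issueFormToken();
    // Everah's "sent_by" field: the URL of the script that generated the form.
    $sentBy = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="./entry/send.php">'
        . '<input type="hidden" name="form_token" value="' . $h($token) . '" />'
        . '<input type="hidden" name="sent_by" value="' . $h($sentBy) . '" />'
        . '<textarea name="advert"></textarea>'
        . '<input type="submit" value="Send" />'
        . '</form>';
}

// ---- entry/send.php ---------------------------------------------------

function isTrustedSubmission(array $post, array $session): bool
{
    // Weak check: the sent_by value is visible in the page source, so anyone
    // can copy it into their own POST. It catches nothing but accidents.
    $expectedSentBy = 'http://' . $_SERVER['HTTP_HOST'] . '/form.php'; // assumed path
    if (($post['sent_by'] ?? '') !== $expectedSentBy) {
        return false;
    }

    // Strong check: the token lives only in this visitor's own session, so a
    // POST built somewhere else cannot know it. hash_equals() avoids a timing
    // side channel when comparing the two strings.
    $sessionToken = $session['form_token'] ?? '';
    $postedToken  = $post['form_token'] ?? '';
    if ($sessionToken === '' || !is_string($postedToken)) {
        return false;
    }
    return hash_equals($sessionToken, $postedToken);
}

function handleSend(): void
{
    if (!isTrustedSubmission($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Form submission rejected.');
    }
    // Single use: drop the token so a captured value cannot be replayed.
    unset($_SESSION['form_token']);
    // ... store $_POST['advert'] here ...
}
```

On form.php the page calls renderForm(); entry/send.php calls handleSend() before doing anything with the posted advert. The sent_by comparison is kept only to show why it is not enough on its own: it is a value the server printed into the page, so it proves nothing about who sent the POST. The session token does the real work, and because it is regenerated on every render and cleared after one successful submit, a single captured form cannot be reused.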
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
Everah wrote: Another thing you can do is use session vars. From the PHP page that generates the form set a session var called "auth_sender" and set it equal to something only you know. On the result page look for that session var and value. That is something that cannot be sent from someone other than the developer of the send/result script.

Ah yeah, I didn't bother to read that bit.