htaccess and direct access

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


erinther
Forum Newbie
Posts: 19
Joined: Sun Dec 11, 2005 2:07 pm

htaccess and direct access

Post by erinther »

Hi,
I have a form on my website that users use to send their advertisements. The form's action is: action="./entry/send.php"
The problem is that everyone from everywhere can post adverts to the send.php script.
I want to restrict direct access to send.php so that data is only sent when it comes from my domain name.
How can I do that? Thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Check the referrer? (unreliable)

Adding a ~random, unique token to the form can help. Randomizing the field names used can help too. There's no absolute way... and it shouldn't really matter as long as you filter the data submitted.
erinther
Forum Newbie
Posts: 19
Joined: Sun Dec 11, 2005 2:07 pm

How?

Post by erinther »

How can I add a ~random, unique token? I'm a newbie to PHP, so I'll be grateful if you can help me.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Create something like

sha1(uniqid())
in a session variable. Store that in your form too inside a hidden field. When you get a submission, verify that the session variable matches (exactly) the hidden field in the submission.

Moved to security.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Check the referrer? (unreliable)
I wouldn't personally use the word unreliable. Tests using this are in fact insecure. The simple fact is that the referrer is a request header, so any client can modify it.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Add a hidden form field called "sent_by" and set its value to your script name...

<input type="hidden" name="sent_by" value="<?php /* PHP_SELF already contains the directory, and it can carry attacker-supplied path info, so it is escaped */ echo htmlspecialchars("http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'], ENT_QUOTES); ?>" />
Then check to make sure it is the value you expect on the submit page. This is not foolproof and could still be spoofed. Another thing you can do is use session vars. From the PHP page that generates the form, set a session var called "auth_sender" and set it equal to something only you know. On the result page, look for that session var and value. That is something that cannot be sent by someone other than the developer of the send/result script.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Well then, all a hacker has to do, Everah, is send the hidden value in the POST data as well. Not exactly hard.
This is why the ID has to be unique.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Everah wrote:This is not foolproof and could still be spoofed.
I did point that out in my response.
Everah wrote:Another thing you can do is use session vars. From the PHP page that generates the form set a session var called "auth_sender" and set it equal to something only you know. On the result page look for that session var and value. That is something that cannot be sent from someone other than the developer of the send/result script.
This is a better alternative because the random session var can be set to any value you want. A hacker would have to find a way to figure out the value you set in the session var AND be able to spoof a session var.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Another thing you can do is use session vars. From the PHP page that generates the form set a session var called "auth_sender" and set it equal to something only you know. On the result page look for that session var and value. That is something that cannot be sent from someone other than the developer of the send/result script.
Ah yeah, I didn't bother to read that bit :D. Yeah, that's a much better suggestion.
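The two checks discussed in this thread, as an added example that is not code from any of the posters: feyd's per-session token (a random value stored in the session and in a hidden field, compared exactly in send.php) next to RobertGonzalez's "sent_by" hidden field, so the difference between an unpredictable and a predictable value can be seen. The function and session key names, the example.com URL and the constructed POST bodies are assumptions; random_bytes() is substituted for the thread's sha1(uniqid()) and hash_equals() is used for the comparison.

```php
<?php
// Added example, not code from the thread: feyd's per-session token procedure
// (issue a random token, store it in the session and in a hidden field, accept a
// POST only if the two match exactly), next to the "sent_by" hidden-field check
// from RobertGonzalez's post. Session storage is passed in as an array so this
// runs from the CLI without session_start(); in a real form.php / send.php pair
// you would pass $_SESSION. All names below are assumed.
declare(strict_types=1);

const FORM_TOKEN_KEY = 'send_form_token';   // assumed session key

/**
 * Form page: create a fresh token, remember it in the session and return the
 * hidden-field markup to echo inside the <form>. random_bytes() is used rather
 * than the thread's sha1(uniqid()) because uniqid() is derived from the clock
 * and is therefore guessable; the token must be unpredictable and per session.
 */
function issue_form_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session[FORM_TOKEN_KEY] = $token;
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

/**
 * send.php: accept the submission only when the hidden field is exactly the
 * token stored in this visitor's session. The stored token is removed on every
 * attempt so a captured value cannot be replayed.
 */
function verify_form_token(array &$session, array $post): bool
{
    $expected  = $session[FORM_TOKEN_KEY] ?? null;
    $submitted = $post['form_token'] ?? null;
    unset($session[FORM_TOKEN_KEY]);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    // hash_equals() is a constant-time, strict string comparison; a loose "=="
    // would accept type-juggled values.
    return hash_equals($expected, $submitted);
}

/**
 * The "sent_by" check from the thread, for contrast: the expected value is the
 * script's own URL, which anyone can read from the page source and resend.
 */
function verify_sent_by(array $post, string $expectedUrl): bool
{
    return isset($post['sent_by']) && $post['sent_by'] === $expectedUrl;
}

// ---- demonstration with constructed sessions and POST bodies ----
function check(string $label, bool $actual, bool $expected): void
{
    printf("%-36s %s\n", $label, $actual === $expected ? 'as expected' : 'UNEXPECTED');
}

$session = [];
$hidden  = issue_form_token($session);
preg_match('/value="([0-9a-f]+)"/', $hidden, $m);
$token = $m[1];                       // what the browser would send back

// Genuine submission: same session, hidden field returned unchanged.
check('real submission accepted', verify_form_token($session, ['form_token' => $token]), true);

// The same token again: it was consumed by the first attempt.
check('replay rejected', verify_form_token($session, ['form_token' => $token]), false);

// A script POSTing to send.php directly with no session cookie.
$noSession = [];
check('no session rejected', verify_form_token($noSession, ['form_token' => $token]), false);

// A token lifted from another visitor's copy of the form.
$other = [];
issue_form_token($other);
check("other visitor's token rejected", verify_form_token($other, ['form_token' => $token]), false);

// Hidden field missing entirely.
$fresh = [];
issue_form_token($fresh);
check('missing field rejected', verify_form_token($fresh, []), false);

// sent_by: the expected value never changes, so a forged POST passes as easily.
$url = 'http://example.com/entry/send.php';   // constructed
check('sent_by accepts forged POST', verify_sent_by(['sent_by' => $url, 'advert' => 'spam'], $url), true);
```

Run it with `php token_demo.php`. The token check ties each POST to a session in which the form page was actually rendered, which stops blind direct POSTs and forged cross-site submissions. As feyd said, it is not absolute: a script that first fetches the form with the same cookie jar receives a valid token too, and the same holds for a fixed session value set by the form page, so send.php must still validate the submitted data on its own. Note that the comparison is always against the session, never against a second hidden field, since everything in the form body is under the client's control.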