Page 1 of 1

htaccess and direct access

Posted: Thu Apr 06, 2006 2:45 am
by erinther
Hi,
I have a form in my website user uses to send their advertisement.The form's action is : action="./entry/send.php"
The problem is that everyone from every where can post advert. to send.php script.
I want to restrict direct access to send.php so that only when data comes from my domain name, will be sent.
How can I do that?Thanks

Posted: Thu Apr 06, 2006 9:11 am
by feyd
Check the referrer? (unreliable)

Adding a ~random, unique token to the form can help. Randomizing the field names used can help too. There's no absolute way.. and it shouldn't really matter as long as you filter the data submitted.

How?

Posted: Thu Apr 06, 2006 10:08 am
by erinther
How I can add a ~random, unique ? I'm newbie to php so I'll be grteful if you can help me.

Posted: Thu Apr 06, 2006 10:12 am
by feyd
Create something like

Code: Select all

sha1(uniqid())
in a session variable. Store that in your form too inside a hidden field. When you get a submission, verify that the session variable matches (exactly) the hidden field in the submission.

Moved to security.

Posted: Thu Apr 06, 2006 6:44 pm
by Ollie Saunders
Check the referrer? (unreliable)
I wouldn't personally use the word unreliable. Tests using this are in fact insecure. Simple fact is that referrer is a request header so any client any modify it.

Posted: Thu Apr 06, 2006 7:15 pm
by RobertGonzalez
Add a hidden form field called "sent_by" and set its value to your script name...

Code: Select all

<input type="hidden" name="sent_by" value="<?php echo "http://" . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']) . $_SERVER['PHP_SELF']; ?>" />
Then check to make sure it is the value you expect on the submit page. This is not foolproof and could still be spoofed. Another thing you can do is use session vars. From the PHP page that generates the form set a session var called "auth_sender" and set it equal to something only you know. On the result page look for that session var and value. That is something that cannot be sent from someone other than the developer of the send/result script.

Posted: Thu Apr 06, 2006 7:21 pm
by Ollie Saunders
Well then all a hacker has to do, Everah, is to send the hidden value in the post data as well. Not exactly hard.
This is why the id has to be unique.

Posted: Thu Apr 06, 2006 11:23 pm
by RobertGonzalez
Everah wrote:This is not foolproof and could still be spoofed.
I did point that out in my response.
Everah wrote:Another thing you can do is use session vars. From the PHP page that generates the form set a session var called "auth_sender" and set it equal to something only you know. On the result page look for that session var and value. That is something that cannot be sent from someone other than the developer of the send/result script.
This is a better alternative because the random session var can be set to any value you want. A hacker would have to find a way to figure out the value you set in the session var AND be able to spoof a session var.

Posted: Fri Apr 07, 2006 1:59 am
by Ollie Saunders
Another thing you can do is use session vars. From the PHP page that generates the form set a session var called "auth_sender" and set it equal to something only you know. On the result page look for that session var and value. That is something that cannot be sent from someone other than the developer of the send/result script.
ah yeah i didn't bother to read that bit :D. yeah that's a much better suggestion