The source of the POST

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


SGMH
Forum Newbie
Posts: 7
Joined: Sat Nov 04, 2006 9:23 pm

The source of the POST

Post by SGMH »

Hi,

I hope you are having a good day.


When we have PHP code that depends on information from POST, I know I can always check the variables and make sure that they are safe to apply in my SQL query. The thing is, how can I make sure that this information is from the source that I want and not from any other place? :?:
I mean that the variables are sent from the page that I want, not from any other page, because from what I know anyone can design a page that does the POST to my PHP (if he knows the variables). :?

Thanks :)
Last edited by SGMH on Sat Nov 04, 2006 10:24 pm, edited 1 time in total.
SGMH
Forum Newbie
Posts: 7
Joined: Sat Nov 04, 2006 9:23 pm

Post by SGMH »

feyd | Please use [code], [/code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


It would be great if you could have a look at my code too.

Code:

<?php

// Array keys are quoted strings: $_POST[ccname] relies on an undefined
// constant (a notice in PHP 5, a fatal error in PHP 8). isset() keeps a
// missing field from raising a notice before the check fails.

//--------------------------------------  Check that ccname is a number of at most 32 characters
// Checking only substr($_POST['ccname'], 0, 32) and then storing the whole
// value would let anything after the 32nd character through unchecked, so
// the whole value is validated and its length is bounded.
if ( isset($_POST['ccname']) && is_numeric($_POST['ccname']) && strlen($_POST['ccname']) <= 32 )
   {
   	$ccname = $_POST['ccname'];
   } else {
	die('');
   }
//-------------------------------------- check if this variable is a number
if ( isset($_POST['ddnumber']) && is_numeric($_POST['ddnumber']) )
   {
   	$ddnumber = $_POST['ddnumber'];
   } else {
	die('');
   }
//-------------------------------------- check if this variable is a number
if ( isset($_POST['fsize']) && is_numeric($_POST['fsize']) )
   {
   	$fsize = $_POST['fsize'];
   } else {
	die('');
   }
//-------------------------------------- Taken from the server, not from the request body
$ipouploader = $_SERVER['REMOTE_ADDR'];
//--------------------------------------

// The mysql_* extension was removed in PHP 7; on current PHP use mysqli or
// PDO with prepared statements instead of escaping values into the query.
$con = mysql_connect("localhost","*****","*****");
if (!$con)
  {
  //die('Could not connect: ' . mysql_error());
  die('');
  }

$nowdate = date("Y/m/d");

mysql_select_db("*****", $con);

// Escape every value that is interpolated into the query, including the
// ones already checked, so a loosened check cannot become SQL injection.
$ccname      = mysql_real_escape_string($ccname, $con);
$ddnumber    = mysql_real_escape_string($ddnumber, $con);
$fsize       = mysql_real_escape_string($fsize, $con);
$ipouploader = mysql_real_escape_string($ipouploader, $con);

$sql="INSERT INTO Files (ccname, ddnumber, fsize, ipouploader, date)
VALUES
('$ccname','$ddnumber','$fsize','$ipouploader','$nowdate')";

if (!mysql_query($sql,$con))
  {
  //die('Error: ' . mysql_error());
  die('');
  }
echo "Done";

mysql_close($con);
?>

Last edited by SGMH on Sat Nov 04, 2006 10:46 pm, edited 1 time in total.
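An added example, not SGMH's code: the same insert written the way the nitpicks on this thread would be applied on a current PHP version, with PDO prepared statements and whole-value checks instead of a prefix check and string interpolation. It keeps the post's table and column names (Files, ccname, ddnumber, fsize, ipouploader, date) and assumes PHP 7 or later with the pdo_mysql driver; the host, database, user and password are placeholders, and the length limits on ddnumber and fsize are assumed, since the original bounded only ccname.

```php
<?php
// Added example, not the poster's code: the insert from the post above with
// PDO prepared statements and whole-value validation. Assumes PHP >= 7 with
// pdo_mysql; host, database, user and password are placeholders.
declare(strict_types=1);

// Return the field only if it is a string of decimal digits no longer than
// $maxLen; otherwise null. ctype_digit() rejects "1e5", " 5" and "-1", which
// is_numeric() accepts, and an array value (ccname[]=1) is rejected as well.
function digits_field(array $src, string $key, int $maxLen): ?string
{
    $v = $src[$key] ?? null;
    if (!is_string($v) || $v === '' || strlen($v) > $maxLen || !ctype_digit($v)) {
        return null;
    }
    return $v;
}

$ccname   = digits_field($_POST, 'ccname', 32);   // 32 as in the original check
$ddnumber = digits_field($_POST, 'ddnumber', 20); // assumed limit
$fsize    = digits_field($_POST, 'fsize', 20);    // assumed limit

if ($ccname === null || $ddnumber === null || $fsize === null) {
    http_response_code(400);
    exit('');
}

// Set on the server; never taken from the request body.
$ipouploader = $_SERVER['REMOTE_ADDR'];
$nowdate     = date('Y/m/d');

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=*****;charset=utf8mb4',
        '*****',
        '*****',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );

    // Placeholders keep the data out of the SQL text, so nothing is escaped by
    // hand and a loosened validation check cannot turn into SQL injection.
    $stmt = $pdo->prepare(
        'INSERT INTO Files (ccname, ddnumber, fsize, ipouploader, date)
         VALUES (:ccname, :ddnumber, :fsize, :ip, :date)'
    );
    $stmt->execute([
        ':ccname'   => $ccname,
        ':ddnumber' => $ddnumber,
        ':fsize'    => $fsize,
        ':ip'       => $ipouploader,
        ':date'     => $nowdate,
    ]);
} catch (PDOException $e) {
    // Log the detail server-side and tell the client nothing, as the original
    // did by commenting out its mysql_error() output.
    error_log('Files insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('');
}

echo 'Done';
```

Note what the prepared statement does and does not buy: it removes the injection risk regardless of what the checks let through, but it does not replace them. A 500-digit "number" or a negative file size is still wrong data, which is why the digit and length checks stay in front of it.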
SGMH
Forum Newbie
Posts: 7
Joined: Sat Nov 04, 2006 9:23 pm

Post by SGMH »

Sorry about that, I was just fixing it, but you were one step ahead. :roll:

Thanks for your help.
Last edited by SGMH on Sat Nov 04, 2006 10:26 pm, edited 1 time in total.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: The source of the POST

Post by timvw »

SGMH wrote: the thing is how can i make sure that this information is from the source that i want not from any other place
You simply can't, as HTTP has no knowledge of a 'source page'...

(You could add a 'unique id' to each form... This way, when you process a request, you can verify whether the token is present. Unless the user has visited that specific page, he can't have the token. But this system would suffer the same vulnerabilities a session system has, so you might want to do some investigation first...)
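A worked version of the per-form token timvw describes, added here as an example and not part of the thread: the token is generated server-side when the form page is rendered, stored in the visitor's session, and checked once when the POST arrives. It assumes PHP 7.1 or later (random_bytes, hash_equals, nullable types) and a single script that both renders and handles the form; the form name 'upload' and the field names are chosen for the example.

```php
<?php
// Added example, not from the thread: a per-form token bound to the visitor's
// session, as timvw suggests. Assumes PHP >= 7.1 and that this one script both
// renders the form (GET) and processes it (POST). Names are illustrative.
declare(strict_types=1);

session_start();

// Issue a fresh token for the named form and remember it in the session.
// The browser sends it back in a hidden field; a page on another site can
// embed a form that posts here, but it cannot read this value.
function issue_form_token(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$form] = $token;
    return $token;
}

// Consume the token: valid once, for this form only, in this session only.
function check_form_token(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['form_tokens'][$form] ?? null;
    unset($_SESSION['form_tokens'][$form]);   // single use, even on failure
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = $_POST['token'] ?? null;
    if (!check_form_token('upload', is_string($submitted) ? $submitted : null)) {
        http_response_code(403);
        exit('Invalid or missing form token');
    }
    // The request carries a token this server issued to this session, so it
    // came through a page this server rendered. Validate the other fields
    // and process them here.
    echo 'Done';
    exit;
}

// GET: render the form with a fresh token embedded.
$token = issue_form_token('upload');
?>
<form method="post" action="">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="ccname">
  <input type="submit" value="Send">
</form>
```

What this proves is exactly what timvw says and no more: the POST was made by a client that had fetched the form from this server in this session. It inherits the session's weaknesses, so anyone who holds the session cookie, or can run script in the same origin, can obtain a token. A non-browser client, such as the VB6 program mentioned later in the thread, is not shut out either; it only has to request the form page first and send the session cookie back with its POST.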
SGMH
Forum Newbie
Posts: 7
Joined: Sat Nov 04, 2006 9:23 pm

Post by SGMH »

A small thing to add: the variables I have are being POSTed from a piece of software (VB6).

Thanks, timvw, for your help. I will look into sessions, and into how to do that while posting from the software.


What if I have an upload form? How can I protect it so people won't be able to design a page that could use my form to upload from their site? That just seems too fragile.


If anybody has a hint, I will be grateful.