Hacking Prevention on Forms!!!!!

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

It depends on how you're using it -- in your case, it sounds like the worst that would happen is denied access for browsers that don't send the header (very few). Just as long as it's not used to grant access by itself, because it's easily changed.
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

ianhull wrote: Thanks for that Aaron,

Didn't know it was unreliable, it has always been fine for me (strike of luck?) :)
By default most browsers send the referrer information, but the user can optionally disable it.
ianhull
Forum Contributor
Posts: 310
Joined: Tue Jun 14, 2005 10:04 am
Location: Hull England UK

Post by ianhull »

Thanks guys, didn't know that.

I am thinking of using an encrypted session key which will be generated every time the form loads.

Any thoughts, suggestions?

Thanks in advance
FireElement
Forum Commoner
Posts: 86
Joined: Wed Oct 17, 2007 6:03 pm

good way to stop people posting from outside your server

Post by FireElement »

This is nice little token code.

I found it at this site: http://shiflett.org/articles/cross-site ... -forgeries
Also there is a time-out one as well, although I am not making a login area so I will not need that.

Code:

session_start();

if (!isset($_SESSION['token'])) {
    // One token per session; md5(uniqid()) is not a CSPRNG, random_bytes() is preferable on PHP 7+
    $_SESSION['token'] = md5(uniqid(rand(), TRUE));
}

// Reject a missing token instead of raising an undefined-index notice, and compare in
// constant time with hash_equals() (PHP 5.6+) rather than loose ==
if (isset($_POST['token']) && hash_equals($_SESSION['token'], $_POST['token'])) {
    /* Valid Token */
}
If you use this then there is no real way the user can know your token code and post it.
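A fuller version of the pattern in FireElement's post, as an added example that is not code from the thread or from shiflett.org: one script that issues the token, embeds it in the form as a hidden field, and verifies it on submit with a constant-time comparison. It assumes PHP 7 or later (random_bytes, hash_equals) and that the form posts back to the same URL; the field names are made up for the example.

```php
<?php
// Added example (not from the thread): CSRF token issued, embedded and checked in one script.
// Assumes PHP 7+ for random_bytes() and hash_equals().
session_start();

// Issue one token per session from a CSPRNG. Regenerating it on every form load, as
// suggested in the thread, would break a user who has the form open in two tabs.
function csrfToken(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Verify the submitted token. Returns false when the field is missing or does not
// match; hash_equals() avoids leaking the correct value through timing differences.
function csrfTokenIsValid(array $post): bool
{
    if (!isset($post['token'], $_SESSION['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $post['token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Valid token: handle the submission here (output escaped to avoid reflected HTML).
    $comment = $_POST['comment'] ?? '';
    echo 'Received: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with the token as a hidden field, so only a page served to
// this session can produce a value that matches on submit.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
?>
<form method="post">
    <input type="hidden" name="token" value="<?= $token ?>">
    <textarea name="comment"></textarea>
    <button type="submit">Post</button>
</form>
```

Unlike the Referer check discussed earlier in the thread, the token is something a page on another origin cannot read, so it can be used to grant access rather than only to deny it.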
ianhull
Forum Contributor
Posts: 310
Joined: Tue Jun 14, 2005 10:04 am
Location: Hull England UK

Post by ianhull »

Thanks fire, that is excellent! :D
FireElement
Forum Commoner
Posts: 86
Joined: Wed Oct 17, 2007 6:03 pm

Post by FireElement »

ianhull wrote: Thanks fire, that is excellent! :D
No problem!