using $_POST variables to attack site.........

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
kryles
Forum Contributor
Posts: 114
Joined: Fri Feb 01, 2008 7:52 am

using $_POST variables to attack site.........

Post by kryles »

Hi, how do you protect from other sites sending post information to your site. For instance if I make a form that sends $_POST value to the textbox in google. Now using that theory but a more malicious way, how would I protect my site from other sites sending $POST to mine. Would I always check using the HTTP_REFERER first? Or is there some other way?

Sorry if it isn't clear :drunk:

Thanks,
User avatar
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Re: using $_POST variables to attack site.........

Post by Zoxive »

I would not recommend using "referrer", as that can be turned of.

However you could use something along the lines of, generating a random string/timestamp storing that in a session. Then when the post is submitted check if that exists, or matches the session string.

There are still ways around this however. Just some food for thought.
User avatar
Peter Anselmo
Forum Commoner
Posts: 58
Joined: Wed Feb 27, 2008 7:22 pm

Re: using $_POST variables to attack site.........

Post by Peter Anselmo »

Although this doesn't stop people from submitting data to your page, It seems appropriate to mention the practice of validating ALL of your input on the server side. Even though your form may only have integer values for a select list, validate it as an integer on the server anyway. This mitigates the damage a malicious user could do even if it doesn't stop them from posting.
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Re: using $_POST variables to attack site.........

Post by Ambush Commander »

What you are describing is called CSRF. The usual way to stop this is, with every form on your site, generate a unique, random token and save it in a user token/cookie. Then, make sure that the form submits that token. If it's an external website, they have no way of getting this token and you're safe.

BTW, this problem is more prevalent than you might imagine. A lot of people think POST is "safe", but it's really not: it's trivially easy to construct a form that auto-submits itself onto another website.
Post Reply