using $_POST variables to attack site.........

Posted: Fri Mar 07, 2008 3:38 pm
by kryles
Hi, how do you protect from other sites sending post information to your site? For instance, if I make a form that sends a $_POST value to the textbox in google. Now using that theory but in a more malicious way, how would I protect my site from other sites sending $_POST to mine? Would I always check using the HTTP_REFERER first? Or is there some other way?

Sorry if it isn't clear :drunk:

Thanks,

Re: using $_POST variables to attack site.........

Posted: Fri Mar 07, 2008 3:51 pm
by Zoxive
I would not recommend using "referrer", as that can be turned off.

However, you could use something along the lines of generating a random string/timestamp and storing that in a session. Then, when the post is submitted, check if that exists or matches the session string.

There are still ways around this however. Just some food for thought.

Re: using $_POST variables to attack site.........

Posted: Fri Mar 07, 2008 8:36 pm
by Peter Anselmo
Although this doesn't stop people from submitting data to your page, it seems appropriate to mention the practice of validating ALL of your input on the server side. Even though your form may only have integer values for a select list, validate it as an integer on the server anyway. This mitigates the damage a malicious user could do even if it doesn't stop them from posting.
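The server-side validation Peter Anselmo recommends, as an added example that is not code from this thread. It assumes a hypothetical select field named "category" whose only legitimate option values are 1 to 5; everything in $_POST is treated as untrusted text until it passes the check.

```php
<?php
// Added example (not from the thread): validate a <select> value on the server,
// ignoring whatever the HTML form claimed the allowed options were.
// Assumes a hypothetical field "category" with legitimate values 1..5.

declare(strict_types=1);

/**
 * Returns the validated integer, or null if the value is missing,
 * is not an integer, or lies outside the range the form offers.
 */
function validated_category(array $post): ?int
{
    // $_POST entries can also be arrays (category[]=1), so insist on a string.
    if (!isset($post['category']) || !is_string($post['category'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects non-integers such as "3abc" or "3.0";
    // the range option rejects integers the select list never contained.
    $value = filter_var($post['category'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5],
    ]);
    return $value === false ? null : $value;
}

// Constructed sample inputs, as a browser or a hand-built request might send them.
$samples = [
    ['category' => '3'],      // legitimate option
    ['category' => '999'],    // an integer, but never offered by the form
    ['category' => '3abc'],   // not an integer at all
    ['category' => ['1']],    // array instead of a scalar
    [],                       // field missing entirely
];

foreach ($samples as $p) {
    $result = validated_category($p);
    if ($result === null) {
        // Refuse the request rather than trying to "clean" the value and continue.
        echo "rejected\n";
    } else {
        echo "accepted category {$result}\n";
    }
}
```

Only the first sample is accepted; the other four are rejected before any database or business logic sees them. The point is that the range check encodes what the application allows, not what the HTML happened to contain, since the HTML is not under your control once the page leaves the server.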

Re: using $_POST variables to attack site.........

Posted: Fri Mar 07, 2008 11:14 pm
by Ambush Commander
What you are describing is called CSRF. The usual way to stop this is, with every form on your site, generate a unique, random token and save it in a user token/cookie. Then, make sure that the form submits that token. If it's an external website, they have no way of getting this token and you're safe.

BTW, this problem is more prevalent than you might imagine. A lot of people think POST is "safe", but it's really not: it's trivially easy to construct a form that auto-submits itself onto another website.
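The per-session token scheme that Zoxive and Ambush Commander both describe, as an added example that is not code from this thread. It assumes PHP 7 or later (for random_bytes and hash_equals), that session_start() runs before any output, and a hypothetical hidden form field named "csrf_token".

```php
<?php
// Added example (not from the thread): anti-CSRF token tied to the session.
// Assumes PHP 7+ and that sessions are already configured with a cookie.

declare(strict_types=1);

session_start();

/** Return this session's CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded so it embeds safely in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only if the submitted token matches the one stored in the session. */
function csrf_check(array $post): bool
{
    if (empty($_SESSION['csrf_token'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison, so a wrong guess fails without a timing leak.
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        // A form auto-submitted from another site arrives here: the browser sent
        // the session cookie, but the third-party page could not read the token.
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // ...validate the remaining $_POST fields and process the request here...
    echo 'OK';
    exit;
}

// GET: render the form with the token in a hidden field. Another origin cannot
// read this response, so it cannot learn the token to include in its own form.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="{$token}">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
HTML;
```

Two caveats that go with Zoxive's "there are still ways around this": regenerate the token (and the session id) when the user logs in, so a token obtained before login is worthless afterwards, and remember that the token only protects against requests forged from another origin; a script injection on your own site can read the page and the token with it, so output escaping and input validation remain necessary alongside the token.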