Differentiating between POST from an application or browser

[KaramChand]

Hello,

In our product, we use PHP for webservices that is inbuilt in the app.

Basically, the tool calls the PHP over which is hosted over internet and communicates using XML.

We send the data as raw post and in the PHP we get it as:

$xmlrcvd = file_get_contents(“php://input”);

Now if the user accesses the page from the browser then no POST is sent and strlen($xmlrcvd) would be 0 which is correct.

But file_get_contents(..) is only available from 4.3.0 and above. Calling the script below that version throws up a fatal error.

I would like to check the PHP version before the above statement but would like to show different message if the file is requested by the browser or from the application.

What is the best way to do this? Add a custom header message or check if there is a valid POST available or not.

[.josh]

[code]
<?php
   if (!$_POST) {
      //echo error msg
   } else {
      //run script
.
.
.
   }
?>
[/code]

[Fyorl]

the phpversion() function can be used to check the version of PHP running. You can read up on it [a href=\"http://php.net/phpversion\" target=\"_blank\"]here[/a]

[KaramChand]

[!--quoteo(post=381821:date=Jun 9 2006, 07:59 AM:name=Crayon Violent)--][div class=\'quotetop\']QUOTE(Crayon Violent @ Jun 9 2006, 07:59 AM) [snapback]381821[/snapback][/div][div class=\'quotemain\'][!--quotec--]
[code]
<?php
   if (!$_POST) {
      //echo error msg
   } else {
      //run script
.
.
.
   }
?>
[/code]
[/quote]

I think this should solve the issue. Will check it up tomorrow from office and let you know how it went.

[poirot]

Crayon, I think he wants the program to be able to tell the difference between a request coming from the browser and from his custom app.

Checking for POST is not reliable, and will leave you open to CSRF attacks. Like:

[code]<form action="http://www.yoursite.com" method="post">
<input name="amount_of_money_to_withdraw">
(...)[/code]

I hope you see that.

You can always change the app's USER_AGENT, add some custom headers, but this won't stop skilled users from forging these as well.

I would use tokens: a token is generated whenever you expect a request, then when the request comes check if the token is valid. This is the best way IMO if you are dealing with sensitive data.

[.josh]

yeh i know that. i guess i just assumed he would pass a token, along with whatever other information. he specifically asked how the script could tell if it was being accessed directly through a browser vs. their app. I gave the short and simple answer. Inside that condition he would make another condition checking for his token.

I understood the question to be like this:

How can the script tell if it was being sent post info (from his program), vs. someone simply typing in www.blah.php in their browser.

[KaramChand]

Hmmm.....

POST works for me as of now but I would like it to be more secure.

More info on the token part?

Sorry, but I am more of a C programmer then PHP :)

[.josh]

here is an interesting read about security and using ajax. the same principles apply. the whole thing is worth reading, but if you scroll down a bit to

[i][b]Sequence Numbering, kinda…[/b][/i] that's where it talks about token passing.

[a href=\"http://www.darknet.org.uk/2006/04/ajax-is-your-application-secure-enough/\" target=\"_blank\"]http://www.darknet.org.uk/2006/04/ajax-is-...-secure-enough/[/a]

[KaramChand]

Actuall $_POST dosnt work.

I am doing a WININET POST method from my C app but the PHP is always getting $_POST as NULL.

Is it because i am doing a raw post from my app and not through a variable which generally happens in a web app.

If you are comfortable with Wininet then I can post the WinInet Win32 code so that you help further.

-- Karam

[KaramChand]

OK.

I think adding a custom HEADER info to the HTTP post is more reliable.

I have added a header like:

HttpAddRequestHeaders( m_HttpOpenRequest, "CustomApplicationName: Appname\r\n", -1, HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE )

Now I can set the header info in PHP using header(...) method but how to get value of a customer header in PHP i.e. the other way around :)

[mainewoods]

Your code will send a custom header from the server to the browser. I don't if it is sent back with the next request from the browser. If it is, it should be seen with:

[code]print_r($_SERVER); //shows everything passed[/code]

--If it does appear, you can just retrieve it like this:

[code]$customheader = $_SERVER['customheadername'];[/code]

[poirot]

As I said, there is nothing that can avoid people from faking these headers as well. I'd use tokens...