Differentiating between POST from an application or browser


11 replies to this topic

#1 KaramChand

KaramChand
  • Members
  • Pip
  • Newbie
  • 6 posts

Posted 09 June 2006 - 12:51 PM

Hello,

In our product, we use PHP for web services that are built into the app.

Basically, the tool calls a PHP script that is hosted on the Internet and communicates with it using XML.

We send the data as raw post and in the PHP we get it as:

$xmlrcvd = file_get_contents("php://input");

Now if the user accesses the page from the browser, then no POST is sent and strlen($xmlrcvd) would be 0, which is correct.

But file_get_contents(..) is only available from 4.3.0 and above. Calling the script on a version below that throws a fatal error.

I would like to check the PHP version before the above statement, but would also like to show a different message depending on whether the file is requested by the browser or by the application.

What is the best way to do this? Add a custom header, or check whether a valid POST is available or not?


#2 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 09 June 2006 - 12:59 PM

<?php
   if (!$_POST) {
      //echo error msg
   } else {
      //run script
.
.
.
   }
?>

Did I help you? Feeling generous? Buy me lunch! 
Please, take the time and do some research and find out how much it would have cost you to get your help from a decent paid-for source. A "roll-of-the-dice" freelancer will charge you $5-$15/hr. A decent entry level freelancer will charge you around $15-30/hr. A professional will charge you anywhere from $50-$100/hr. An agency will charge anywhere from $100-$250/hr. Think about all this when soliciting for help here. Think about how much money you are making from the work you are asking for help on. No, we do not expect you to pay for the help given here, but donating a few bucks is a fraction of the cost of what you would have paid, shows your appreciation, helps motivate people to keep offering help without the pricetag, and helps make this a higher quality free-help community :)

#3 Fyorl

Fyorl
  • Members
  • PipPipPip
  • Advanced Member
  • 273 posts
  • LocationUK

Posted 09 June 2006 - 01:55 PM

The phpversion() function can be used to check the version of PHP running. You can read up on it here: http://php.net/phpversion



Don't worry, the printer fairies will sort it out.

#4 KaramChand

KaramChand
  • Members
  • Pip
  • Newbie
  • 6 posts

Posted 09 June 2006 - 03:00 PM

Quoting Crayon Violent (Jun 9 2006, 07:59 AM):

    <?php
       if (!$_POST) {
          //echo error msg
       } else {
          //run script
    .
    .
    .
       }
    ?>

I think this should solve the issue. Will check it up tomorrow from office and let you know how it went.

#5 poirot

poirot
  • Members
  • PipPipPip
  • Advanced Member
  • 646 posts
  • LocationAustin, TX

Posted 09 June 2006 - 04:30 PM

Crayon, I think he wants the program to be able to tell the difference between a request coming from the browser and from his custom app.

Checking for POST is not reliable, and will leave you open to CSRF attacks. Like:

<form action="http://www.yoursite.com" method="post">
<input name="amount_of_money_to_withdraw">
(...)

I hope you see that.

You can always change the app's User-Agent or add some custom headers, but this won't stop skilled users from forging these as well.

I would use tokens: a token is generated whenever you expect a request, then when the request comes check if the token is valid. This is the best way IMO if you are dealing with sensitive data.
~ D Kuang

#6 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 09 June 2006 - 04:39 PM

Yeah, I know that. I guess I just assumed he would pass a token along with whatever other information. He specifically asked how the script could tell if it was being accessed directly through a browser vs. their app. I gave the short and simple answer. Inside that condition he would make another condition checking for his token.

I understood the question to be like this:

How can the script tell if it is being sent POST info (from his program), vs. someone simply typing www.blah.php into their browser?

#7 KaramChand

KaramChand
  • Members
  • Pip
  • Newbie
  • 6 posts

Posted 10 June 2006 - 07:39 AM

Hmmm.....

POST works for me as of now but I would like it to be more secure.

More info on the token part?

Sorry, but I am more of a C programmer than a PHP one :)

#8 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 10 June 2006 - 07:59 AM

Here is an interesting read about security and using AJAX. The same principles apply. The whole thing is worth reading, but if you scroll down a bit to

"Sequence Numbering, kinda..." that's where it talks about token passing.

http://www.darknet.org.uk/2006/04/ajax-is-your-application-secure-enough/

#9 KaramChand

KaramChand
  • Members
  • Pip
  • Newbie
  • 6 posts

Posted 10 June 2006 - 08:14 AM

Actually, $_POST doesn't work.

I am doing a WinInet POST from my C app, but PHP always gets $_POST as NULL.

Is it because I am doing a raw post from my app and not through a variable, which is what generally happens in a web app?

If you are comfortable with WinInet then I can post the WinInet Win32 code so that you can help further.

-- Karam
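The reason $_POST comes back empty for the raw post, worked through as an added example (this is not code from the thread): PHP only fills $_POST for form-encoded or multipart bodies, so a raw XML body has to be read from php://input, or from $HTTP_RAW_POST_DATA on installs older than 4.3.0. The function names, the text/xml Content-Type assumed for the tool and the response messages are this example's own choices.

```php
<?php
// Added example, not from the thread: tell a raw-body POST from the tool apart
// from a browser visit or an HTML form post, without relying on $_POST.
//
// PHP only fills $_POST for Content-Type application/x-www-form-urlencoded or
// multipart/form-data. A raw XML body (assumed here to be sent as text/xml)
// leaves $_POST empty, so "if (!$_POST)" fires for the tool's requests too.

// Read the raw request body in a version-tolerant way.
function read_raw_body()
{
    if (version_compare(PHP_VERSION, '4.3.0', '>=')) {
        // php://input is available from 4.3.0 (and is empty for multipart/form-data).
        $body = file_get_contents('php://input');
        return $body === false ? '' : $body;
    }
    // Older installs: $HTTP_RAW_POST_DATA holds non-form bodies when
    // always_populate_raw_post_data is enabled in php.ini.
    return isset($GLOBALS['HTTP_RAW_POST_DATA']) ? $GLOBALS['HTTP_RAW_POST_DATA'] : '';
}

// Classify the request as 'browser', 'form' or 'app'. This is a routing decision,
// not authentication: any client can send any method, Content-Type or header.
function classify_request(array $server)
{
    $method = isset($server['REQUEST_METHOD']) ? $server['REQUEST_METHOD'] : 'GET';
    if ($method !== 'POST') {
        return 'browser';   // address bar, link, or a GET from anything else
    }
    $ctype = isset($server['CONTENT_TYPE']) ? strtolower($server['CONTENT_TYPE']) : '';
    if (strpos($ctype, 'application/x-www-form-urlencoded') === 0
        || strpos($ctype, 'multipart/form-data') === 0) {
        return 'form';      // an HTML form, including one on an attacker's page
    }
    return 'app';           // raw body: treat as the tool's XML, then authenticate it
}

switch (classify_request($_SERVER)) {
    case 'app':
        $xmlrcvd = read_raw_body();
        if (strlen($xmlrcvd) === 0) {
            header('HTTP/1.0 400 Bad Request');
            echo 'Empty request body';
            exit;
        }
        // Verify the request's token before trusting $xmlrcvd, then parse the XML.
        break;
    case 'form':
        header('HTTP/1.0 400 Bad Request');
        echo 'Form posts are not accepted by this endpoint.';
        exit;
    default:
        echo 'This URL is used by the application; there is nothing to view here.';
        exit;
}
```

The Content-Type check is what separates the tool's raw post from a browser form submission; it is deliberately not treated as proof that the request came from the tool, since a forged client can send the same header.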

#10 KaramChand

KaramChand
  • Members
  • Pip
  • Newbie
  • 6 posts

Posted 10 June 2006 - 08:37 AM

OK.

I think adding custom header info to the HTTP POST is more reliable.

I have added a header like:

HttpAddRequestHeaders( m_HttpOpenRequest, "CustomApplicationName: Appname\r\n", -1, HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE )

Now I can set header info in PHP using the header(...) method, but how do I get the value of a custom header in PHP, i.e. the other way around? :)

#11 mainewoods

mainewoods
  • Members
  • PipPipPip
  • Advanced Member
  • 685 posts
  • LocationMaine

Posted 10 June 2006 - 10:03 PM

Your code will send a custom header from the server to the browser. I don't know if it is sent back with the next request from the browser. If it is, it should be seen with:

print_r($_SERVER); //shows everything passed

If it does appear, you can retrieve it like this:

// request headers show up in $_SERVER as HTTP_ plus the upper-cased header name, with '-' replaced by '_'
$customheader = $_SERVER['HTTP_CUSTOMAPPLICATIONNAME'];


#12 poirot

poirot
  • Members
  • PipPipPip
  • Advanced Member
  • 646 posts
  • LocationAustin, TX

Posted 10 June 2006 - 10:07 PM

As I said, there is nothing that can avoid people from faking these headers as well. I'd use tokens...
~ D Kuang
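The token approach poirot recommends in posts #5 and #12, worked through as an added example (not code from the thread or from the original poster's product). Both the signing side, which is what the C tool would compute before issuing the WinInet request, and the verifying side are written in PHP so they run together offline. The X-App-* header names, the shared secret, the skew window and the sample XML body are constructed for this example.

```php
<?php
// Added example, not from the thread: a shared-secret request token so the
// server can distinguish the application's POST from anything a browser (or
// a forged client that copies the User-Agent and custom headers) can send.
// Header names, the secret and the timestamps are constructed for this example.

// Shared secret, provisioned into the tool and the server out of band.
// Assumption: in a real deployment it comes from configuration, not source.
const SHARED_SECRET    = 'replace-with-32-random-bytes-from-a-csprng';
const MAX_SKEW_SECONDS = 300;   // reject requests whose timestamp is older than this

// Client side (what the C tool would compute before the WinInet request):
// token = HMAC-SHA256(secret, timestamp "\n" nonce "\n" body).
// Binding the body means a captured token cannot be reused with a different payload.
function sign_request($body, $timestamp, $nonce, $secret = SHARED_SECRET)
{
    $mac = hash_hmac('sha256', $timestamp . "\n" . $nonce . "\n" . $body, $secret);
    return array(
        'X-App-Timestamp' => (string) $timestamp,
        'X-App-Nonce'     => $nonce,
        'X-App-Token'     => $mac,
    );
}

// Server side: check freshness, reject a reused nonce, then recompute the MAC and
// compare in constant time. $seen_nonces stands in for a store (DB or cache) that
// keeps nonces for at least MAX_SKEW_SECONDS. Returns 'ok' or a rejection reason.
function verify_request($body, array $headers, $now, array &$seen_nonces, $secret = SHARED_SECRET)
{
    foreach (array('X-App-Timestamp', 'X-App-Nonce', 'X-App-Token') as $h) {
        if (!isset($headers[$h]) || $headers[$h] === '') {
            return 'missing header ' . $h;
        }
    }
    $ts = $headers['X-App-Timestamp'];
    if (!ctype_digit($ts) || abs($now - (int) $ts) > MAX_SKEW_SECONDS) {
        return 'stale or malformed timestamp';
    }
    $nonce = $headers['X-App-Nonce'];
    if (isset($seen_nonces[$nonce])) {
        return 'replayed nonce';
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $nonce . "\n" . $body, $secret);
    if (!hash_equals($expected, $headers['X-App-Token'])) {
        return 'bad token';
    }
    $seen_nonces[$nonce] = (int) $ts;   // remember it only after the MAC checked out
    return 'ok';
}

// Inside the PHP script the request headers arrive via $_SERVER: a header
// "X-App-Token" is exposed as $_SERVER['HTTP_X_APP_TOKEN'].
function headers_from_server(array $server)
{
    $out = array();
    foreach (array('X-App-Timestamp', 'X-App-Nonce', 'X-App-Token') as $h) {
        $key = 'HTTP_' . strtoupper(str_replace('-', '_', $h));
        if (isset($server[$key])) {
            $out[$h] = $server[$key];
        }
    }
    return $out;
}

// Constructed walkthrough, no network involved: the "server" sees the headers
// the way $_SERVER would present them.
$body = '<request><action>withdraw</action><amount>10</amount></request>';
$now  = 1149854400;                       // constructed timestamp
$seen = array();
$sent = sign_request($body, $now, bin2hex(random_bytes(8)));
$server_vars = array();
foreach ($sent as $name => $value) {
    $server_vars['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
}
$hdrs = headers_from_server($server_vars);

$tampered = str_replace('<amount>10<', '<amount>1000<', $body);
echo verify_request($tampered, $hdrs, $now, $seen), "\n";   // body altered in transit
echo verify_request($body, $hdrs, $now, $seen), "\n";       // genuine request
echo verify_request($body, $hdrs, $now, $seen), "\n";       // same request sent again
echo verify_request($body, $hdrs, $now + 600, $seen), "\n"; // arrives outside the window
```

Each call returns a reason string: the altered body fails the MAC comparison, the genuine request passes, the repeated request fails the nonce check, and the late delivery fails the timestamp check. Unlike a fixed custom header, the token cannot be produced without the secret, and binding the body and a fresh nonce to it is what stops a captured request from being replayed or modified.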



