
Differentiating between POST from an application or browser


KaramChand


Hello,

In our product, we use PHP for web services that are built into the app.

Basically, the tool calls the PHP, which is hosted on the internet, and communicates using XML.

We send the data as a raw POST, and in the PHP we get it as:

[code]$xmlrcvd = file_get_contents("php://input");[/code]

Now if the user accesses the page from the browser then no POST is sent and strlen($xmlrcvd) would be 0 which is correct.

But file_get_contents(..) is only available from 4.3.0 and above. Calling the script below that version throws up a fatal error.

I would like to check the PHP version before the above statement but would like to show different message if the file is requested by the browser or from the application.

What is the best way to do this? Add a custom header message or check if there is a valid POST available or not.

[quote]QUOTE(Crayon Violent @ Jun 9 2006, 07:59 AM)
[code]
<?php
   if (!$_POST) {
      // echo error msg
   } else {
      // run script
      // ...
   }
?>
[/code]
[/quote]

I think this should solve the issue. Will check it tomorrow from the office and let you know how it went.

Crayon, I think he wants the program to be able to tell the difference between a request coming from the browser and from his custom app.

Checking for POST is not reliable, and will leave you open to CSRF attacks. Like:

[code]<form action="http://www.yoursite.com" method="post">
<input name="amount_of_money_to_withdraw">
(...)[/code]

I hope you see that.

You can always change the app's USER_AGENT, add some custom headers, but this won't stop skilled users from forging these as well.

I would use tokens: a token is generated whenever you expect a request, then when the request comes check if the token is valid. This is the best way IMO if you are dealing with sensitive data.
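The token scheme recommended in the reply above, written out as an added example (this is not code from the thread or from the poster's product). It assumes PHP 7+ for random_bytes() and the ?? operator, uses a plain array where the live script would use a session, and the helper and header names (issue_token, verify_token, X-Request-Token) are hypothetical:

```php
<?php
// Added example, not code from the thread: server-issued, single-use request tokens.
// Assumes PHP 7+ (random_bytes, ?? operator) and that the token store is a session
// array; all function and header names are hypothetical.

declare(strict_types=1);

const TOKEN_TTL = 300;   // seconds a token stays valid after it is issued

// Issue a token when you expect a request: when the app calls a token endpoint, or
// when you render a form. The token is remembered server-side with its expiry time.
function issue_token(array &$store, ?int $now = null): string
{
    $now   = $now ?? time();
    $token = bin2hex(random_bytes(32));     // 256 bits from the CSPRNG: unguessable
    $store[$token] = $now + TOKEN_TTL;
    return $token;
}

// Verify a submitted token: it must have been issued, must not have expired, and is
// deleted on success so a replayed or CSRF-forged copy fails the second time.
function verify_token(array &$store, ?string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach ($store as $token => $expires) {     // drop stale tokens first
        if ($expires < $now) {
            unset($store[$token]);
        }
    }
    if ($submitted === null || !preg_match('/\A[0-9a-f]{64}\z/', $submitted)) {
        return false;                            // malformed: never issued by us
    }
    if (!isset($store[$submitted])) {
        return false;                            // unknown, expired, or already used
    }
    unset($store[$submitted]);                   // single use
    return true;
}

// How the live endpoint would pick the token up: the app sends it in a request header
// (hypothetical name X-Request-Token, seen as HTTP_X_REQUEST_TOKEN), a browser form
// sends it in a hidden field.
function token_from_request(array $server, array $post): ?string
{
    return $server['HTTP_X_REQUEST_TOKEN'] ?? $post['token'] ?? null;
}

// Constructed walk-through with a plain array standing in for $_SESSION['tokens']
// (live script: session_start(); $_SESSION['tokens'] = $_SESSION['tokens'] ?? [];).
$session = [];
$t = issue_token($session);
var_dump(verify_token($session, $t));          // first use of a fresh token
var_dump(verify_token($session, $t));          // second use of the same token
var_dump(verify_token($session, 'deadbeef'));  // a token that was never issued
$old = issue_token($session, time() - 2 * TOKEN_TTL);
var_dump(verify_token($session, $old));        // issued long enough ago to have expired
```

In the walk-through only the first verify_token() call succeeds; the replay, the never-issued value and the expired token all fail. Because the token is stored server-side and consumed on use, a forged form on another site cannot supply a valid one, which is the CSRF gap that a bare $_POST check leaves open.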

Yeah, I know that. I guess I just assumed he would pass a token along with whatever other information. He specifically asked how the script could tell if it was being accessed directly through a browser vs. their app. I gave the short and simple answer. Inside that condition he would make another condition checking for his token.

I understood the question to be like this:

How can the script tell if it was being sent post info (from his program), vs. someone simply typing in www.blah.php in their browser.

Here is an interesting read about security and using AJAX. The same principles apply. The whole thing is worth reading, but if you scroll down a bit to

"Sequence Numbering, kinda…", that's where it talks about token passing.

http://www.darknet.org.uk/2006/04/ajax-is-your-application-secure-enough/

Actually, $_POST doesn't work.

I am doing a WinINet POST from my C app, but the PHP is always getting $_POST as NULL.

Is it because I am doing a raw POST from my app and not through a variable, which is what generally happens in a web app?

If you are comfortable with WinINet then I can post the WinINet Win32 code so that you can help further.

-- Karam

OK.

I think adding a custom HEADER info to the HTTP post is more reliable.

I have added a header like:

[code]HttpAddRequestHeaders( m_HttpOpenRequest, "CustomApplicationName: Appname\r\n", -1, HTTP_ADDREQ_FLAG_ADD | HTTP_ADDREQ_FLAG_REPLACE )[/code]

Now I can set the header info in PHP using the header(...) method, but how do I get the value of a custom header in PHP, i.e. the other way around? :)

Your code will send a custom header from the server to the browser. I don't know if it is sent back with the next request from the browser. If it is, it should be seen with:

[code]print_r($_SERVER); // shows everything passed[/code]

--If it does appear, you can just retrieve it like this:

[code]// PHP exposes request headers as $_SERVER['HTTP_<NAME>']: upper-cased, with '-' turned into '_'
$customheader = $_SERVER['HTTP_CUSTOMAPPLICATIONNAME'];[/code]
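Pulling the thread together, as an added example that is not code from the thread or from the poster's product: what the script can actually see when the C app posts raw XML versus when someone opens the URL in a browser (the original question and the later observation that $_POST stays empty), and how the CustomApplicationName header from the WinINet call shows up in $_SERVER. It assumes PHP 7+, so the 4.3.0 check for file_get_contents() from the question is not needed here; the helper names are hypothetical and the sample requests are constructed, not captured:

```php
<?php
// Added example, not code from the thread: distinguishing the app's raw XML POST from a
// browser hit, and reading a custom request header. Assumes PHP 7+; helper names are
// hypothetical and the sample requests below are constructed.

declare(strict_types=1);

const MAX_BODY = 1048576;   // refuse bodies larger than 1 MiB before parsing anything

// Read a request header by its wire name. The SAPI exposes request headers in $_SERVER
// as HTTP_<NAME>: upper-cased, with '-' turned into '_', so
// "CustomApplicationName: Appname" is $_SERVER['HTTP_CUSTOMAPPLICATIONNAME'].
function request_header(array $server, string $name): ?string
{
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    return isset($server[$key]) ? (string) $server[$key] : null;
}

// Classify a request from its $_SERVER entries and raw body. $_POST is only populated
// for application/x-www-form-urlencoded and multipart/form-data bodies, which is why
// it stays empty for the app's raw XML post; php://input is the right place to look.
function classify_request(array $server, string $raw_body): string
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'browser';             // typing the URL into a browser sends GET, no body
    }
    if ($raw_body === '') {
        return 'empty-post';          // POST with nothing in it: treat like a browser hit
    }
    if (strlen($raw_body) > MAX_BODY) {
        return 'too-large';
    }
    if (stripos($server['CONTENT_TYPE'] ?? '', 'xml') === false) {
        return 'not-xml';             // e.g. a CSRF form post (form-urlencoded) lands here
    }
    // The header only says which client *claims* to be talking; anyone can send it
    // (curl -H 'CustomApplicationName: Appname'), so use it for friendlier error
    // messages and logging, never as authentication. That is what a token is for.
    return request_header($server, 'CustomApplicationName') === 'Appname'
        ? 'app'
        : 'unknown-xml-client';
}

// Read the raw body once and keep it: before PHP 5.6 php://input could only be read
// once per request. In the live script: $kind = classify_request($_SERVER, read_raw_body());
function read_raw_body(): string
{
    $body = file_get_contents('php://input', false, null, 0, MAX_BODY + 1);
    return $body === false ? '' : $body;
}

// Constructed requests (not captured from a real server) covering the three cases
// discussed in the thread: browser hit, the app's raw XML POST, and a forged form POST.
$xml = '<request><op>ping</op></request>';
$browser_hit = ['REQUEST_METHOD' => 'GET'];
$app_post = [
    'REQUEST_METHOD'             => 'POST',
    'CONTENT_TYPE'               => 'text/xml',
    'CONTENT_LENGTH'             => (string) strlen($xml),
    'HTTP_CUSTOMAPPLICATIONNAME' => 'Appname',
];
$csrf_form = [
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => 'application/x-www-form-urlencoded',
];
echo classify_request($browser_hit, ''), "\n";
echo classify_request($app_post, $xml), "\n";
echo classify_request($csrf_form, 'amount_of_money_to_withdraw=1000'), "\n";
```

The three constructed requests classify as browser, app and not-xml respectively, which is enough to show the right message to a person who opens the URL by hand. None of these checks is an authentication decision: the method, content type and custom header are all under the sender's control, so the actual operation should still require a valid token.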
