Ensuring pages are submitted by my page not another location

8 replies to this topic

#1 Chips

Chips
  • Members
  • Advanced Member
  • 68 posts

Posted 10 July 2006 - 09:27 AM

Trying to stop someone making their own page submit to my server's page - i.e. if I have a validation.php, and I have a login.php or register.php that processes the form to validation.php (or maybe if it processes it to itself) - I wish to prevent someone from running a script that processes their form on their server from submitting to my validation.php page.

Essentially I have some select fields with values, obviously the input is only of what I devise, so I never did any error checking upon it at this time. Now, obviously, I should - but I also wish to check where the data is coming from, to prevent others from trying to submit to my page.

Does this make any sense?
I noted HTTP_REFERER from http://uk.php.net/reserved.variables BUT it does mention that this shouldn't be trusted explicitly. Anyone have any suggestions?

#2 play_

play_
  • Staff Alumni
  • Advanced Member
  • 717 posts

Posted 10 July 2006 - 09:44 AM

Well, you could assign a variable something and check it on validation.php.

so on register.php, you could do something like
$a = "this var must be set";

then on validation.php, you could check if $a exists, and if it does, does it hold the string "this var must be set".

and you could also do sessions.

or, do all 3 for maximum security.
regex.kat.sh --- regex library
u.kat.sh ---- url shortener
tabbit.org ---- tabbed pastebin

#3 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • Location: UK

Posted 10 July 2006 - 09:45 AM

Basically, the only way to make form data 100% reliable is to thoroughly check it. Although HTTP_REFERER could be used, it will cause problems as some firewalls prevent it from being sent and browsers can be configured so that it is not sent. It can also be faked.

#4 Chips

Chips
  • Members
  • Advanced Member
  • 68 posts

Posted 10 July 2006 - 09:55 AM

Well, you could assign a variable something and check it on validation.php.

so on register.php, you could do something like
$a = "this var must be set";

then on validation.php, you could check if $a exists, and if it does, does it hold the string "this var must be set".

and you could also do sessions.

or, do all 3 for maximum security.


Hehe, thanks - I did consider sessions, but I have another thing that checks the URL entered whenever a page is loaded for things like SELECT ' UNION LIKE etc... all of which don't exist in my site, so would indicate a possible/potential attack. Was hoping there may be some generic solution I could similarly apply to every page with just a lil bit of coding in the index.php (as everything "goes through" that anyway) that would do similar.

Robot's right though, HTTP_REFERER isn't reliable enough to be used, at which point I was kind of floundering :P I'll go with the sessions idea unless anyone else can chip in - so many thanks in advance.

#5 AV1611

AV1611
  • Members
  • Advanced Member
  • 997 posts

Posted 10 July 2006 - 09:56 AM

Create a session and a session variable that is = to the hash of a word, then verify the session and correct hash are used...
they have to know the word and the type of hash to come from a foreign script

#6 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • Location: UK

Posted 10 July 2006 - 09:57 AM

I could be wrong, but even with sessions this still could be exploited. For instance, say your person opens the page with the form on in one window. The session will be created. They then modify the source of the form in another, and link to your validation. The session will exist so the modified form will be checked.

#7 AV1611

AV1611
  • Members
  • Advanced Member
  • 997 posts

Posted 10 July 2006 - 11:11 AM

Well, I'm in over my head, but I always create my session at index.php then I create a variable for each page at the page it comes from... I'm not a hacker, and I don't know if they can inject, but I feel fairly safe...

I don't do stuff with money, though, mostly corp intranet stuff... and I live in West Virginia, where the average IQ is like 80 - which is how I got to be an IT Manager... I knew where the power button was, and, well, they were impressed by my working knowledge...  (I'm a Cali transplant)  :P

#8 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 10 July 2006 - 11:59 AM

You really can't check if form data really is sent from your page. It doesn't even matter, as you can change the page by sending JavaScript from the address bar, and you can tamper with the data that is being sent from your page. The user will always (unless they've got some spy-/adware or a virus) be in control of the data they send in the browser.

#9 redarrow

redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: London

Posted 10 July 2006 - 12:21 PM

Just add a random number that the user on your site has got to enter to get the information they want.

That way, if a user is using your form, they've got 1 in a billion to get it right.

good luck.
Wish I knew all about PHP, damn, I will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc
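Pulling the thread's advice together, here is an added example (not code from any post above): a random per-session token issued when register.php renders the form and checked once in validation.php with a constant-time compare (play_'s variable check, AV1611's session value and redarrow's random number, done with a CSPRNG rather than a hash of a known word), plus a server-side whitelist of the select-field values, because, as GingerRobot and Daniel0 point out, a token only proves the form came from this session, not that the user left it unmodified. The function names, the form fields "colour" and "size" and the allowed options are this example's own constructions; the session is passed in as an array so the script runs from the command line without a web server.

```php
<?php
// Added example, not from the original thread. Session is an array parameter
// so this runs standalone; in a real page use session_start() and $_SESSION.
declare(strict_types=1);

// register.php: store a fresh random token in the session and return it
// so it can be embedded in the form as a hidden field.
function issue_form_token(array &$session, string $form = 'register'): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $session['form_tokens'][$form] = $token;
    return $token;
}

// validation.php: accept the token only once, and only if it is
// byte-for-byte equal to the one this session issued.
function check_form_token(array &$session, array $post, string $form = 'register'): bool
{
    $expected = $session['form_tokens'][$form] ?? null;
    $given    = $post['form_token'] ?? null;
    unset($session['form_tokens'][$form]);        // single use: a replay fails
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);        // constant-time comparison
}

// The server-side copy of the options the form offered (constructed values).
// A valid token does not stop the same user editing the form, so every
// submitted value is still checked against this list.
const ALLOWED_CHOICES = [
    'colour' => ['red', 'green', 'blue'],
    'size'   => ['s', 'm', 'l'],
];

// Returns the value if it is one of the offered options, otherwise null.
function validate_choice(string $field, $value): ?string
{
    $allowed = ALLOWED_CHOICES[$field] ?? [];
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : null;
}

// Hidden field for the form; the token is escaped like any other output.
function html_hidden_token(string $token): string
{
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// --- demo: both pages simulated against one in-memory session -----------
$session = [];

// register.php renders the form with the token embedded
$token = issue_form_token($session);
echo html_hidden_token($token), PHP_EOL;

// 1. legitimate submission: correct token, offered values
$post = ['form_token' => $token, 'colour' => 'green', 'size' => 'm'];
var_dump(check_form_token($session, $post));               // bool(true)
var_dump(validate_choice('colour', $post['colour']));      // string(5) "green"

// 2. replaying the same token is refused, it was consumed above
var_dump(check_form_token($session, $post));               // bool(false)

// 3. a submission from a foreign form, which has no token, is refused
issue_form_token($session);
var_dump(check_form_token($session, ['colour' => 'red'])); // bool(false)

// 4. same user, valid token, but a select value the form never offered:
//    the token check passes, the whitelist check does not (post #6's case)
$token3   = issue_form_token($session);
$tampered = ['form_token' => $token3, 'colour' => 'purple', 'size' => 'm'];
var_dump(check_form_token($session, $tampered));           // bool(true)
var_dump(validate_choice('colour', $tampered['colour']));  // NULL
```

Issue one token per form and discard it on first use; tie it to the session rather than to a secret word, since anything derived from a fixed word and a known hash is guessable. Keep HTTP_REFERER out of the decision entirely, as the thread notes it is often stripped and trivially set by the client.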