Jump to content

Ensuring pages are submitted by my page not another location

Chips

By Chips
in PHP Coding Help

 Share

Recommended Posts

Chips Member

Chips

Posted
Posted
Trying to stop someone making their own page submit to my servers page - ie if I have a validation.php, and I have a login.php or register.php that processes the form to validation.php (or maybe if it processes it to itself) - i wish to prevent someone from running a script that processes [i]their[/i] form on [i]their[/i] server from submitting to [i]my[/i] validation.php page.

Essentially I have some select fields with values, obviously the input is only of what I devise, so I never did any error checking upon it at this time. Now, obviously, I should - but I also wish to check where the data is coming from, to prevent others from trying to submit to my page.

Does this make any sense?
I noted http_reffer from http://uk.php.net/reserved.variables BUT it does mention that this shouldn't be trusted explicitly. Anyone have any suggestions?
Link to comment
Share on other sites
play_ Advanced Member

play_

Posted
Posted
Well, you could assign a variable something and check it on validation.php.

so on register.php, you could do something like
$a = "this var must be set";

then on validation.php, you could check if $a exists, and if it does, does it hold the string "this var must be set".

and you could also do sessions.

or, do all 3 for maximum security.
Link to comment
Share on other sites
GingerRobot Regular Member

GingerRobot

Posted
Posted
Basically, the only way to make form data 100% reliable is to thoroughly check it. Although http_reffer could be used, it will cause problems as some firewalls prevent if from being sent and browsers can be configured so that it is not sent. It can also be faked.
Link to comment
Share on other sites
Chips Member

Chips

Posted
  • Author
Posted
[quote author=play_ link=topic=100027.msg394304#msg394304 date=1152524672]
Well, you could assign a variable something and check it on validation.php.

so on register.php, you could do something like
$a = "this var must be set";

then on validation.php, you could check if $a exists, and if it does, does it hold the string "this var must be set".

and you could also do sessions.

or, do all 3 for maximum security.
[/quote]

Hehe, thanks - I did consider sessions, but I have another thing that checks the URL entered whenever a page is loaded for things like SELECT ' UNION LIKE etc... all of which don't exist in my site, so would indicate a possible/potential attack. Was hoping there maybe some generic solution I could similarly apply to every page with just a lil bit of coding in the index.php (as everything "goes through" that anyway) that would do similiar.

Robots right though, http_reffer isn't reliable enough to be used, at which point I was kind of floundering :P I'll go with the sessions idea unless anyone else can chip in - so many thanks in advance.
Link to comment
Share on other sites
GingerRobot Regular Member

GingerRobot

Posted
Posted
I could be wrong, but even with sessions this still could be exploited. For instance, say your person opens the page with the form on in one window. The session will be created. They then modify the source of the form in another, and link to your validation. The session will exist so the modified form will be checked.
Link to comment
Share on other sites
AV1611 Advanced Member

AV1611

Posted
Posted
Well, i'm in over my head, but I always create my session at index.php then I create a variable for each page at the page it comes from... I'm not a hacker, but I don't know if they can inject, but I feel fairly safe...

I don't do stuff with money, though, mostly corp intranet stuff... and I live in West Virginia, where the average IQ is like 80 - which is how I got to be an IT Manager... I knew where the power button was, and, well, they were impressed by my working knowledge...  (I'm an Cali Transplant)  :P
Link to comment
Share on other sites
Daniel0 Advanced Member

Daniel0

Posted
Posted
You really can't check if form data really is sent from your page. It doesn't even matter as you can change the page by sending JavaScript from the address bar, and you can tamper the data that is being sent from your page. The user will always (unless they've got some spy-/adware or a virus) be in control of the data they send in the browser.
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.