Check where POST data came from?

[Prismatic]

On my forums i'm developing I dont want to allow anyone to send any POST data from any off-site sources. What would be the best method to thwart this?

If it helps to check against these, my config holds the following information

[code]
//Cookie Settings
$CookieDomain =".mysite.com";

//Board Header Information.
$SiteName = "MySite"; //Appears at the start of top links, IE. [Site Name] Board Name >> ...
$SiteURL = "http://www.mysite.com"; //Link for SiteName

$BoardName = "My Boards"; //Appears at the start of top links, IE. [Site Name] Board Name >> ...
$BoardURL = "http://www.MySite.com/Boards/"; //Link for BoardName
[/code]

[trq]

Best option would be to make sure your users are logged in (session) before they can post.

[Prismatic]

I do that anyway, I just want to make sure they arn't sending a modified post from their own server.


And when I say post, I mean $_POST[''], not post as in a message to the forums, as I might have implied in the origonal post. Modified origonal post to clarify.

[quimbo]

I thought your question to be intriguing so i checked it out under my own system.  The solution I came up with was to check the variable

$_SERVER["HTTP_REFERER"]

this holds the senders uri

hope this helps.

[GingerRobot]

http_referer cannot be trusted, it can be spoofed. Also, some firewalls prevent the data from being sent and browsers can be setup to not send it too.

[Prismatic]

Any other ideas?

[CheesierAngel]

if a user logs in, and presses the button to reply, you can generate a random encrypted code. Only their message-post with this encrypted code should be accepted. It not fully waterproof, but it will keep away a lot of these 'off-site' posted data.

[Prismatic]

Not sure what you mean by using the encrypted code, where/when do I check this code? and against what?

[ShogunWarrior]

When you generate the form, INSERT a row with a Unique MD5 Hash, their Member ID and the date. Put the MD5 Hash in a hidden field, aswell as the date.
Then, on the receiving page, check that the Hash is valid, that it matches the User_id that created it and that too much time has not elapsed.

[Prismatic]

Sounds good :) Thanks for the tip :)

[GingerRobot]

As was mentioned, this is still not a total solution; someone could easily look at the page's source and view the hidden field and its contents.

Do not rely on these things to work, make sure you fully validate the information from the form.

[Prismatic]

Oh of course, I always validate the info :)

What do you think a good time would be to allow?

[CheesierAngel]

Depends on how many fields the user has to fill and how many text he has to write. Best is to test it for yourself and see how long it takes .

[GingerRobot]

If this is scripts where people are going to be posting a topic/reply, you'll want to make sure that the time limit is quite long. Also, i would make sure you dont just give an error, make sure you return their orginal text incase someone was typing something long and loses it.

[ShogunWarrior]

It could be anything, it's just another restraint, not particularly neccessary.