Jump to content

Archived

This topic is now archived and is closed to further replies.

Prismatic

Check where POST data came from?

Recommended Posts

On my forums i'm developing I dont want to allow anyone to send any POST data from any off-site sources. What would be the best method to thwart this?

If it helps to check against these, my config holds the following information

[code]
//Cookie Settings
$CookieDomain =".mysite.com";

//Board Header Information.
$SiteName = "MySite"; //Appears at the start of top links, IE. [Site Name] Board Name >> ...
$SiteURL = "http://www.mysite.com"; //Link for SiteName

$BoardName = "My Boards"; //Appears at the start of top links, IE. [Site Name] Board Name >> ...
$BoardURL = "http://www.MySite.com/Boards/"; //Link for BoardName
[/code]

Share this post


Link to post
Share on other sites
Best option would be to make sure your users are logged in (session) before they can post.

Share this post


Link to post
Share on other sites
I do that anyway, I just want to make sure they arn't sending a modified post from their own server.


And when I say post, I mean $_POST[''], not post as in a message to the forums, as I might have implied in the origonal post. Modified origonal post to clarify.

Share this post


Link to post
Share on other sites
I thought your question to be intriguing so i checked it out under my own system.  The solution I came up with was to check the variable

$_SERVER["HTTP_REFERER"]

this holds the senders uri

hope this helps.

Share this post


Link to post
Share on other sites
http_referer cannot be trusted, it can be spoofed. Also, some firewalls prevent the data from being sent and browsers can be setup to not send it too.

Share this post


Link to post
Share on other sites
if a user logs in, and presses the button to reply, you can generate a random encrypted code. Only their message-post with this encrypted code should be accepted. It not fully waterproof, but it will keep away a lot of these 'off-site' posted data.

Share this post


Link to post
Share on other sites
Not sure what you mean by using the encrypted code, where/when do I check this code? and against what?

Share this post


Link to post
Share on other sites
When you generate the form, INSERT a row with a Unique MD5 Hash, their Member ID and the date. Put the MD5 Hash in a hidden field, aswell as the date.
Then, on the receiving page, check that the Hash is valid, that it matches the User_id that created it and that too much time has not elapsed.

Share this post


Link to post
Share on other sites
As was mentioned, this is still not a total solution; someone could easily look at the page's source and view the hidden field and its contents.

Do not rely on these things to work, make sure you fully validate the information from the form.

Share this post


Link to post
Share on other sites
Oh of course, I always validate the info :)

What do you think a good time would be to allow?

Share this post


Link to post
Share on other sites
Depends on how many fields the user has to fill and how many text he has to write. Best is to test it for yourself and see how long it takes .

Share this post


Link to post
Share on other sites
If this is scripts where people are going to be posting a topic/reply, you'll want to make sure that the time limit is quite long. Also, i would make sure you dont just give an error, make sure you return their orginal text incase someone was typing something long and loses it.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.