
Check where POST data came from?


14 replies to this topic

#1 Prismatic

Prismatic
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego

Posted 16 July 2006 - 04:44 AM

On the forums I'm developing I don't want to allow anyone to send any POST data from any off-site sources. What would be the best method to thwart this?

If it helps to check against these, my config holds the following information

<?php
//Cookie Settings
$CookieDomain = ".mysite.com";

//Board Header Information.
$SiteName = "MySite"; //Appears at the start of top links, e.g. [Site Name] Board Name >> ...
$SiteURL = "http://www.mysite.com"; //Link for SiteName

$BoardName = "My Boards"; //Appears at the start of top links, e.g. [Site Name] Board Name >> ...
$BoardURL = "http://www.MySite.com/Boards/"; //Link for BoardName


#2 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 16 July 2006 - 05:04 AM

Best option would be to make sure your users are logged in (session) before they can post.

#3 Prismatic

Prismatic
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego

Posted 16 July 2006 - 05:06 AM

I do that anyway, I just want to make sure they aren't sending a modified post from their own server.


And when I say post, I mean $_POST[''], not post as in a message to the forums, as I might have implied in the original post. Modified original post to clarify.

#4 quimbo

quimbo
  • New Members
  • Newbie
  • 2 posts

Posted 16 July 2006 - 05:41 AM

I thought your question to be intriguing so I checked it out under my own system. The solution I came up with was to check the variable

$_SERVER["HTTP_REFERER"]

This holds the sender's URI.

hope this helps.

#5 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • Location: UK

Posted 16 July 2006 - 10:01 AM

HTTP_REFERER cannot be trusted, it can be spoofed. Also, some firewalls prevent the data from being sent and browsers can be set up to not send it too.

#6 Prismatic

Prismatic
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego

Posted 17 July 2006 - 07:37 AM

Any other ideas?

#7 CheesierAngel

CheesierAngel
  • Members
  • Advanced Member
  • 105 posts
  • Location: Belgium

Posted 17 July 2006 - 07:58 AM

If a user logs in and presses the button to reply, you can generate a random encrypted code. Only their message post with this encrypted code should be accepted. It's not fully waterproof, but it will keep away a lot of this 'off-site' posted data.

#8 Prismatic

Prismatic
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego

Posted 17 July 2006 - 08:10 AM

Not sure what you mean by using the encrypted code. Where/when do I check this code? And against what?

#9 ShogunWarrior

ShogunWarrior
  • Members
  • Advanced Member
  • 528 posts
  • Location: Ireland

Posted 17 July 2006 - 09:37 AM

When you generate the form, INSERT a row with a unique MD5 hash, their member ID and the date. Put the MD5 hash in a hidden field, as well as the date.
Then, on the receiving page, check that the hash is valid, that it matches the user_id that created it and that too much time has not elapsed.
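The token scheme described above, written out as an added example (not code from this thread or from the poster's forum software). It assumes the tokens are kept in $_SESSION rather than a database row, that session_start() and the login check have already run, and that the hidden field is named form_token; the issue/expiry logic is otherwise the one ShogunWarrior describes.

```php
<?php
// Added example: per-form token bound to the logged-in member, with an expiry.
// Assumption (not from the thread): tokens live in $_SESSION instead of a DB table,
// and session_start() plus the login check have already happened.
declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds; generous, so a long reply is not lost

// Call when rendering the reply form. Returns the value for the hidden field.
function issue_form_token(int $memberId, ?int $now = null): string
{
    $now   = $now ?? time();
    $token = bin2hex(random_bytes(16)); // 128 bits from a CSPRNG, not md5() of guessable data
    $_SESSION['form_tokens'][$token] = ['member' => $memberId, 'issued' => $now];
    return $token;
}

// Emit the hidden field; the token is HTML-escaped like any other output.
function form_token_field(int $memberId): string
{
    $token = htmlspecialchars(issue_form_token($memberId), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_token" value="' . $token . '">';
}

// Call on the receiving page. Returns null if the token is good, otherwise a reason.
// On failure, re-display the form with the user's text instead of a bare error.
function check_form_token(?string $token, int $memberId, ?int $now = null): ?string
{
    $now = $now ?? time();
    if ($token === null || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return 'missing or malformed token';
    }
    $record = $_SESSION['form_tokens'][$token] ?? null;
    if ($record === null) {
        return 'unknown token';
    }
    unset($_SESSION['form_tokens'][$token]); // single use: a replayed token fails here
    if ($record['member'] !== $memberId) {
        return 'token was issued to a different member';
    }
    if ($now - $record['issued'] > TOKEN_TTL) {
        return 'token expired';
    }
    return null;
}

// In the POST handler, after the session/login check:
// $err = check_form_token($_POST['form_token'] ?? null, (int) $_SESSION['member_id']);
// if ($err !== null) { /* re-render the form with $_POST['message'] filled in */ }
```

Because the token is issued only to the logged-in session and checked against that same session, an off-site page cannot obtain a valid value for it, which is the point GingerRobot raises below: seeing your own hidden field is harmless, the token only has to be unguessable by another origin.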

#10 Prismatic

Prismatic
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego

Posted 17 July 2006 - 09:55 AM

Sounds good :) Thanks for the tip :)

#11 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • Location: UK

Posted 17 July 2006 - 09:58 AM

As was mentioned, this is still not a total solution; someone could easily look at the page's source and view the hidden field and its contents.

Do not rely on these things to work, make sure you fully validate the information from the form.

#12 Prismatic

Prismatic
  • Members
  • Advanced Member
  • 503 posts
  • Location: San Diego

Posted 17 July 2006 - 10:05 AM

Oh of course, I always validate the info :)

What do you think a good time would be to allow?

#13 CheesierAngel

CheesierAngel
  • Members
  • Advanced Member
  • 105 posts
  • Location: Belgium

Posted 17 July 2006 - 10:11 AM

Depends on how many fields the user has to fill in and how much text he has to write. Best is to test it for yourself and see how long it takes.

#14 GingerRobot

GingerRobot
  • Staff Alumni
  • Advanced Member
  • 4,086 posts
  • Location: UK

Posted 17 July 2006 - 10:18 AM

If these are scripts where people are going to be posting a topic/reply, you'll want to make sure that the time limit is quite long. Also, I would make sure you don't just give an error; make sure you return their original text in case someone was typing something long and loses it.

#15 ShogunWarrior

ShogunWarrior
  • Members
  • Advanced Member
  • 528 posts
  • Location: Ireland

Posted 17 July 2006 - 10:24 AM

It could be anything, it's just another restraint, not particularly necessary.