Jump to content

Prevent other people from making PHP pages that POST to your forms?


Recommended Posts

Let's say I have an HTML page with a form that submits data via POST. A user can click on "View source" and see the variables used.

 

What's to stop them from making their own page that POSTs to the same destination using the same variables? Any way to prevent this?

Yes there is, simply make a hidden field in your form called 'uniqueId'. Set the value of that field to:

 

MD5(USERS_IP . SALT_STRING)

Example MD5(12.34.34.123 . 'XD657349');

 

Insert that into the hidden field, and on each form submission check to ensure the uniqueId is valid. Since the uniqueId is unique to each I.P, the form cannot be submitted without that unique ID thus rendering POSTs from other places useless.

Thanks for the replies all!

 

That's a neat little trick, milesap, I'd never thought of that. Presumably I would need a static IP which is pretty much always the case with websites anyway.

 

How much of a concern should this be anyway?

To clarify, the IP address is the user requesting the form, not your hosting servers IP. Here's how it works:

 

1) User's navigates to your page and is presented with a legitimate form. This form contains the uniqueId found above.

 

2) When the user submits the form, the uniqueId is verified.

 

The reason this works is because if another website has a form linking (and posting) to your server, they now cannot do so since they lack the ability to generate valid unique ID's.

 

In general you don't need to worry about this, as long as the form data is valid there shouldn't be any concern. However there are times where it is useful. . . I've never needed to though!

 

Thanks for the replies all!

 

That's a neat little trick, milesap, I'd never thought of that. Presumably I would need a static IP which is pretty much always the case with websites anyway.

 

How much of a concern should this be anyway?

Let's say I have an HTML page with a form that submits data via POST. A user can click on "View source" and see the variables used.

 

What's to stop them from making their own page that POSTs to the same destination using the same variables? Any way to prevent this?

 

What's stopping them from just submitting the same data through your own form? Why would they need to make a different one if its going to the same place?

What's stopping them from just submitting the same data through your own form? Why would they need to make a different one if its going to the same place?

Spammers screen scrape forms and then use their own code to send junk to your processing scripts trying to break them or to cause them to send spam. They don't want to take the time to actually fill in a form.

 

Ken

You can't trust any input and milesap's supposed solution doesn't work either (what prevents them from reading out the source of your form reading the value of the token placing it into their form and submitting it?). Nor does litebearer's solution, how do you determine the source with only a token on the server?

 

VALIDATE ANY AND ALL INPUT and reject it even if it's just a bit off.

Curious as to why using session variable(s) [and OBVIOUSLY checking them] is not a valid method of determining the 'source' of data - YES validation and 'cleansing' should be done; but, isn't the use of sessions variable(s) one of the securer ways of determining where the data was submitted?

Curious as to why using session variable(s) [and OBVIOUSLY checking them] is not a valid method of determining the 'source' of data - YES validation and 'cleansing' should be done; but, isn't the use of sessions variable(s) one of the securer ways of determining where the data was submitted?

 

 

No. Sessions add state to HTTP not security.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.