php_guy, posted September 24, 2010:
Let's say I have an HTML page with a form that submits data via POST. A user can click on "View source" and see the variables used. What's to stop them from making their own page that POSTs to the same destination using the same variables? Any way to prevent this?
Thread: https://forums.phpfreaks.com/topic/214251-prevent-other-people-from-making-php-pages-that-post-to-your-forms/

BlueSkyIS, posted September 24, 2010:
I never worry about it. But if you are concerned, here is an article: http://advancedphptutorial.blogspot.com/2010/04/prevent-form-post-request-from-another.html

milesap, posted September 24, 2010:
Yes there is, simply make a hidden field in your form called 'uniqueId'. Set the value of that field to: md5(USERS_IP . SALT_STRING). Example: md5('12.34.34.123' . 'XD657349'). Insert that into the hidden field, and on each form submission check to ensure the uniqueId is valid. Since the uniqueId is unique to each IP, the form cannot be submitted without that unique ID, thus rendering POSTs from other places useless.

Namtip, posted September 24, 2010:
I just use form validation functions like preg_match or strlen to ensure that the data they enter is worthy anyway, even if they do set up their own forms.

php_guy (thread author), posted September 24, 2010:
Thanks for the replies all! That's a neat little trick, milesap, I'd never thought of that. Presumably I would need a static IP, which is pretty much always the case with websites anyway. How much of a concern should this be anyway?

litebearer, posted September 24, 2010:
Taking milesap's idea a step further, rather than a hidden field, make it a session variable.

milesap, posted September 24, 2010:
> Thanks for the replies all! That's a neat little trick, milesap, I'd never thought of that. Presumably I would need a static IP, which is pretty much always the case with websites anyway. How much of a concern should this be anyway?

To clarify, the IP address is the user requesting the form, not your hosting server's IP. Here's how it works:
1) The user navigates to your page and is presented with a legitimate form. This form contains the uniqueId found above.
2) When the user submits the form, the uniqueId is verified.
The reason this works is because if another website has a form linking (and posting) to your server, they now cannot do so, since they lack the ability to generate valid unique IDs. In general you don't need to worry about this; as long as the form data is valid there shouldn't be any concern. However, there are times where it is useful... I've never needed to though!

Rifts, posted September 24, 2010:
> Let's say I have an HTML page with a form that submits data via POST. A user can click on "View source" and see the variables used. What's to stop them from making their own page that POSTs to the same destination using the same variables? Any way to prevent this?

What's stopping them from just submitting the same data through your own form? Why would they need to make a different one if it's going to the same place?

kenrbnsn, posted September 25, 2010:
> What's stopping them from just submitting the same data through your own form? Why would they need to make a different one if it's going to the same place?

Spammers screen scrape forms and then use their own code to send junk to your processing scripts, trying to break them or to cause them to send spam. They don't want to take the time to actually fill in a form.
Ken

ignace, posted September 25, 2010:
You can't trust any input, and milesap's supposed solution doesn't work either (what prevents them from reading the source of your form, taking the value of the token, placing it into their form and submitting it?). Nor does litebearer's solution: how do you determine the source with only a token on the server? VALIDATE ANY AND ALL INPUT and reject it even if it's just a bit off.

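As an added example (not code from any poster in this thread) of the "validate any and all input, reject if it's a bit off" advice above and Namtip's preg_match/strlen approach, here is a whitelist validator for a hypothetical contact form. The field names, length limits and sample submissions are my own assumptions; the point is that the handler only accepts exactly the fields it expects, each in exactly the shape it expects, and rejects everything else.

```php
<?php
// Added example: whitelist validation of a contact-form POST.
// Field names and rules are assumptions for illustration, not the thread's code.

declare(strict_types=1);

/**
 * Validate a contact-form submission. Returns an array of error messages
 * keyed by field; an empty array means every field passed.
 */
function validate_contact_form(array $post): array
{
    $errors = [];

    // Only these fields are accepted; anything extra is a reason to reject,
    // because a faithful copy of our own form never sends unknown keys.
    $allowed = ['name', 'email', 'message'];
    foreach (array_keys($post) as $key) {
        if (!in_array($key, $allowed, true)) {
            $errors['_unexpected'][] = $key;
        }
    }

    // Every expected field must be present and be a plain string
    // (PHP turns "name[]=x" into an array; reject that outright).
    foreach ($allowed as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';
        }
    }
    if ($errors !== []) {
        return $errors;
    }

    // name: 1-80 printable characters, no control characters.
    if (!preg_match('/\A[^\p{C}]{1,80}\z/u', $post['name'])) {
        $errors['name'] = 'invalid';
    }

    // email: syntactically valid and short enough for our column; also refuse
    // CR/LF explicitly so the value can never add headers to an outgoing mail.
    $email = $post['email'];
    if (strlen($email) > 254
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email)) {
        $errors['email'] = 'invalid';
    }

    // message: bounded length and valid UTF-8.
    $msg = $post['message'];
    if (strlen($msg) < 1 || strlen($msg) > 2000 || !mb_check_encoding($msg, 'UTF-8')) {
        $errors['message'] = 'invalid';
    }

    return $errors;
}

// Constructed sample submissions (not real data) to exercise the rules.
$good = ['name' => 'Ada', 'email' => 'ada@example.com', 'message' => 'Hello'];
$bad  = [
    'name'    => "Ada\x00",
    'email'   => "a@example.com\r\nBcc: x@example.org",
    'message' => str_repeat('x', 5000),
    'extra'   => '1',
];

var_dump(validate_contact_form($good));
var_dump(validate_contact_form($bad));
```

The validator is deliberately all-or-nothing: a submission with one unexpected key or one field slightly out of range is rejected as a whole rather than "cleaned up", which is the behaviour ignace argues for. Whether the request came from your own page or from a copied form makes no difference to this check; it judges only the data.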
litebearer, posted September 25, 2010:
Curious as to why using session variable(s) [and OBVIOUSLY checking them] is not a valid method of determining the 'source' of data. YES, validation and 'cleansing' should be done; but isn't the use of session variable(s) one of the securer ways of determining where the data was submitted?

ignace, posted September 25, 2010:
> Curious as to why using session variable(s) [and OBVIOUSLY checking them] is not a valid method of determining the 'source' of data. YES, validation and 'cleansing' should be done; but isn't the use of session variable(s) one of the securer ways of determining where the data was submitted?

No. Sessions add state to HTTP, not security.

the182guy, posted September 25, 2010:
The IP method is unreliable due to some ISPs which change the user's IP, sometimes with each page request; for example, AOL has been known to do this.

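To make litebearer's session-variable suggestion concrete, here is an added example (my own code, not from any poster) of a per-session form token. It replaces milesap's md5(IP . salt) value with a random token stored server-side, so the IP-rotation problem the182guy raises does not apply, and it compares the token in constant time. It assumes PHP 7 or later for random_bytes and hash_equals; the function names and field name form_token are my own.

```php
<?php
// Added example: a random, session-bound form token (litebearer's idea),
// checked with a constant-time comparison. Assumes PHP 7+; names are my own.

declare(strict_types=1);

session_start();

/** Create (or reuse) the token stored in the user's session. */
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        // 32 bytes from the CSPRNG. Nothing about the client (IP, user agent)
        // goes into it, so ISPs that rotate addresses do not break it, and
        // there is no structure to reproduce without the session itself.
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

/** Render the hidden field; htmlspecialchars keeps the attribute well-formed. */
function form_token_field(): string
{
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Verify the submitted token against the session. hash_equals avoids leaking
 * the token through comparison timing. Returns true only for an exact match,
 * and discards the token afterwards so it cannot be reused.
 */
function verify_form_token(array $post): bool
{
    if (empty($_SESSION['form_token'])
        || !isset($post['form_token'])
        || !is_string($post['form_token'])) {
        return false;
    }
    $ok = hash_equals($_SESSION['form_token'], $post['form_token']);
    unset($_SESSION['form_token']);   // one-time use: rotate after every check
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Field validation and processing belong here; the token check says
    // nothing about whether the submitted data is acceptable.
    exit('Accepted.');
}
?>
<form method="post" action="">
    <?= form_token_field() ?>
    <input type="text" name="name">
    <button type="submit">Send</button>
</form>
```

What this check does and does not give you, in the terms the thread uses: a form hosted on another site cannot read this user's token, because the browser will not hand a third-party page the contents of a response from your origin, so a POST that a different website fires in the user's browser fails the check. It does not distinguish a human from a script that loads your form first with cookies enabled, which is exactly ignace's objection and the case kenrbnsn describes; for that you still need the input validation every poster agrees on, plus rate limiting or a challenge outside the scope of this thread. The session stores only the token; the page never tries to infer "where" the data came from from an IP address.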