Chevy Posted April 11, 2007
Is it possible to get the URL that the form was submitted from? For security reasons: a user could make a form off-site and point it at that page, and do some bad stuff. Is it possible to get the URL where the form came from (without putting it as a field in the form itself)?
boo_lolly Posted April 11, 2007
I'd imagine you'd use cURL. Not sure though.
per1os Posted April 11, 2007
$_SERVER['HTTP_REFERER']

But that is unreliable. Your best bet is to use SESSION variables: when the page is loaded, set that variable, and when you are checking the GET portion, check to see if that session variable is set; if it is not, chances are they just linked directly to the page.
only one Posted April 11, 2007
Yeah, you can store a URL in a database...

<?php
// Build the URL of the current page from the host name and the script path
$url = $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
// PHP_SELF can carry user-supplied path info, so escape it before interpolating
$safeUrl = mysql_real_escape_string($url);
mysql_query("INSERT INTO `table` (`url`) VALUES ('http://$safeUrl')"); // edit this
?>

Something like that?
Chevy (Author) Posted April 11, 2007
Yeah, good idea. Thanks.
yzerman Posted April 11, 2007
Simple solution that I use: in your form, define a constant, then check whether that constant is defined in your submit form, i.e.

form.php
<?php
define('MyForm', 'YourHardToGuessValue');
if (!defined('MyForm')) {
    die('hacking attempt');
}
// finish your form
?>

Add the same lines to your submit form.

submit.php
<?php
define('MyForm', 'YourHardToGuessValue');
if (!defined('MyForm')) {
    die('hacking attempt');
}
// finish your submit
?>
per1os Posted April 11, 2007
yzerman, that does not really make any sense? Because you are defining the constant in both submit.php and form.php, so it will always return true... unless I am missing something, that script seems flawed.
yzerman Posted April 11, 2007
> For security reasons a user could make a form off site and link it to that page, and do some bad stuff

Frost, if a user creates a form off-site, he does not define MyForm, because he does not know that the check is even there. Putting it in the form and also in the submit is something I do for logging purposes; it is not necessary on the form unless the form posts to itself, but it is necessary on the submit to be functional. So it's always defined ON-SITE, but never defined OFF-SITE. You see where it makes sense and is not flawed?
boo_lolly Posted April 11, 2007
> For security reasons a user could make a form off site and link it to that page, and do some bad stuff
>
> Frost, if a user creates a form off-site, he does not define MyForm, because he does not know that the check is even there. Putting it in the form and also in the submit is something I do for logging purposes; it is not necessary on the form unless the form posts to itself, but it is necessary on the submit to be functional.

Frost is right. I would have mentioned that option, but all the person has to do is view the source code of the real form and add that hidden input field to his attack form on his own page.
yzerman Posted April 11, 2007
The define() call, as long as it is inside <?php ?> tags, does not show up in view-source unless you print out the defined constant. If someone has access to your source code it is ineffective, but then you would have other issues to worry about.
per1os Posted April 11, 2007
Alright, I will try to explain why it confuses me, yzerman. Your logic makes sense, but the code does not. That is why I suggested the session approach, because the session variable can travel from page to page without anyone knowing. Given the code you posted, anyone requesting that page can post to it, because you are defining the constant inside the code every time. It does not matter where I come from; you still define that constant. So whether I come from www.google.com or from www.disney.com, I can still run your submit.php page, because the constant is being defined. I would run a unit test if I were you to fully see what I am talking about. Basically, the server-side code gets executed no matter what.

Here is a working example of what would work:

form.php
<?php
session_start();
// Mark this session as having loaded the form
if (!isset($_SESSION['onForm'])) {
    $_SESSION['onForm'] = true;
}
// processing here
?>

submit.php
<?php
session_start();
// Reject submissions from sessions that never loaded the form
if (!isset($_SESSION['onForm'])) {
    die("Sorry, you came from an unknown site, please go here: http://www.site.com/form.php");
}
// processing here
// Clear the flag so the next submission requires another visit to form.php
unset($_SESSION['onForm']);
?>

That way the variable "onForm" should only be set on form.php and not also set on submit.php, which means that in order to submit the form the person has to have been to form.php. Let me know if that does not make sense; I can try to explain it better.
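An added example, not code from any poster in this thread: the check practitioners use for this today is a per-session random token, rendered into the form as a hidden field and compared on submit. Unlike the fixed hidden value discussed above, it cannot be copied from the page source into an off-site form, because an attacker cannot read the token that was issued to another user's session; and unlike a bare session flag, it ties the submission to a form this site actually rendered. The function names csrf_issue() and csrf_verify(), the session key and the field name csrf_token are assumptions; the session array passed in stands in for $_SESSION so the file runs on its own.

```php
<?php
// Added example (not from the thread): a synchronizer token that ties a
// submission to a form this site rendered for this session.
// Assumed names: csrf_issue(), csrf_verify(), session key and field name
// 'csrf_token'. The $session array stands in for $_SESSION.

// Issue (or reuse) a per-session random token and return the hidden input
// to embed inside the <form>. random_bytes() needs PHP 7 or later.
function csrf_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($session['csrf_token'], ENT_QUOTES, 'UTF-8')
        . '">';
}

// Compare the submitted token with the session copy in constant time.
// Returns true only when both exist, the submitted one is a string
// (a csrf_token[] parameter would arrive as an array), and they match.
function csrf_verify(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    if (!is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// How the two pages would use it:
//   form.php:   session_start();
//               echo '<form method="post" action="submit.php">'
//                  . csrf_issue($_SESSION) . ' ... </form>';
//   submit.php: session_start();
//               if (!csrf_verify($_SESSION, $_POST)) {
//                   http_response_code(403);
//                   die('invalid form token');
//               }

// Self-contained demonstration with a constructed session array.
$session = [];
$hidden  = csrf_issue($session);
$token   = $session['csrf_token'];

// Legitimate submission: the browser posts back the hidden field it was given.
var_dump(csrf_verify($session, ['csrf_token' => $token]));

// Off-site form: the attacker never saw this session's token, so the field
// is missing, or filled with a guess. Neither passes.
var_dump(csrf_verify($session, []));
var_dump(csrf_verify($session, ['csrf_token' => str_repeat('0', 64)]));

// Note that nothing here reads $_SERVER['HTTP_REFERER'], so a forged or
// suppressed Referer header has no effect on the decision.
```

The comparison goes through hash_equals() so that a byte-by-byte early exit cannot leak the token through timing; hash_equals() needs PHP 5.6 and random_bytes() PHP 7, which is why this would not have dropped unchanged into the 2007 code above. Regenerating the token after login, and on a fixed schedule, limits how long a leaked one stays useful.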
yzerman Posted April 11, 2007
I stand corrected.
verN Posted April 12, 2007
How would one use sessions to get the URL? Thanks. I am also using HTTP referer and believe this will create problems in the future. Thanks.
Dragen Posted April 12, 2007
What problems could HTTP referer cause? I was thinking of using it for my forms, but didn't realise there were any problems that might be caused by using it.
per1os Posted April 12, 2007
HTTP_REFERER is very, very unreliable. It is easily spoofed, and some clients do not permit it to be displayed. Anyone can manipulate HTTP_REFERER and be able to access the site. I would highly suggest AGAINST using that as a check, due to the fact that many legitimate users will not be able to use your software and many illegitimate users will be able to abuse it.
Dragen Posted April 12, 2007
OK, thanks.