[SOLVED] Enforcing POST submission location


phpknight

Recommended Posts

As many do, I am considering checking my scripts to make sure the forms are being submitted from my site.  The problem with that is I wonder if certain browsers or firewalls can just block the referrer value so I cannot access it.  In other words, is it possible that the value could just be NULL, and then I end up blocking real users?  I know when I track website referrers, the value is frequently not set, so wouldn't this be the same case when tracking script locations using PHP?

Yep. Some firewalls and some browsers do block the http_referer. It can also be forged.

 

See this post for a discussion on it:

 

http://www.phpfreaks.com/forums/index.php/topic,165553.0.html

 

The solution: validate your forms properly. Do not rely on any html/javascript validation. Just because you have a select box, don't assume the data is one of the options. Just because you set a maximum size of 2, don't assume that's the maximum length you will receive, etc.

 

As long as you properly validate your form data, it doesn't matter where it comes from.

Okay, I'll just keep doing what I am doing.  I can't stand javascript.  I am crazy about php form validation.  I just thought that would be an extra measure of protection against xss scripting if I could be certain that real users would not have issues.

You might be right, but it can never be a replacement for server-side checks.  I have yet to find a good use for javascript--Yahoo! Mail even ruined AJAX, but please let me know what you like about it.  I do have the huge javascript book, but I am only a little way through it.

Assign each post variable with a function (custom), so that even if the data is forged you can make an error page like:

 

"Hey, Don't You Try To Hack My Website! Get A Life! Obviously You Have No Friends And Live In Your Mother's Basement!"

 

Or something like that...

 

Sorry for my emotions, I could post more but I probably would get my account banned. It's so frustrating getting your site hacked, so many SQL queries to undo!

Well, you can make an md5 key, store it in the session on accessing each form, and pass it on as a hidden variable; on the next page check $_SESSION['md5_code'] == $_POST['md5_code'], something like that.
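The session-token idea above, combined with the server-side field validation the thread keeps coming back to, as an added example (not code from this thread or from any of the posters). It swaps the md5 key for random_bytes() and a constant-time hash_equals() compare; the form fields (topic, name) and the 40-character limit are assumptions for illustration.

```php
<?php
// Added example: per-session form token in a hidden field, checked before
// the submitted fields are validated on the server. Not from the thread.
session_start();

function issueFormToken(): string {
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32)); // instead of md5
    }
    return $_SESSION['form_token'];
}

function formTokenIsValid(array $post): bool {
    // Stops a form posted from another site without our session's token;
    // it does not make the field values trustworthy, so validate them anyway.
    return isset($_SESSION['form_token'], $post['form_token'])
        && is_string($post['form_token'])
        && hash_equals($_SESSION['form_token'], $post['form_token']);
}

// Never assume a <select> sent one of its options or that maxlength was honoured.
function validateContactForm(array $post): array {
    $errors = [];
    $allowedTopics = ['billing', 'support', 'other']; // the <select> options (assumed)
    if (!isset($post['topic']) || !in_array($post['topic'], $allowedTopics, true)) {
        $errors[] = 'topic must be one of the listed options';
    }
    $name = isset($post['name']) && is_string($post['name']) ? trim($post['name']) : '';
    if ($name === '' || mb_strlen($name) > 40) {
        $errors[] = 'name must be 1-40 characters';
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!formTokenIsValid($_POST)) {
        http_response_code(403);
        exit('Form token missing or invalid; reload the form and try again.');
    }
    $errors = validateContactForm($_POST);
    if ($errors) {
        http_response_code(400);
        exit(htmlspecialchars(implode("\n", $errors), ENT_QUOTES, 'UTF-8'));
    }
    exit('Thanks.'); // the valid submission would be processed here
}
$token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post"><input type="hidden" name="form_token" value="' . $token . '">'
   . '<select name="topic"><option>billing</option><option>support</option><option>other</option></select>'
   . '<input name="name" maxlength="40"><button>Send</button></form>';
```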

 

Indeed. But not foolproof. Hence why the only real solution is full validation of the form data.

but it can never be a replacement for server-side checks.

Absolutely.  The key part of my statement is "when used correctly".  Replacing server-side validation with Javascript validation on the client machine is a very improper use of Javascript.

 

Using Javascript to give hints to a valid user that the server will just reject their submission before they even submit it is a great use of Javascript.

 

There are many other great uses for it, but you really have to learn how to do it properly, part of which includes, IMO, not putting any Javascript in your HTML.
