nevesgodnroc Posted November 21, 2007

I am looking into the security aspects of a site, and would like to know if there is any way to identify the source of the data that is posted to the PHP page responsible for processing the data. In other words, I only want the PHP code to process the data if the data was posted from a form hosted on my server. Any help on this would be greatly appreciated. Thank you
teng84 Posted November 21, 2007

Add a hidden field in your form, then before processing check if that form is from your site. You may use this: $_SERVER['HTTP_HOST']
phpQuestioner Posted November 21, 2007

<?php
$mydomain = "http://www.yourdomain.com"; // change to your domain name
$url = $_SERVER['HTTP_REFERER'];
$myhost = parse_url($url);
$check = "$myhost[host]"; // parse_url() yields only the host part, e.g. www.yourdomain.com
if ($check != $mydomain) {
    echo "<h1>Authorization Denied</h1>";
    exit;
} else {
    // process form action
}
?>
teng84 Posted November 21, 2007

Yes, $_SERVER['HTTP_REFERER']
phpQuestioner Posted November 21, 2007

Yeah, yeah, yeah - misprint - I was trying to beat you to the draw.
teng84 Posted November 21, 2007

> Yeah, yeah, yeah - misprint - I was trying to beat you to the draw.

Why? I don't care! All I do is post my ideas to waste my time!
phpQuestioner Posted November 21, 2007

Actually my first code would not have worked anyway - I just tested it - but the code below will work.

<?php
$mydomain = "yourdomain.com"; // change to your domain name
// The Referer header may be absent, so read it defensively.
$url = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$domain = parse_url($url);
// Compare the parsed host only (quoted key: bare 'host' is an undefined constant).
if (!isset($domain['host']) || $domain['host'] != $mydomain) {
    echo "<h1>Authorization Denied</h1>";
    exit;
} else {
    // process form action
    echo "Processing Complete";
}
?>

PS: teng84 - just for fun - just wasting time too. And yes, I did use $_SERVER['HTTP_REFERER'] in this script because this person is wanting to prevent forms from outside his/her domain from accessing his/her processing script - so yes, that would work in this situation.

> Yeah, yeah, yeah - misprint - I was trying to beat you to the draw.
> Why? I don't care! All I do is post my ideas to waste my time!
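The Referer comparison in the post above, rewritten here as an added example (not code from the thread) in the form of a pure function so it can be exercised against constructed headers. It handles the cases the posted version does not: a missing header, an unparsable value, a port in the URL, and subdomains such as www.yourdomain.com, while rejecting look-alike hosts. Keep in mind what it cannot do: the Referer header is supplied by the client, so any script can send whatever value it likes; this check only turns away casual cross-site posts. The sample headers and the `referer_allows` name are assumptions for this example.

```php
<?php
// Added example: a Referer check as a testable function.
// The Referer header is client-supplied, so this is a weak control by design.

/**
 * Return true when $referer names $allowedHost exactly or as a subdomain of it.
 * A missing or unparsable Referer returns false: browsers and proxies often strip it.
 */
function referer_allows(?string $referer, string $allowedHost): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    $host        = strtolower($parts['host']);
    $allowedHost = strtolower($allowedHost);

    // Exact match, or a subdomain under a leading dot so that
    // evilyourdomain.com does not match yourdomain.com.
    $suffix = '.' . $allowedHost;
    return $host === $allowedHost
        || substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample headers (not captured traffic) and the expected verdicts.
$cases = [
    'http://www.yourdomain.com/form.php'      => true,
    'https://yourdomain.com:8443/form.php'    => true,  // port is ignored, host matches
    'http://evilyourdomain.com/form.php'      => false, // look-alike host
    'http://attacker.example/yourdomain.com/' => false, // domain only in the path
    ''                                        => false, // header not sent
];
foreach ($cases as $referer => $expected) {
    $got = referer_allows($referer, 'yourdomain.com');
    printf("%-42s -> %-5s (expected %s)\n",
        $referer !== '' ? $referer : '(no Referer)',
        var_export($got, true), var_export($expected, true));
}

// In the processing script itself the call would be:
// if (!referer_allows($_SERVER['HTTP_REFERER'] ?? null, 'yourdomain.com')) {
//     http_response_code(403);
//     exit('Authorization Denied');
// }
```

Any client that sets its own Referer header (curl with `-e`, or a hand-written HTTP request) passes this function with the first sample URL, which is why it should be treated as a nuisance filter rather than an authorization check.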
nevesgodnroc Posted November 22, 2007 (Author)

That is great, but I want to be able to stop someone from being able to view the source, then save it to their PC and run it from there. If they view the source they will get all the info they need to either run my exact form with a few modifications from their PC or from any other server. Maybe I am looking at this the wrong way. What if I blocked being able to view the source? Huh?
trq Posted November 22, 2007

You can't reliably block the source from being viewed. The best option is to set a $_SESSION variable on your form page, then check for its existence on the process page. $_SERVER['HTTP_REFERER'] is unreliable at best, as it can easily be spoofed or not sent at all.
pkSML Posted November 22, 2007

> You can't reliably block the source from being viewed. The best option is to set a $_SESSION variable on your form page, then check for its existence on the process page. $_SERVER['HTTP_REFERER'] is unreliable at best, as it can easily be spoofed or not sent at all.

I never thought of that before. Sessions are a great idea! And a session-based CAPTCHA would be a further security measure. Sessions *almost* guarantee your server originated the form that the user is submitting.
nevesgodnroc Posted November 22, 2007 (Author)

Yes, I think that the session will work for me. Let me make sure my thought behind it is correct, though. At the top of my form to submit I will start a session and set some session variable to 'a value'. On the script processing page, before the processing script, I check if $_SESSION[somevar] == 'a value'. Is that right? I am at work right now and I cannot transfer files up to my server in order to test it out. Also, sessions are new to me and I have only just read a couple of tutorials on them. Could anyone tell me how the server knows that the user has closed the browser? Or maybe a place where I can read up more on how sessions work? I like to have a good understanding of things before I put them in my code.
pkSML Posted November 22, 2007

> Yes, I think that the session will work for me. Let me make sure my thought behind it is correct, though. At the top of my form to submit I will start a session and set some session variable to 'a value'. On the script processing page, before the processing script, I check if $_SESSION[somevar] == 'a value'. Is that right? I am at work right now and I cannot transfer files up to my server in order to test it out. Also, sessions are new to me and I have only just read a couple of tutorials on them. Could anyone tell me how the server knows that the user has closed the browser? Or maybe a place where I can read up more on how sessions work? I like to have a good understanding of things before I put them in my code.

At the top of the form page (before any output), you must have this PHP code:

<?php
session_start();
$_SESSION['var'] = "your-form";
?>

This type of session does not save data as a cookie, and is not a "persistent session". The session will automatically end when the user's browser is closed. By 'end', I mean the browser will not remember the session id any more.

In the form processing script, put this at the very beginning:

<?php
session_start(); // required before $_SESSION is populated on this request
if (!isset($_SESSION['var'])) {
    die("You didn't use my form!");
}
?>

Links: http://pksml.net/search/php+sessions+tutorial
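An added example, not code from trq's or pkSML's posts, that carries their session approach one step further by combining it with teng84's hidden-field suggestion: the form page stores a random token in the session and echoes it into a hidden field, and the processing page accepts a submission only if the posted token matches the one in that same session, then discards it. This is the synchronizer-token pattern. The single-file layout, the `?script=` switch, and the names `issue_form_token`, `consume_form_token` and `form_token` are assumptions made for this example; PHP 7 or later is assumed for `random_bytes` and `hash_equals`.

```php
<?php
// Added example: a per-session, single-use form token (synchronizer-token pattern).
// Both the form page and the processing page are shown in one file, selected by
// a hypothetical ?script= parameter, so the flow can be read top to bottom.

session_start(); // must run on both pages before $_SESSION is touched

/** Generate a fresh token for $formName, remember it in the session, return it. */
function issue_form_token(string $formName): string
{
    // 32 bytes from the CSPRNG, hex-encoded so it is safe inside an HTML attribute.
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$formName] = $token;
    return $token;
}

/** Return true only if $submitted equals the token this session was issued; consume it. */
function consume_form_token(string $formName, ?string $submitted): bool
{
    $expected = $_SESSION['form_tokens'][$formName] ?? null;
    // Single use: drop the token whether or not the comparison succeeds,
    // so a replayed or guessed value cannot be retried against the same session.
    unset($_SESSION['form_tokens'][$formName]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    // Constant-time comparison: a plain == would leak matched-prefix length via timing.
    return hash_equals($expected, $submitted);
}

$script = $_GET['script'] ?? 'form'; // hypothetical switch for this example only

if ($script === 'form') {
    // form page: mint the token and embed it as a hidden field.
    $token = htmlspecialchars(issue_form_token('contact'), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="?script=process">'
       . '<input type="hidden" name="form_token" value="' . $token . '">'
       . '<input type="text" name="message">'
       . '<button type="submit">Send</button>'
       . '</form>';
} else {
    // processing page: refuse anything that does not carry this session's token.
    if (!consume_form_token('contact', $_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit("You didn't use my form!");
    }
    // Token accepted; the posted fields still need their own validation here.
    echo 'Processing Complete';
}
```

A bare session flag only proves that the submitting browser visited the form page at some point; the token additionally proves that the specific form rendered for this session is what came back, and consuming it stops the same submission from being replayed. Neither prevents the legitimate user from editing a saved copy of the form and posting modified fields, so every field must still be validated server-side as if it were hostile.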
nevesgodnroc Posted November 22, 2007 (Author)

Thank you, I'm happy that you took time to answer my question. You must be very dedicated to this forum if you are answering replies on Thanksgiving.
pkSML Posted November 22, 2007

> Thank you, I'm happy that you took time to answer my question. You must be very dedicated to this forum if you are answering replies on Thanksgiving.

Staying at home this year. Between cleaning house and helping with dinner, there's plenty of time for PHP fun!