Protecting POST data in a web application

I have a web application that has basic authentication - username, password, session, and more. However, I have a definite need to prevent users from substituting POST requests (even for registered users). In my application, I specifically check the user session before accepting POST data (also taking care of XSS, etc.).

Like this:

if (isset($_SESSION['user']))
{
    // handle the data POSTed
}

else {
    // no valid session: reject the request
}

I store session identifiers in a database. Is there anything else I should know about to prevent false POST requests or is that enough?

+3

8 answers

I specifically check the user session before taking POST

, ": , cookie, , , . cookie , POST () .

, , - XSRF, ( ), GET POST . . ( , HTTP-, .)

, (SQL, ) (HTML, JavaScript) , , : - , , , XSRF.

XSRF, , . , .

. , , . , PHP:

<form method="post" action="delete.php"><div>
    <input type="hidden" name="key" value="<?php echo(htmlspecialchars($user['key'])); ?>"/>
    <input type="submit" value="Delete" />
</div></form>

// delete.php: reject the request if the key is missing or does not match
if (!isset($_POST['key']) || !hash_equals($user['key'], $_POST['key'])) {
    // error
}

, /, .

- , . , , . , , , ( ).

+3
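The hidden-key pattern from the answer above, worked through as a complete PHP page. This is an added example, not code from the question or from any of the answers: it assumes a plain PHP session with a `user_id` entry set at login, and the function names `csrf_token`, `csrf_field` and `post_is_authentic` are my own.

```php
<?php
// Added example (not from the original question or answers): a per-session
// anti-forgery token carried in a hidden form field and verified on POST.
// Assumption: login stores the user's id in $_SESSION['user_id'].

session_start();

// Returns the anti-forgery token for this session, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex-encoded: a third-party page cannot guess it
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Renders the hidden field that every state-changing form must carry.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only for a POST from a logged-in session whose token matches.
// The checks are ordered so that a missing session or field never reaches
// the comparison; hash_equals() compares in constant time.
function post_is_authentic(array $post, array $session): bool
{
    if (empty($session['user_id']) || empty($session['csrf_token'])) {
        return false;               // no authenticated session
    }
    if (!isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;               // token field missing or malformed
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// delete.php: the handler refuses anything that is not an authentic POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!post_is_authentic($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Request rejected: missing session or invalid token.');
    }
    // handle the data POSTed (perform the delete, etc.)
    echo 'Deleted.';
    exit;
}

// On GET, show the form with the token embedded.
?>
<form method="post" action="delete.php"><div>
    <?php echo csrf_field(); ?>
    <input type="submit" value="Delete" />
</div></form>
```

The token is deliberately a separate random value rather than the session identifier itself, so that a page which can read the cookie value (or a log that records it) does not also obtain the form key; the session check and the token check are both required, since either one alone leaves the gap the question is about.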

. , , .

+2

POST- Javascript , , POST . , POST. , .

, . . , .

+1

CAPTCHA .

REST, . - POST, .

, CAPTCHA .

+1

, , . , , - , SHA1 , , . , .NET .

0
0

, , , , , mysql_real_escape_string($MyPostData).

, /, POST, , .

, , "" : , , , , .

0

( , ), (, , - , ), /guid, , , cookie. , , , GUID , . XSRF.

0

Source: https://habr.com/ru/post/1717561/
