PHP: How do you guarantee that the $_POST data comes from your form, and not from outside?

Is there a way to ensure that the $_POST data received by my code comes from my form and not from some external source? Basically, I don't want anyone to be able to spoof $_POST to a public page such as the account-creation page. That page is accessible to any user, but I only want data submitted by my account_creation form to be processed.

The only thing I could think of was to start a $_SESSION and then put the session_id into the form as a hidden input. On $_POST, the value of the hidden input would then be compared with the current session_id.

Is there a better way to achieve this? If there is, I would like to hear it.

+6
6 answers

You cannot guarantee that the data came from the form. A POST request is just a POST request; it can be generated in any number of ways, and the HTML form is merely the most user-friendly one. Your server needs to check whether the data received in the POST request is actually valid before deciding whether to act on it.

Having said that, there are things that can help you limit and confirm the data that is sent. First, require the user to be logged in, using cookies. This eliminates random requests from anonymous users. Second, you can embed a token in a hidden field in the form and also save it in the user's session. A POST request must contain this token in order to be valid. The token is just a pseudo-random string.
You can improve on this by preparing a hash of the form fields that you expect from the user. If a form value should be read-only, you can include that value in the hash as well. For instance:

 // when rendering the form (session_start() must already have been called):
 $rand = md5(mt_rand());                              // per-request token; mt_rand() is not cryptographically strong
 $hash = sha1('lastname:firstname:email:' . $rand);   // expected field names, in order, bound to the token
 $_SESSION['rand'] = $rand;
 $_SESSION['hash'] = $hash;

 // on form submit:
 $keys = array_keys($_POST);                          // field names actually submitted, in submission order
 $checkHash = sha1(join(':', $keys) . ':' . $_SESSION['rand']);
 if (!hash_equals($_SESSION['hash'], $checkHash)) {   // constant-time comparison (PHP >= 5.6)
     die('Form submission failed token validation');
 }

This is just a quick example; you probably want to sort the keys alphabetically to make sure you get the same hash, etc. It demonstrates the concept of a user needing a unique token for each request, and it also prevents tampering with the form by submitting more or fewer fields than required.

This still does not mean that the user actually used your form to submit data.

+7
 // Compare the Referer header against the page that hosts the form.
 // isset() avoids an undefined-index notice when the header is absent.
 $ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
 if ($ref !== 'some site path/index.php') {
     die("Access Denied!");
 }

This should stop most people from sending data to your database from outside.

+2

It's a little better to add some additional checks, for example user_agent, user_ip and a few other $_SERVER vars; these are the ones I use.

So, create a unique identifier (or session identifier) as you described, but add a little extra validation that also checks the agent and IP. Not foolproof, but it adds another small layer of security.

Edit: I should add that you do not send the user agent to the client; keep it server-side and silently check it against the identifier of the returned session.

In addition, if the submission does not pass the test, never tell the user why, so the cheater does not learn how to get around it. You can also add "5 failures and you're out" tracking, but for that you need to require a login.

+1

Using a session identifier is certainly one way to do it. But there are other options, most (if not all) of which involve adding some data to a hidden field.

  • Use a CAPTCHA. It is unique for every page load and therefore requires the use of your form.
  • Create random data, save it in the database (or just in the $_SESSION variable), and check it when the form is submitted.

Option one is the one I recommend for a user-creation form, since it pulls double duty: it stops automated submission of your own form as well as ensuring that the $_POST data comes from your own form.

+1

This is the standard pattern for preventing XSRF. In essence, it is similar to what you were describing. The server creates a random token when the form is displayed to the user. It is tied to the user's browser cookie. When the form is submitted, the token is sent back to the server. The server then compares it with what was issued, and the form action is performed only after a successful match.

0
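The token pattern described in this answer, written out as an added example for the account-creation form (this is not code from any of the answers above). It assumes PHP 7 or later for random_bytes() and hash_equals(), and that sessions are enabled; the field names and the 3600-second lifetime are illustrative choices.

```php
<?php
// Added example: session-bound CSRF token for the account-creation form.
session_start();

// Issue a fresh token when the form is rendered and keep a copy in the session.
function csrf_issue_token(): string {
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG, not mt_rand()
    $_SESSION['csrf_token']  = $token;
    $_SESSION['csrf_issued'] = time();
    return $token;
}

// Verify the token that came back in $_POST. The session copy is cleared on every
// attempt, so a token can be used once only (this also rejects a repeated submit
// via the back button, the case the last answer warns about).
function csrf_verify(array $post, int $max_age = 3600): bool {
    $expected = $_SESSION['csrf_token']  ?? null;
    $issued   = $_SESSION['csrf_issued'] ?? 0;
    unset($_SESSION['csrf_token'], $_SESSION['csrf_issued']);   // one-time use

    if ($expected === null || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;                                          // no token issued or none sent
    }
    if (time() - $issued > $max_age) {
        return false;                                          // form is stale
    }
    return hash_equals($expected, $post['csrf_token']);        // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Form submission rejected');     // say nothing more about why, as advised above
    }
    // ... validate firstname/lastname/email here and create the account ...
    exit('Account created');
}

// GET: render the form with the token in a hidden field.
$token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <input name="firstname"> <input name="lastname"> <input name="email">
  <button type="submit">Create account</button>
</form>
```

Because one token is stored per session, opening the form in a second tab overwrites the first tab's token; if that matters, store a small set of outstanding tokens in the session instead of a single value.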

There are many good references to putting a unique value on a form and matching it against a value stored in a server-side session. Do this, but also think about what happens when the user uses the back button and perhaps tries to submit the form twice, opens a second browser window (same session!), or uses several forms on your site.

Do not make crazy mistakes without thinking about your system.

0

Source: https://habr.com/ru/post/915351/
