php & form submission control

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • bawdy
    Confirmed User
    • Feb 2002
    • 1424

    #1

    php & form submission control

    how can i make it so that a form will only be accepted if its been submitted from the domain that it is hosted on?

    could check refering url etc but was wondering if someone knows a more secure way
  • Lycanthrope
    Confirmed User
    • Jan 2004
    • 4517

    #2
    I've used this for forms:

    http://www.scriptarchive.com/formmail.html

    Comment

    • bawdy
      Confirmed User
      • Feb 2002
      • 1424

      #3
      Originally posted by Lycanthrope
      I've used this for forms:

      http://www.scriptarchive.com/formmail.html
      thanks im no perl wiz but looks like it checks referer strings to see if its submitted from an accepted domain

      Comment

      • init
        Confirmed User
        • Oct 2002
        • 973

        #4
        i believe reffer is the only other way other then htaccess
        icq: 2721653

        Comment

        • raymor
          Confirmed User
          • Oct 2002
          • 3745

          #5
          Well you could always have them type in the word.




          That's one of the things I just added to Strongbox.
          Were you using CGI instead of damn PHP you could use
          my library, which would plug right into your script.
          Matter of fact, now that I've been the one to actually
          give a decent answer to your question I guess I can go ahead and say:
          You're concerned about securing it and you're writing it in PHP?!?!?!? ROTFL!
          FOOMCLMDFHO!
          (Falling Out Of My Chair Laughing My Damn Fool Head Off).
          For historical display only. This information is not current:
          support@bettercgi.com ICQ 7208627
          Strongbox - The next generation in site security
          Throttlebox - The next generation in bandwidth control
          Clonebox - Backup and disaster recovery on steroids

          Comment

          • boyw_utr
            Confirmed User
            • Oct 2003
            • 310

            #6
            Originally posted by bawdy
            how can i make it so that a form will only be accepted if its been submitted from the domain that it is hosted on?

            could check refering url etc but was wondering if someone knows a more secure way

            You can only use the referring check like this:

            Check the refer var stored in:
            $HTTP_SERVER_VARS['HTTP_REFERER'];

            $findme = 'www.domain.com';


            $pos1 = stripos($HTTP_SERVER_VARS['HTTP_REFERER'], $findme);

            // Nope,
            if ($pos1 hahahaha= false) {
            echo "The string '$findme' was not found in the string '$HTTP_SERVER_VARS['HTTP_REFERER']'";
            }
            // Yes it there
            Else{
            echo "We found '$findme' in '$HTTP_SERVER_VARS['HTTP_REFERER']'";
            }

            replace the echo's after testing by or a new header or the add to db routine...


            Good Luck

            SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, then you may use a 624x80 instead of a 120x60.

            Comment

            • bawdy
              Confirmed User
              • Feb 2002
              • 1424

              #7
              thanks guys... my main concern with using the refer method is that it is not always passed and can be forged pretty easily

              Comment

              • disregard
                Confirmed User
                • May 2004
                • 118

                #8
                Here's an algorythm:

                When displaying the form:

                1. Generate a unique number and store it in a database table with a timestamp.

                2. Delete all unique numbers older than 2 hours.

                3. Hide the new unique number in the form.

                When processing the form:

                1. Check the unique number against the database. If it is not there, die();

                2. Check the refferer. If it is incorrect, die();

                3. Process the form.
                house o' fart

                Comment

                • boyw_utr
                  Confirmed User
                  • Oct 2003
                  • 310

                  #9
                  Originally posted by disregard
                  Here's an algorythm:

                  When displaying the form:

                  1. Generate a unique number and store it in a database table with a timestamp.

                  2. Delete all unique numbers older than 2 hours.

                  3. Hide the new unique number in the form.

                  When processing the form:

                  1. Check the unique number against the database. If it is not there, die();

                  2. Check the refferer. If it is incorrect, die();

                  3. Process the form.
                  Hey this is also a sollution....
                  But it brings me a even greater and easier idea...

                  Just start a session in the form and check the sessions id in the submit routine... if not there send them to the form on the server with a header....

                  SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, then you may use a 624x80 instead of a 120x60.

                  Comment

                  • bawdy
                    Confirmed User
                    • Feb 2002
                    • 1424

                    #10
                    Originally posted by boyw_utr
                    Hey this is also a sollution....
                    But it brings me a even greater and easier idea...

                    Just start a session in the form and check the sessions id in the submit routine... if not there send them to the form on the server with a header....

                    yeah this is more like what i was thinking

                    essentially im thinking of issuing the form a one-time licence... each time the form is issued a new licence is generated.... maybe not tied to the session id as this could be easily obtained

                    Comment

                    • boyw_utr
                      Confirmed User
                      • Oct 2003
                      • 310

                      #11
                      Originally posted by bawdy
                      yeah this is more like what i was thinking

                      essentially im thinking of issuing the form a one-time licence... each time the form is issued a new licence is generated.... maybe not tied to the session id as this could be easily obtained

                      What kind of license....

                      You could generate a unique number and store it like a session variable.. I don't think they can obtained that very easy....
                      SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, then you may use a 624x80 instead of a 120x60.

                      Comment

                      • kenny
                        Confirmed User
                        • Mar 2002
                        • 7245

                        #12
                        Cant you do like perl and just set the permissions?
                        7

                        Comment

                        • bawdy
                          Confirmed User
                          • Feb 2002
                          • 1424

                          #13
                          Originally posted by boyw_utr
                          What kind of license....

                          You could generate a unique number and store it like a session variable.. I don't think they can obtained that very easy....
                          yeah the licence would be stored in a session var.

                          i was thinking of encoding something like the time and a key value... still havent thought this bit out fully... but the licence would be unique for the time that it was generated... the key would never be transmitted.... when the form is submitted decrypt the licence.... not sure if all this is redudant though

                          Comment

                          • bawdy
                            Confirmed User
                            • Feb 2002
                            • 1424

                            #14
                            Originally posted by kenny
                            Cant you do like perl and just set the permissions?
                            not sure i understand what you mean ??

                            Comment

                            • kenny
                              Confirmed User
                              • Mar 2002
                              • 7245

                              #15
                              Originally posted by bawdy
                              not sure i understand what you mean ??
                              I am assuming you want to make your server so that it only accepts data submitted from your site.

                              For example you dont want somebody to copy the HTML of your form and modify it so they can exploit your script or what not.

                              I dont know exactly what you are doing but I prevent this simply by setting the permissions correctly for the script.


                              Prehaps I dont fully understand what you are trying to do..
                              7

                              Comment

                              • grumpy
                                Too lazy to set a custom title
                                • Jan 2002
                                • 9870

                                #16
                                use session_id . Works better.
                                Don't let greediness blur your vision | You gotta let some shit slide
                                icq - 441-456-888

                                Comment

                                • bawdy
                                  Confirmed User
                                  • Feb 2002
                                  • 1424

                                  #17
                                  Originally posted by kenny
                                  I am assuming you want to make your server so that it only accepts data submitted from your site.

                                  For example you dont want somebody to copy the HTML of your form and modify it so they can exploit your script or what not.

                                  I dont know exactly what you are doing but I prevent this simply by setting the permissions correctly for the script.


                                  Prehaps I dont fully understand what you are trying to do..
                                  yeah that is what i want to achieve.... i will look into your suggestion more... thanks

                                  Comment

                                  • kenny
                                    Confirmed User
                                    • Mar 2002
                                    • 7245

                                    #18
                                    Originally posted by bawdy
                                    yeah that is what i want to achieve.... i will look into your suggestion more... thanks
                                    I never used PHP so it may differ.

                                    http://www.perlfect.com/articles/chmod.shtml

                                    Prehaps this can help you
                                    7

                                    Comment

                                    Working...