$_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

This is a discussion on $_HTTP["POST"] and $_SERVER["HTTP_REFERER"] within the alt.comp.lang.php forums, part of the PHP Programming Forums category.


#1
02-03-2005
Marco
$_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

Hi,

Suppose you want to make sure submitted data is coming from "your" form and
not submitted (with tools) elsewhere.
What do I need to prevent false/hacked/spoofed data?

- register globals = off;
- use $_HTTP["POST"]
- check referrer with $_SERVER["HTTP_REFERER"]

are these settings 'air tight'? or (and how?) can it be overruled /
circumvented??

Regards,
Marco


#2
02-03-2005
Chris Hope
Re: $_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

Marco wrote:

> Suppose you want to make sure submitted data is coming from "your"
> form and not submitted (with tools) elsewhere.
> What do I need to prevent false/hacked/spoofed data?
>
> - register globals = off;
> - use $_HTTP["POST"]


$_HTTP["POST"] isn't a valid variable - you want $_POST["var_name_here"]

> - check referrer with $_SERVER["HTTP_REFERER"]


Unfortunately you cannot rely on $_SERVER["HTTP_REFERER"] as it can be
blocked/unset by browser settings and other 3rd party software such as
anti spy software, privacy software, ad blocking software etc. In some
cases this is set to be blank and in other cases the site's domain
name.

And if someone is trying to see if they can do stuff to your site/server
through a form post they'd quite easily be able to fake the referer
anyway and make it look like they were posting from your page.

> are these settings 'air tight'? or (and how?) can it be overruled /
> circumvented??


You could make the user enter the string value contained in a generated
image and the value of the image is stored in a hidden field using a
hashing algorithm like md5. When the form is submitted you compare the
hash of their string with the hidden field. There are downsides to this
as it can mean people are put off completing the form altogether and
there are accessibility issues as well.

--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
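The generated-image idea above, as an added example that is not code from the thread: the expected image text and a one-time random token stay in the session, and the hidden field carries only the token, so nothing derived from the answer (not even an md5 of it, which for a short string can be recovered offline) reaches the client. Function names issue_form() and check_form() are assumed, and a plain array stands in for $_SESSION so the code runs from the command line.

```php
<?php
// Added example, not from the thread: Chris Hope's "string in a generated image"
// idea with the secret kept server-side. $session stands in for $_SESSION so the
// functions can be exercised from the command line.
declare(strict_types=1);

// Called when rendering the form: returns the value for the hidden "token" field.
function issue_form(array &$session, string $imageText): string
{
    $token = bin2hex(random_bytes(16));   // 128-bit random, one per rendered form
    $session['form'] = [
        'token'  => $token,
        'answer' => $imageText,           // what the image shows; never sent in the form
        'issued' => time(),
    ];
    return $token;
}

// Called on submit: true only for a fresh token and a matching answer.
function check_form(array &$session, array $post, int $maxAge = 900): bool
{
    $pending = $session['form'] ?? null;
    unset($session['form']);              // single use: consumed whether it passes or not
    if ($pending === null || time() - $pending['issued'] > $maxAge) {
        return false;                     // nothing outstanding, or the form went stale
    }
    $token  = (string) ($post['token'] ?? '');
    $answer = strtolower(trim((string) ($post['answer'] ?? '')));
    // hash_equals() compares in constant time, so timing does not leak the secret.
    return hash_equals($pending['token'], $token)
        && hash_equals(strtolower($pending['answer']), $answer);
}

// Constructed inputs, as they would arrive in $_POST.
$session = [];
$token = issue_form($session, 'k7p2x');
var_dump(check_form($session, ['token' => $token, 'answer' => 'K7P2X']));   // genuine submission
$token = issue_form($session, 'k7p2x');
var_dump(check_form($session, ['token' => 'forged', 'answer' => 'k7p2x']));  // made-up token
var_dump(check_form($session, ['token' => $token, 'answer' => 'k7p2x']));   // replay of a consumed form
```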
#3
02-03-2005
Oli Filth
Re: $_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

Marco wrote:
> Hi,
>
> Suppose you want to make sure submitted data is coming from "your" form and
> not submitted (with tools) elsewhere.
> What do I need to prevent false/hacked/spoofed data?
>
> - register globals = off;
> - use $_HTTP["POST"]
> - check referrer with $_SERVER["HTTP_REFERER"]
>
> are these settings 'air tight'? or (and how?) can it be overruled /
> circumvented??


Anyone can make a request for your PHP page with falsified POST header
data, including falsified referer data, so there is no way of proving
where this data was really generated from. After all, the data doesn't
really come from "your form", it comes from the user's browser.

I guess the only way to avoid this is to use an HTTPS secure connection,
but I don't know anything about the ins and outs of this.

--
Oli
#4
02-03-2005
Chris Hope
Re: $_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

Oli Filth wrote:

> Marco wrote:
>> Hi,
>>
>> Suppose you want to make sure submitted data is coming from "your"
>> form and not submitted (with tools) elsewhere.
>> What do I need to prevent false/hacked/spoofed data?
>>
>> - register globals = off;
>> - use $_HTTP["POST"]
>> - check referrer with $_SERVER["HTTP_REFERER"]
>>
>> are these settings 'air tight'? or (and how?) can it be overruled /
>> circumvented??

>
> Anyone can make a request for your PHP page with falsified POST header
> data, including falsified referer data, so there is no way of proving
> where this data was really generated from. After all, the data doesn't
> really come from "your form", it comes from the user's browser.
>
> I guess the only way to avoid this is to use an HTTPS secure
> connection, but I don't know anything about the ins and outs of this.


You could still fake the data with an HTTPS connection.

--
Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
#5
02-03-2005
Oli Filth
Re: $_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

Marco wrote:
> Hi,
>
> Suppose you want to make sure submitted data is coming from "your" form and
> not submitted (with tools) elsewhere.
> What do I need to prevent false/hacked/spoofed data?
>
> - register globals = off;
> - use $_HTTP["POST"]
> - check referrer with $_SERVER["HTTP_REFERER"]
>
> are these settings 'air tight'? or (and how?) can it be overruled /
> circumvented??
>


Why do you want to prevent falsified data? If you explain what you're
trying to do, we might be able to help further...

--
Oli
#6
02-03-2005
Dave Patton
Re: $_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

"Marco" <dont_send{spam}[mps]@this.address[webmind.nl].please.com> wrote
in news:4202727f$0$26225$18b6e80@news.wanadoo.nl:

> Hi,
>
> Suppose you want to make sure submitted data is coming from "your"
> form and not submitted (with tools) elsewhere.
> What do I need to prevent false/hacked/spoofed data?


Proper validation of the existence of, and values of,
variables that come from Get, Post, or Cookies.

In other words, spend your time making your validation
'bulletproof', rather than worrying about whether or
not someone may use "tools" to spoof a 'normal browser'.

--
Dave Patton
Canadian Coordinator, Degree Confluence Project
http://www.confluence.org/
My website: http://members.shaw.ca/davepatton/
#7
02-04-2005
Marco
Re: $_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

Thanks all for your time!! It helped me :-)


Marco


"Marco" <dont_send{spam}[mps]@this.address[webmind.nl].please.com> wrote
in message news:4202727f$0$26225$18b6e80@news.wanadoo.nl...
> Hi,
>
> Suppose you want to make sure submitted data is coming from "your" form
> and not submitted (with tools) elsewhere.
> What do I need to prevent false/hacked/spoofed data?
>
> - register globals = off;
> - use $_HTTP["POST"]
> - check referrer with $_SERVER["HTTP_REFERER"]
>
> are these settings 'air tight'? or (and how?) can it be overruled /
> circumvented??
>
> Regards,
> Marco
>



#8
02-04-2005
noSpam
Re: $_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

Marco wrote:
> Thanks all for your time!! It helped me :-)
>
>
> Marco
>
>
> "Marco" <dont_send{spam}[mps]@this.address[webmind.nl].please.com> wrote
> in message news:4202727f$0$26225$18b6e80@news.wanadoo.nl...
>
>>Hi,
>>
>>Suppose you want to make sure submitted data is coming from "your" form
>>and not submitted (with tools) elsewhere.
>>What do I need to prevent false/hacked/spoofed data?
>>
>>- register globals = off;
>>- use $_HTTP["POST"]
>>- check referrer with $_SERVER["HTTP_REFERER"]
>>
>>are these settings 'air tight'? or (and how?) can it be overruled /
>>circumvented??
>>
>>Regards,
>> Marco
>>

>
>
>

If someone is going to spoof a GET or POST request then you cannot trap
it. Essentially the problem boils down to the point at which data
validation is performed; this has to be on the server side of the transaction.
If a database is involved then ideally the data constraints should be
in the database. The script should do validation, but the database is
responsible for not allowing garbage onto its tables.

Always assume the worst case and code for it.
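Server-side validation of the kind Dave Patton and noSpam describe, as an added example that is not code from the thread: every expected field is checked for existence and then for its value, and the Referer header plays no part. The form fields (name, email, age, country), the COUNTRIES allowlist and the function name validate_post() are assumptions for the example.

```php
<?php
// Added example, not code from the thread: server-side validation of a POST
// body. Assumed form fields: name, email, age, country. The Referer header is
// never consulted; only the submitted values are checked, on the server.
declare(strict_types=1);
const COUNTRIES = ['NL', 'BE', 'DE'];   // allowlist of accepted values

/** Returns [cleanValues, errors]; errors is empty when the input is acceptable. */
function validate_post(array $post): array
{
    $clean = [];
    $errors = [];
    // Records a field as clean, or as invalid when its check produced false.
    $take = function (string $field, $value) use (&$clean, &$errors): void {
        if ($value === false) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $value;
        }
    };
    // Existence first: a hand-built request may omit fields or send arrays instead of strings.
    foreach (['name', 'email', 'age', 'country'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';
        }
    }
    if ($errors !== []) {
        return [$clean, $errors];
    }
    // Free text: non-empty, bounded length, no control characters.
    $name = trim($post['name']);
    $take('name', ($name !== '' && strlen($name) <= 64
        && !preg_match('/[\x00-\x1f\x7f]/', $name)) ? $name : false);
    // Address: syntactic check; filter_var() returns false on failure.
    $take('email', filter_var($post['email'], FILTER_VALIDATE_EMAIL));
    // Number: the string "34" becomes int 34, but only inside the allowed range.
    $take('age', filter_var($post['age'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]));
    // Fixed choice: strict allowlist comparison, no type juggling.
    $take('country', in_array($post['country'], COUNTRIES, true) ? $post['country'] : false);
    return [$clean, $errors];
}

// Constructed inputs: a genuine submission, then one assembled by hand with a tool.
[$clean, $errors] = validate_post(['name' => 'Marco', 'email' => 'marco@example.com',
                                   'age' => '34', 'country' => 'NL']);
[$clean2, $errors2] = validate_post(['name' => "x\x00y", 'email' => 'not-an-address',
                                     'age' => '9999', 'country' => 'XX']);
var_dump($clean, $errors, $errors2);
```

Only the values in the returned clean array should ever reach a query, and a database constraint on the same columns is the second line of defence the last post above calls for.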
#10
02-18-2005
mossy
Re: $_HTTP["POST"] and $_SERVER["HTTP_REFERER"]

Marco wrote:
> Hi,
>
> Suppose you want to make sure submitted data is coming from "your" form and
> not submitted (with tools) elsewhere.
> What do I need to prevent false/hacked/spoofed data?
>
> - register globals = off;
> - use $_HTTP["POST"]
> - check referrer with $_SERVER["HTTP_REFERER"]
>
> are these settings 'air tight'? or (and how?) can it be overruled /
> circumvented??
>
> Regards,
> Marco
>
>

HTML forms are not entirely secure; you should check all input from
userland with functions such as the string functions in PHP.