This is a discussion on "php form security question" within the alt.comp.lang.php forums, part of the PHP Programming Forums category.
Hi,

I have a problem. In my php script I have a form and when the user clicks the submit button it calls the script 'lookup.php'. In my lookup.php script I do a check: if $_POST is empty I will not process the lookup.php script and redirect to the home page. The problem is this: I can make an html page with a form on my local machine and when submit is pressed I execute the action 'http://www.mysite.com/lookup.php'. The $_POST variable is not empty so the script is processed. I think this is a security issue because you can make a script which calls the lookup.php script on the server each time with different values for the form.

Is there a way to check if the form was submitted from the main site, i.e. http://www.mysite.com? I want all other scripts not submitted from my website redirected to the home page. How to do it, and maybe someone has good advice on how to protect. What other security issues can you expect?

Thanks a lot for your time to read my problem, and happy php-ing.

John
Bruintje Beer said the following on 24/11/2005 19:06:
> Hi,
>
> I have a problem. In my php script I have a form and when the user clicks
> the submit button it call the script 'lookup.php'. In my lookup.php script I
> do a check if $_POST is empty I will not process the lookup.php script and
> redirect to the home page. The problem is this : I can make a html page with
> a form on my local machine and when submit is pressed I execute the action
> 'http://www.mysite.com/lookup.php'. The $_POST variable is not empty so the
> script is processed. I think this is a security issue because you can make a
> script which call the lookup.php script on the server each time with
> different values for the form.
>
> Is there a way to check if the form was submitted from the main site i.e.
> http://www.mysite.com ?

There is no reliable way to do this.

--
Oli
Oli Filth wrote:
> Bruintje Beer said the following on 24/11/2005 19:06:
>
>> Hi,
>>
>> I have a problem. In my php script I have a form and when the user
>> clicks the submit button it call the script 'lookup.php'. In my
>> lookup.php script I do a check if $_POST is empty I will not process
>> the lookup.php script and redirect to the home page. The problem is
>> this : I can make a html page with a form on my local machine and when
>> submit is pressed I execute the action
>> 'http://www.mysite.com/lookup.php'. The $_POST variable is not empty
>> so the script is processed. I think this is a security issue because
>> you can make a script which call the lookup.php script on the server
>> each time with different values for the form.
>>
>> Is there a way to check if the form was submitted from the main site
>> i.e. http://www.mysite.com ?
>
>
> There is no reliable way to do this.

There were a few lines on php.net somewhere in the functions list where people expanded on how to use the particular function, but can I bloody find it now that I'm looking for it?

Richard.

--
We trade our health in search of wealth,
We scrimp and toil and save;
We trade our wealth in search of health,
But only find the grave.
>> Hi,
>>
>> I have a problem. In my php script I have a form and when the user clicks
>> the submit button it call the script 'lookup.php'. In my lookup.php script I
>> do a check if $_POST is empty I will not process the lookup.php script and
>> redirect to the home page. The problem is this : I can make a html page with
>> a form on my local machine and when submit is pressed I execute the action
>> 'http://www.mysite.com/lookup.php'. The $_POST variable is not empty so the
>> script is processed. I think this is a security issue because you can make a
>> script which call the lookup.php script on the server each time with
>> different values for the form.
>>
>> Is there a way to check if the form was submitted from the main site i.e.
>> http://www.mysite.com ?
>>
>There is no reliable way to do this.

Sure there is. At the top of the form, generate some random value (md5(microtime()) should be fine) and put it in a session variable. Also include that value as a hidden form field.

When you process the form on lookup.php, compare the value from the form submission with the one in the session. If they're the same, you know they came from that page. If not, or that variable doesn't exist in $_POST, you know the request came from somewhere else. Once you've done what you need to do on lookup.php, you can clear the session variable for next time.
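A single-use version of the token scheme described in the post above, written as an added example (not code posted in this thread); it assumes PHP 7 or later and that the page rendering the form and lookup.php share one PHP session. As Oli notes further down the thread, a token of this kind does not stop a client that loads the form first and copies the value; it only rejects submissions that carry no valid token for the session, and the single-use handling below means a token cannot be replayed.

```php
<?php
// Added example, not code from the thread: a single-use form token that ties a
// POST to lookup.php to the PHP session that rendered the form. Assumes PHP 7+.

const FORM_TOKEN_KEY = 'lookup_form_token'; // session key, name is arbitrary

function start_session_once(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// Called by the page that renders the form: store a fresh random token in the
// session and return the hidden input that carries it back in the POST.
function issue_form_token(): string
{
    start_session_once();
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not md5(microtime())
    $_SESSION[FORM_TOKEN_KEY] = $token;
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Called at the top of lookup.php. Returns true only if the submitted token
// matches the one stored for this session. The stored token is dropped either
// way, so each token is good for exactly one submission and a wrong guess
// cannot be retried against the same value.
function consume_form_token(array $post): bool
{
    start_session_once();
    $expected = $_SESSION[FORM_TOKEN_KEY] ?? null;
    unset($_SESSION[FORM_TOKEN_KEY]);
    $submitted = $post['form_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false; // no token issued, or none (or a non-string) submitted
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// lookup.php, before any processing of $_POST:
// if (!consume_form_token($_POST)) {
//     header('Location: http://www.mysite.com/', true, 303); // back to the home page
//     exit;
// }
// ... process the lookup ...
```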
ZeldorBlat said the following on 24/11/2005 20:57:
>>>Hi,
>>>
>>>I have a problem. In my php script I have a form and when the user clicks
>>>the submit button it call the script 'lookup.php'. In my lookup.php script I
>>>do a check if $_POST is empty I will not process the lookup.php script and
>>>redirect to the home page. The problem is this : I can make a html page with
>>>a form on my local machine and when submit is pressed I execute the action
>>>'http://www.mysite.com/lookup.php'. The $_POST variable is not empty so the
>>>script is processed. I think this is a security issue because you can make a
>>>script which call the lookup.php script on the server each time with
>>>different values for the form.
>>>
>>>Is there a way to check if the form was submitted from the main site i.e.
>>>http://www.mysite.com ?
>>>
>>
>>There is no reliable way to do this.
>
>
> Sure there is. At the top of the form, generate some random value
> (md5(microtime()) should be fine) and put it in a session variable.
> Also include that value as a hidden form field.
>
> When you process the form on lookup.php, compare the value from the
> form submission with the one in the session. If they're the same, you
> know they came from that page. If not or that variable doesn't exist
> in $_POST, you know the request came from somewhere else. Once you've
> done what you need to do on lookup.php, you can clear the session
> variable for next time.
>

That doesn't stop someone from faking it. All they have to do is load your page, copy the hidden form value, and insert it into their fake form before submitting it.

Makes it trickier for them, undoubtedly, but hardly fool-proof.

--
Oli

"Oli Filth" <catch@olifilth.co.uk> wrote in message news:R%qhf.2810$uR.2703@newsfe7-gui.ntli.net...
> ZeldorBlat said the following on 24/11/2005 20:57:
>>>>Hi,
>>>>
>>>>I have a problem. In my php script I have a form and when the user clicks
>>>>the submit button it call the script 'lookup.php'. In my lookup.php script I
>>>>do a check if $_POST is empty I will not process the lookup.php script and
>>>>redirect to the home page. The problem is this : I can make a html page with
>>>>a form on my local machine and when submit is pressed I execute the action
>>>>'http://www.mysite.com/lookup.php'. The $_POST variable is not empty so the
>>>>script is processed. I think this is a security issue because you can make a
>>>>script which call the lookup.php script on the server each time with
>>>>different values for the form.
>>>>
>>>>Is there a way to check if the form was submitted from the main site i.e.
>>>>http://www.mysite.com ?
>>>>
>>>
>>>There is no reliable way to do this.
>>
>>
>> Sure there is. At the top of the form, generate some random value
>> (md5(microtime()) should be fine) and put it in a session variable.
>> Also include that value as a hidden form field.
>>
>> When you process the form on lookup.php, compare the value from the
>> form submission with the one in the session. If they're the same, you
>> know they came from that page. If not or that variable doesn't exist
>> in $_POST, you know the request came from somewhere else. Once you've
>> done what you need to do on lookup.php, you can clear the session
>> variable for next time.
>>
>
> That doesn't stop someone from faking it. All they have to do is load your
> page, copy the hidden form value, and insert into their fake form before
> submitting it.
>
> Makes it tricker for them, undoubtedly, but hardly fool-proof.
>
> --
> Oli

Any suggestions?

John
Bruintje Beer wrote:
> any suggestions

Expansion on the first:

1. Make 2 md5(microtime()) (sort of like username/password).
2. Put them in a session and a db on the referrer-site.
3. Make a page on the referrer site that acts like a sort of login and make it echo a short text.
4. Read the remote page in your lookup script with sortofcheck.php?md51=session_md5_1&md52=session_md5_2, get the text.
5. Check whether the text is OK.
6. Proceed when OK, refer to other page when value is not OK.
7. Clean up the db on the referrer-site regularly, depending on the amount of traffic.

Still not ideal, but works.

Grtz,
Rik
> I think this is a security issue because you can make a
> script which call the lookup.php script on the server each time with
> different values for the form.

Yes - your assumptions about HTTP and the subsequent code have created a security issue for your application. There is no wider issue - HTTP is a stateless protocol.

Rik's suggestion:

> 1. Make 2 (md5(microtime()) (sort of like username/password
> 2. Put them in a session and a db on the referrer-site.

offers no advantage over using a session properly. In this scenario, the authentication process is that the user must have visited the main page before a post to lookup.php is processed. All you have to do is record this state in the session. Using md5 and microtime and other crypto stuff just adds fluff.

Here's some code:

index.php:

    session_start();
    $_SESSION['index_visited'] = 1;

lookup.php:

    session_start();
    if (empty($_SESSION['index_visited'])) {
        // NB you should probably check the HTTP protocol level and do a
        // 302/303/307 as appropriate - IIRC header("Location: ...") always returns a 302
        header("Location: $redirect");
        exit; // stop here so the lookup is not processed after the redirect
    }

C.

"C." <colin.mckinnon@gmail.com> wrote in message news:1132922910.710523.64410@o13g2000cwo.googlegroups.com...
>> I think this is a security issue because you can make a
>> script which call the lookup.php script on the server each time with
>> different values for the form.
>
> Yes - your assumptions about HTTP and subsequent code has created a
> security issue for your application. There is no wider issue - HTTP is
> a stateless protocol.
>
> Rik's suggestion:
>> 1. Make 2 (md5(microtime()) (sort of like username/password
>> 2. Put them in a session and a db on the referrer-site.
>
> offers no advantage over using a session properly. In this scenario,
> the authentication process is that the user must have visited the main
> page before a post to lookup.php is processed. All you have to do is
> record this state in the session. Using md5 and microtime and other
> crypto stuff just adds fluff.
>
> Here's some code:
>
> index.php:
> $_SESSION['index_visited']=1;
>
> lookup.php:
> if (!$_SESSION['index_visited']) {
> header("location: $redirect"); // NB you should probably check
> the HTTP protocol
> // level and do a 302/303/307 as appropriate - IIRC
> header("Location...) always returns a 302
> }
>
> C.
>

Then again, if the person does not go to the lookup page directly but visits some other pages first, the session index is set. Then if the person goes to the lookup page (through another page) the lookup.php is processed because the session index is set somewhere in the session. This means if you want this to work you have to unset the session index in all other pages.

Or do I miss something?

Rob

"Rob" <reply_@news_group.please> wrote in message news:e85a4$43897adf$3ec20fe0$6928@news.chello.nl...
>
> "C." <colin.mckinnon@gmail.com> wrote in message
> news:1132922910.710523.64410@o13g2000cwo.googlegroups.com...
>>> I think this is a security issue because you can make a
>>> script which call the lookup.php script on the server each time with
>>> different values for the form.
>>
>> Yes - your assumptions about HTTP and subsequent code has created a
>> security issue for your application. There is no wider issue - HTTP is
>> a stateless protocol.
>>
>> Rik's suggestion:
>>> 1. Make 2 (md5(microtime()) (sort of like username/password
>>> 2. Put them in a session and a db on the referrer-site.
>>
>> offers no advantage over using a session properly. In this scenario,
>> the authentication process is that the user must have visited the main
>> page before a post to lookup.php is processed. All you have to do is
>> record this state in the session. Using md5 and microtime and other
>> crypto stuff just adds fluff.
>>
>> Here's some code:
>>
>> index.php:
>> $_SESSION['index_visited']=1;
>>
>> lookup.php:
>> if (!$_SESSION['index_visited']) {
>> header("location: $redirect"); // NB you should probably check
>> the HTTP protocol
>> // level and do a 302/303/307 as appropriate - IIRC
>> header("Location...) always returns a 302
>> }
>>
>> C.
>>
>
> Then again if the person will not go to the lookup page directly but visit
> some other pages first the session index is set. Then if the person goes
> to the lookup page (through an other page) the lookup.php is processed
> because the session index is set some where in the session. This means if
> you want this to work you have to unset the session index in all other
> pages.
>
> or do I miss something?
>
> Rob
>

Rob, I think you're right.

John