Re: PHP Passing Variables Between Pages and Security



Gordon Burditt wrote:
> Justin Koivisto wrote:
>> Gordon Burditt wrote:
>>
>>> It is possible, and I've done this sort of thing on a site where I
>>> had legitimate access, to fetch the form from your site, (using,
>>> e.g. CURL) find the HTML for formToken, pick up the value, and pass
>>> it as a parameter in the next request (again using CURL). Along
>>> the way I can add in any other variables I want and not run any
>>> Javascript on the page. Granted, this *does* load the form
>>> from your site. And I'd have to be logged in to do it, if
>>> that is needed to get to the page.
>>
>> I tried to do this before as well... Curl wouldn't hold the session id,
>> so when the post came through, there was no $_SESSION['token'] set to
>> compare against the $_POST['formToken']
>
> Command-line CURL can and will save cookies (specifically the session
> cookie) picked up from one request so you can use them in the next
> request. I haven't tried using CURL from PHP, but I assume the
> ability to do that is in there also, and the documentation seems
> to support this. That should make the first request and the second
> be in the same session.
>
> Certainly, it's *possible* to do this, as a browser operated by a
> human does it, and it doesn't require any abilities from the human
> that are hard to automate (like reading CAPTCHAs).
>
> What exactly are you trying to protect against here? You can protect
> against stupid bots that just have the formula for what to submit
> for your form, and just keep re-using it. Malicious humans operating
> manually are going to be able to get around it easily.

What am I protecting? Well, this is only a first line of defense for me.
From there, I compare vars that were submitted with ones that I expect
as well as filtering or validating the data for those vars. At first, it
was used to prevent those darn spam bots from submitting all my forms and
sending me email without hindering an actual user. Again, this was/is
used in combination with other defense mechanisms as well.

--
Justin Koivisto, ZCE - justin@xxxxxxxxx
http://koivi.com
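The exchange the two posters are arguing about, as an added example that is not code from the thread or from either poster. Python stands in both for a PHP handler that stores a token in the session and compares it against the posted formToken, and for command-line curl: one client has no cookie jar and replays a token it captured earlier (the "stupid bot"), the other keeps the session cookie the way curl's -c/-b does, fetches the form, scrapes the token out of the HTML and submits it. The paths (/form, /submit), the cookie name sid, the field name formToken and the single-use rule are assumptions for the demo; everything runs against a local server on 127.0.0.1.

```python
"""Form-token check (session token vs posted formToken) over real HTTP on
localhost, plus a replaying bot and a cookie-keeping scraper. Demo only;
/form, /submit, 'sid' and 'formToken' are assumed names, not from the thread."""
import hmac
import http.cookiejar
import re
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}  # sid -> {"token": ...}; stands in for PHP's $_SESSION store


class FormHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def _session(self):
        """Return (sid, is_new): read the sid cookie, or start a fresh session."""
        m = re.search(r"(?:^|;\s*)sid=([0-9a-f]+)", self.headers.get("Cookie", ""))
        sid = m.group(1) if m and m.group(1) in SESSIONS else None
        if sid is None:
            sid = secrets.token_hex(16)
            SESSIONS[sid] = {}
            return sid, True
        return sid, False

    def do_GET(self):
        if self.path != "/form":
            self.send_error(404)
            return
        sid, new = self._session()
        token = secrets.token_hex(16)
        SESSIONS[sid]["token"] = token  # PHP equivalent: $_SESSION['token'] = $token
        body = ('<form method="post" action="/submit">'
                f'<input type="hidden" name="formToken" value="{token}">'
                '<input name="msg"></form>').encode()
        self.send_response(200)
        if new:
            self.send_header("Set-Cookie", f"sid={sid}; HttpOnly")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != "/submit":
            self.send_error(404)
            return
        sid, _ = self._session()
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        posted = fields.get("formToken", [""])[0]
        expected = SESSIONS[sid].pop("token", None)  # single use: consumed on first POST
        ok = expected is not None and hmac.compare_digest(posted, expected)
        body = b"accepted" if ok else b"rejected"
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FormHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def submit(opener, base, token):
    """POST the form; True if the server accepted it, False on 403."""
    data = urllib.parse.urlencode({"formToken": token, "msg": "hi"}).encode()
    try:
        with opener.open(base + "/submit", data=data) as r:
            return r.status == 200
    except urllib.error.HTTPError:
        return False


def replay_bot(base):
    """No cookie jar, just re-sends a token it captured once (constructed value)."""
    opener = urllib.request.build_opener()  # deliberately no HTTPCookieProcessor
    return submit(opener, base, "deadbeef" * 4)


def cookie_jar_scraper(base):
    """curl -c jar GET /form; regex out formToken; curl -b jar POST /submit."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(base + "/form") as r:
        html = r.read().decode()
    token = re.search(r'name="formToken" value="([0-9a-f]+)"', html).group(1)
    first = submit(opener, base, token)
    second = submit(opener, base, token)  # same token again: rejected, already consumed
    return first, second


def run_demo():
    srv, base = start_server()
    try:
        return {"replay_bot": replay_bot(base),
                "cookie_jar_scraper": cookie_jar_scraper(base)}
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(run_demo())
```

The result is the point both posters end up agreeing on: the replaying bot is rejected and a second submission of the same token is rejected, but any client that keeps the session cookie and reads the form first is accepted, so the token filters out dumb replay traffic and nothing more. The hmac.compare_digest call is the one addition worth carrying into a real handler, so that the comparison does not leak timing information.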


