Re: Form Security
- From: Scott <nospam@xxxxxxxxxx>
- Date: Thu, 09 Mar 2006 18:58:59 -0500
Thanks for the feedback guys. I know not to rely on HTTP_REFERER. I think the plan is to use a combination of the method I described earlier, along with filtering the input with regular expressions to ensure I'm only getting valid data.
This is for a contact form, so if you can think of any more obvious holes I need to watch for, let me know.
Thanks again!
Scott
Scott wrote:
I've been trying to come up with a way to ensure user input is coming from the form on my site, and not auto-submitted from elsewhere, and I don't want to use the "enter the code shown in the image" method. I know the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of doing something similar to this:
<?php
session_start();
$code = mt_rand(0,1000000);
$_SESSION['code'] = $code;
?>
Then in my form have:
<input type="hidden" name="originator" value="<?php echo $code; ?>">
On the page receiving the form:
<?php
session_start();
// Accept the submission only when the session actually holds a code and the
// posted value matches it exactly. Compare as strings: a loose == between the
// posted string and the integer stored in the session can match unintended
// values (e.g. a non-numeric string against 0).
if(isset($_POST['originator'], $_SESSION['code'])) {
    if((string)$_POST['originator'] === (string)$_SESSION['code']) {
        // process the form
    }
}
?>
I'm looking for feedback on this method. Do you think this is an effective way to ensure the input you're receiving is indeed from your form? Obviously, the random code key will be visible to the client, but without the matching session variable, it will be useless.
Your thoughts?
Scott
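Added example, not from Scott's post or the thread: a hardened form of the same per-session token idea, together with the whitelist input filtering the reply says the contact form will use. It keeps the hidden-field name "originator" from the post; everything else (function names, the contact-form field names and length limits) is an assumption for this example. It uses random_bytes() instead of mt_rand(), since mt_rand() output is predictable and unsuitable for a security token, compares with hash_equals() so the check runs in constant time, and discards the token after one use. Note what the check does and does not give you: it stops a third-party page from posting into the handler blind (the session cookie and token must both be present), but an automated client that first requests the form page with cookies enabled receives a valid token, so it is not a replacement for a bot check or rate limiting on a public contact form.

```php
<?php
// Added example (not Scott's code): hardened per-session form token plus
// whitelist validation for a contact form. Requires PHP 7.0+ for
// random_bytes() and hash_equals().
declare(strict_types=1);

const TOKEN_FIELD = 'originator';   // same hidden-field name as in the post

// Call when rendering the form. Creates a token once per session and keeps it
// server side; only the token value is written into the hidden field.
function issueFormToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['form_token'])) {
        // 32 bytes from the OS CSPRNG, hex encoded (64 characters).
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Call when processing the POST. True only when the session holds a token and
// the submitted value matches it byte for byte (constant-time comparison).
// The token is removed after the check, so a captured value cannot be replayed
// within the same session; the next form render issues a fresh one.
function verifyFormToken(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected  = $_SESSION['form_token'] ?? null;
    $submitted = $post[TOKEN_FIELD] ?? null;
    unset($_SESSION['form_token']);             // single use, success or not
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Whitelist validation for the contact form. Field names and limits are
// assumptions for this example. Returns the cleaned fields or error messages;
// the mail should be built only from 'fields', never from raw $_POST.
function validateContactForm(array $post): array
{
    $errors = [];
    $clean  = [];

    $name = trim((string)($post['name'] ?? ''));
    if (!preg_match('/^[\p{L} .\'-]{1,80}$/u', $name)) {
        $errors[] = 'name: letters, spaces and . \' - only, max 80 chars';
    } else {
        $clean['name'] = $name;
    }

    // FILTER_VALIDATE_EMAIL rejects CR/LF already; the explicit check makes the
    // mail-header-injection concern visible to the reader.
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || preg_match('/[\r\n]/', $email)) {
        $errors[] = 'email: invalid address';
    } else {
        $clean['email'] = $email;
    }

    // Normalise line endings, then refuse any control character other than
    // newline and tab ([^\P{C}\n\t] matches exactly those).
    $message = str_replace("\r\n", "\n", (string)($post['message'] ?? ''));
    if ($message === '' || strlen($message) > 4000
        || preg_match('/[^\P{C}\n\t]/u', $message)) {
        $errors[] = 'message: 1-4000 chars, no control characters';
    } else {
        $clean['message'] = $message;
    }

    return ['ok' => $errors === [], 'fields' => $clean, 'errors' => $errors];
}

// In the form page:
//   $token = issueFormToken();
//   echo '<input type="hidden" name="' . TOKEN_FIELD . '" value="'
//      . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
//
// In the handler:
//   if (!verifyFormToken($_POST)) { http_response_code(403); exit; }
//   $result = validateContactForm($_POST);
//   if (!$result['ok']) { /* redisplay the form with $result['errors'] */ }
//   else { /* build the mail from $result['fields'] */ }
```

The token is unset before the comparison result is known so that a failed attempt also consumes it; a legitimate user who mistypes a field simply gets a new token when the form is redisplayed. Rejecting CR and LF in the address field matters for a contact form in particular, because the value usually ends up in a mail header.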