Re: Form Security
- From: Jerry Stuckle <jstucklex@xxxxxxxxxxxxx>
- Date: Thu, 09 Mar 2006 22:33:10 -0500
Chung Leong wrote:
Scott wrote:
I've been trying to come up with a way to ensure user input is coming
from the form on my site, and not auto-submitted from elsewhere, and I
don't want to use the "enter the code shown in the image" method. I know
the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
doing something similar to this:
<?php
session_start();
$code = mt_rand(0,1000000);
$_SESSION['code'] = $code;
?>
Then in my form have:
<input type="hidden" name="originator" value="<?=$code?>">
On the page receiving the form:
<?php
session_start();
if(isset($_POST['originator'])) {
if($_POST['originator'] == $_SESSION['code']) {
// process the form
}
}
?>
I'm looking for feedback on this method. Do you think this is an
effective way to ensure the input you're receiving is indeed from your
form? Obviously, the random code key will be visible to the client, but
without the matching session variable, it will be useless.
Your thoughts?
Scott
Yes, that's precisely what you want to do. The function uniqid() can
also be used to generate the random key.
A check on HTTP_REFERER is actually sufficient too, since ordinary
users aren't going to be spoofing the Referer headers.
In addition to what Justin said - if someone DOES want to spoof your site, they will set HTTP_REFERER to your site. That check is worthless.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
.
- Follow-Ups:
- Re: Form Security
- From: Chung Leong
- Re: Form Security
- References:
- Form Security
- From: Scott
- Re: Form Security
- From: Chung Leong
- Form Security
- Prev by Date: Re: pqsql fieldnames
- Next by Date: Re: HTTP POST problem
- Previous by thread: Re: Form Security
- Next by thread: Re: Form Security
- Index(es):
Relevant Pages
|
