September 21, 2012

PHP backend / frontend security

Question by William Yang

Hello all,

While taking my time in the bath I though of something interesting. In PHP, how do you tell if the users’ forms submitted is valid and not fraud (i.e. some other form on some other site with action=”http://mysite.com/sendData.php”)? Because really, anyone can create a form that will try send and match $_POST variables in the real backend. How can I make sure that that script is legit (from my site and only my site) so I don’t have some sort of cloning-site data-steal thing going on?

I have some ideas but not sure where to start

  • Generate a one-time key and store in hidden input field
  • Attempt (however possible) to grab the url on which the form is located (probably not possible)
  • Using some really complicated PHP goodies to determine where the data is sent (possible)

Any ideas? Thanks all!

Answer by Nathan Sire

Most of these attempts from hackers will be used by curl. It’s easy to change the referring agent with curl. You can even set cookies with curl. But spoofing md5 hashed keys with a private salt and storing it in session data will stop most average hackers and bots. Keeping the keys stored in a database will add authentication.

Answer by Starx

There are few simple ways like:

  • Checking $_SERVER['HTTP_REFERER'] to ensure your host was the referring script
  • Adding hashing keys in the forms and checking them with the server session variable stored.

But all the above can be manipulated and spoofed in some way. So, you can use CSRF Validations. Here is a very good article on this.

Other additional techniques I have encountered are:

  • Adding time limits to forms and ensure they are submitted with in that time.
  • On every interaction with the form, send AJAX request to validate and reactive the form’s timelimit.
...

Please fill the form - I will response as fast as I can!