Re: PHP Passing Variables Between Pages and Security

Posted by Justin Koivisto on 11/17/01 11:39

Gordon Burditt wrote:
>>OK, instead of linking to the threads from before, here is an example
>>again for protecting against spoofed form submissions:
>>
>><?php
>>session_start();
>>$_SESSION['token']=md5('secret string'.time());
>>?>
>><form method="post" action="process.php">
>><input type="hidden" name="formToken" value="<?php echo
>>$_SESSION['token'] ?>" />
>>....
>></form>
>>
>>In the process.php:
>><?php
>>session_start();
>>if( isset($_POST['formToken'])
>> && isset($_SESSION['token'])
>> && $_POST['formToken']==$_SESSION['token']
>> ){
>> // form submission legit
>>}else{
>> // spoofed form submit
>>}
>>?>
>>
>>This allows you to be confident that the form was submitted from your
>>site.
>
> Ok, define "submitted from your site".
>
> It is possible, and I've done this sort of thing on a site where I
> had legitimate access, to fetch the form from your site, (using,
> e.g. CURL) find the HTML for formToken, pick up the value, and pass
> it as a parameter in the next request (again using CURL). Along
> the way I can add in any other variables I want and not run any
> Javascript on the page. Granted, this *does* load the form
> from your site. And I'd have to be logged in to do it, if
> that is needed to get to the page.

I tried to do this before as well... Curl wouldn't hold the session id,
so when the post came through, there was no $_SESSION['token'] set to
compare against the $_POST['formToken'].

> Granted, it's not something your average spambot would do, but it
> can be done.

When I get into the office, I'll set up a simple little form for
testing this out again. However, the first tests I ran didn't work at
all. Maybe I'll post the URL of the test form for others to take a try
at. ;)

PS - I'm sure I've mentioned this before, but the method I have been
using comes from Chris Shiflett's "Essential PHP Security," and I see
that the chapter where this is introduced is available for download from
the book's companion site: http://phpsecurity.org (chapter 2)
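For reference, here is a hardened version of the token pattern quoted in this thread. It is an added example, not code from the thread or from the book; the helper names csrf_token, csrf_field and csrf_valid are made up, and the file is assumed to be included by both the form page and process.php before any output.

```php
<?php
// Added example (not from the thread): CSRF-token helper in the style of the
// quoted pattern, with an unpredictable token and a constant-time comparison.
// Assumed layout: included by both the form page and process.php.

session_start();

// Issue one random token per session. random_bytes() is unpredictable,
// whereas md5('secret string'.time()) can be reproduced by anyone who knows
// the secret string and can guess the second the token was issued.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

// Hidden field for the form. htmlspecialchars() keeps the value inside the
// attribute (the token is hex anyway, so this is defence in depth).
function csrf_field(): string
{
    return '<input type="hidden" name="formToken" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Validate a submission. Both values must exist and be strings; hash_equals()
// replaces the loose == comparison and does not leak timing information.
function csrf_valid(array $post): bool
{
    if (!isset($post['formToken'], $_SESSION['token'])) {
        return false;   // e.g. a client that did not keep the session cookie
    }
    if (!is_string($post['formToken'])) {
        return false;   // formToken[]=... would arrive as an array
    }
    return hash_equals($_SESSION['token'], $post['formToken']);
}

// In process.php:
// if (!csrf_valid($_POST)) { http_response_code(403); exit('Invalid form token'); }
```

As Gordon points out, a client that fetches the form and keeps the session cookie will still pass this check; the token only ties the submission to a session that actually loaded the form, which is what stops a third-party site from forging it.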
