Posted by Justin Koivisto on 10/20/63 11:39
Skeets wrote:
> i'm passing session and hidden variables between pages. not to mention
> post values.
>
> I'm a little concerned that someone with sufficient knowledge could
> spoof these values and manipulate the program.
>
> Is this a valid concern? I'm thinking I can check the submitting page,
> setting up something around the following code...
>
> $base_name = basename($_SERVER['PHP_SELF']);
>
> is this a good bet? is there a better way?
OK, instead of linking to the threads from before, here is an example
again for protecting against spoofed form submissions:
<?php
// Start the session and issue a token for this render of the form.
session_start();
$_SESSION['token']=md5('secret string'.time());
?>
<form method="post" action="process.php">
<input type="hidden" name="formToken" value="<?php echo
$_SESSION['token'] ?>" />
.....
</form>
In the process.php:
<?php
session_start();
// The posted token must be present and match the copy held server-side in
// the session. Strict comparison (===) avoids PHP's loose string/number
// coercion, which can treat two different hex digests as equal.
if( isset($_POST['formToken'])
&& isset($_SESSION['token'])
&& $_POST['formToken']===$_SESSION['token']
){
// form submission legit
}else{
// spoofed form submit
}
?>
This allows you to be confident that the form was submitted from your
site. Of course, when doing defense in depth (as you should be), you'll
also want to filter input and escape output...
Anyway, I have yet to find a way to be able to spoof around this,
including using javascript to attempt to read the token value from a
remote site.
As always: untested, YMMV
--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
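The scheme above is the synchronizer-token pattern: a value known only to the server and to the browser that rendered the form is echoed back with the submission, so a page on another site cannot forge a valid POST. The following is an added example, not Justin's code, written as plain functions with arrays standing in for $_SESSION and $_POST so it runs from the command line without a web server. It assumes PHP 7.0 or later for random_bytes() and hash_equals(); the function names issue_token, check_token and hidden_field are this example's own. It differs from the post in three ways worth noting: the token comes from the CSPRNG rather than md5('secret string'.time()), the comparison is constant-time, and the token is discarded after one use so it cannot be replayed. Note also what the check does and does not buy: it ties a submission to the session that rendered the form, but the legitimate user of that session can still edit any other hidden field, so every posted value must still be validated server-side.

```php
<?php
// Added example (not the original post's code) of a synchronizer token for
// form submissions. $session and $post are plain arrays standing in for
// $_SESSION and $_POST so the script runs from the CLI. Requires PHP >= 7.0.

// Issue a fresh token for one rendering of the form and store it in the
// session. 32 random bytes from the CSPRNG, hex-encoded for the hidden field.
function issue_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));
    $session['token'] = $token;
    return $token;
}

// Render the hidden field. The token is hex so escaping is a no-op here,
// but escaping anything echoed into HTML is the habit worth keeping.
function hidden_field(string $token): string
{
    return '<input type="hidden" name="formToken" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Validate a submission against the session. Returns true only when a
// string token was posted and it matches the stored one in constant time.
// The stored token is cleared whether or not the check passes, so a token
// is good for exactly one submission.
function check_token(array &$session, array $post): bool
{
    if (!isset($session['token'], $post['formToken'])) {
        return false;
    }
    $expected = $session['token'];
    unset($session['token']);            // one-time use: no replay
    if (!is_string($post['formToken'])) {
        return false;                    // e.g. formToken[]= array trickery
    }
    return hash_equals($expected, $post['formToken']);
}

// Constructed requests exercising the check (demo data, not real traffic).
$session = [];

// 1. Legitimate submit: the browser returns the token it was given.
$token = issue_token($session);
echo hidden_field($token), "\n";
printf("legit submit:        %s\n", check_token($session, ['formToken' => $token]) ? 'accepted' : 'rejected');

// 2. Replay of that same token after it has been consumed.
printf("replayed token:      %s\n", check_token($session, ['formToken' => $token]) ? 'accepted' : 'rejected');

// 3. Cross-site forgery: the attacker's page cannot read the victim's
//    session token and has to guess.
issue_token($session);
printf("guessed token:       %s\n", check_token($session, ['formToken' => str_repeat('0', 64)]) ? 'accepted' : 'rejected');

// 4. Forged POST with the field missing entirely.
issue_token($session);
printf("missing token:       %s\n", check_token($session, []) ? 'accepted' : 'rejected');

// 5. Field sent as an array (formToken[]=x) instead of a string.
issue_token($session);
printf("array-typed token:   %s\n", check_token($session, ['formToken' => ['x']]) ? 'accepted' : 'rejected');
```

Only the first request should be accepted. In a real handler the two arrays are $_SESSION and $_POST after session_start(), and the token is issued in the script that renders the form and checked in the one that processes it, exactly as in the post's two files.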