Posted by Justin Koivisto on 03/10/06 00:07
Scott wrote:
> I've been trying to come up with a way to ensure user input is coming
> from the form on my site, and not auto-submitted from elsewhere, and I
> don't want to use the "enter the code shown in the image" method. I know
Even using a captcha (enter code shown in image) you cannot be 100%
certain that the form posted was from your site...
> the $_SERVER['HTTP_REFERER'] contents can be spoofed, so I thought of
> doing something similar to this:
<snip>
> I'm looking for feedback on this method. Do you think this is an
> effective way to ensure the input you're receiving is indeed from your
> form? Obviously, the random code key will be visible to the client, but
> without the matching session variable, it will be useless.
Great for protecting against CSRF, but you can still "submit" the form
without opening your site up in a browser.
The session/token can be gotten around with things like curl. This is
the same method that Chris Shiflett outlined in his Essential PHP
Security book (phpsecurity.org) in Chapter 2.
By all means, use this method, but don't forget that you also need to
check that all the fields you expect are there, that you don't use any
fields that shouldn't be there, and that you filter all input and escape
all output.
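The session-token check the reply describes, together with the field whitelist it says you still need, as an added example in PHP; it is not code from the thread or from Shiflett's book. Session and posted data are passed in as arrays so the functions run without a web server, and the field names are assumptions.

```php
<?php
// Added example, not from the thread: the session-token check the reply
// describes plus the field whitelist it says you still need. Session and
// post data are passed as arrays so it runs without a web server; the
// field names are assumptions. Needs PHP 7+ (random_bytes, hash_equals).

const EXPECTED_FIELDS = ['token', 'name', 'email', 'comment'];

// Mint a random token and remember it in the session (call when rendering the form).
function issueToken(array &$session): string {
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// Hidden field carrying the token. It is hex, but escape it anyway: escape all output.
function tokenField(string $token): string {
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate one submission. Returns a list of problems; an empty list means accept.
function checkSubmission(array $session, array $post): array {
    $errors = [];
    // 1. The session must hold a token and the posted one must match it
    //    (constant-time compare, so a guesser learns nothing from timing).
    if (!isset($session['token'], $post['token'])
        || !hash_equals($session['token'], (string) $post['token'])) {
        $errors[] = 'token';
    }
    // 2. Every expected field must be present...
    foreach (EXPECTED_FIELDS as $field) {
        if (!array_key_exists($field, $post)) {
            $errors[] = "missing:$field";
        }
    }
    // 3. ...and anything not expected is rejected rather than silently used.
    foreach (array_keys($post) as $field) {
        if (!in_array($field, EXPECTED_FIELDS, true)) {
            $errors[] = "unexpected:$field";
        }
    }
    // 4. Filter input: each field gets its own validation, e.g. the address.
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid:email';
    }
    return $errors;
}
```

As the reply warns, a script that first fetches the form receives a valid token too, so this shows the submission came through your form, not that a person filled it in.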