  1. #1 SitePoint Member (Join Date: May 2005; Posts: 21)

    Help with securing my POSTING script?

    I have been working on a script that gets a score from a Flash game and, through PHP, submits the info into a database. The trouble I just realized is that the information can be easily altered by making a simple HTML form pointing to my PHP script. I was looking around and found a piece of code that looked like this...
    Code:
    if ($_SERVER['HOST_NAME'] == $myservername)
    Now for some reason this bit of code, when I wrap it around the script, doesn't do anything. Any ideas on how to do this, or perhaps a new way to submit the information?
    Last edited by dlngle; May 24, 2005 at 23:54.

  2. #2 SitePoint Zealot (Join Date: Jan 2005; Posts: 104)
    Does not look like HOST_NAME is a predefined variable.

    http://us2.php.net/manual/en/reserve...riables.server

    You should be checking the referer to see if it is a script on your server.

    $_SERVER['HTTP_REFERER'] == $mydomain

  3. #3 SitePoint Evangelist djdykes (Join Date: Feb 2005; Location: Chester, Cheshire; Posts: 565)
    Make the script that does the submitting post back to itself.
    Then you can check if

    $_SERVER['HTTP_REFERER'] == $_SERVER['PHP_SELF']

  4. #4 bigduke, "get into it!" (Join Date: May 2004; Location: Australia; Posts: 847)
    HTTP_REFERER is browser dependent, so you might want to look into hash-string security.
    I.e. when the user is on the form, you set a cookie/session var through PHP which contains a hash string, then the same hash string goes out with the form. On the receiving end you check the incoming hash from the form against the one in the session var/cookie ... and then, after all operations, unset the hash string.
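The one-time token scheme bigduke describes, written out as an added example (this is not code from the thread or from any poster). It assumes PHP sessions are in use, a form field named `score_token`, a session key of the same name, and a score that fits in nine digits; all of those names and bounds are assumptions. The token only proves the submission came from a page this server handed out; it does not prove the number itself is honest, so the score is still range-checked separately.

```php
<?php
// Added example, not from the thread: a one-time session token that the page
// embedding the game mints and the score-receiving script checks and discards.
// Session key, form field name and score bounds are assumptions.
declare(strict_types=1);

session_start();

// Step 1: the page that embeds the game mints a token and stores it server-side.
// Echo the returned value into the form (or the Flash vars) so it comes back
// with the score submission.
function issueScoreToken(): string
{
    $token = bin2hex(random_bytes(32));          // 64 hex chars, unguessable
    $_SESSION['score_token'] = $token;
    $_SESSION['score_token_issued'] = time();
    return $token;
}

// Step 2: the receiving script compares the submitted token with the session
// copy, then removes it so the same token cannot be used twice.
function consumeScoreToken(string $submitted, int $maxAgeSeconds = 3600): bool
{
    $stored = $_SESSION['score_token'] ?? null;
    $issued = $_SESSION['score_token_issued'] ?? 0;
    // Always clear the token, even on failure, so a wrong guess cannot be retried.
    unset($_SESSION['score_token'], $_SESSION['score_token_issued']);
    if (!is_string($stored) || time() - $issued > $maxAgeSeconds) {
        return false;                            // no token issued, or it expired
    }
    return hash_equals($stored, $submitted);     // constant-time comparison
}

// Step 3: sanity-check the score itself; the token says nothing about the value.
function validateScore(string $raw): ?int
{
    if (!preg_match('/^\d{1,9}$/', $raw)) {
        return null;                             // not a plain non-negative integer
    }
    return (int) $raw;
}

// Receiving-script entry point (the "highscores" script in the thread's layout).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = (string) ($_POST['score_token'] ?? '');
    $score = validateScore((string) ($_POST['score'] ?? ''));
    if (!consumeScoreToken($token) || $score === null) {
        http_response_code(403);
        exit('Rejected');
    }
    // ... insert $score into the database with a prepared statement ...
    echo "Score {$score} accepted";
}
```

The token is cleared before the comparison result is known, so a rejected request always costs the client a fresh page load to obtain another one, and `hash_equals` avoids leaking the stored value through timing differences.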

  5. #5 SitePoint Member (Join Date: May 2005; Posts: 21)
    Wow!
    OK, so let me get this straight: instead of asking whether the host is right, I'm asking whether the domain is correct?
    It should look something like this..
    Code:
    // Allow the request if the referer is the domain or the script itself
    if ($_SERVER['HTTP_REFERER'] == 'dlngle.com' || $_SERVER['HTTP_REFERER'] == $_SERVER['PHP_SELF']) {
        // continue script
    } else {
        exit;
    }
    btw
    a quick layout..
    I have a database page in a folder called includes.
    Outside that I have the Flash game embedded on a PHP page that does not submit the score. When the action is sent, the game calls a script called highscores which just has an include to a script that does everything. Is this wrong?

  6. #6 SitePoint Zealot (Join Date: Jan 2005; Posts: 104)
    bigduke is right about HTTP_REFERER. If you want better security then you will have to set something on one page and then verify it on the next.

    I don't think there is anything wrong with what you are doing.

  7. #7 SitePoint Member (Join Date: May 2005; Posts: 21)
    I just tried it, and I think I worked out the problem.
    Viewing the high scores on the one page is difficult because when I put the code I mentioned above in, it just brings up a blank screen.. Any ideas?

    Another thing what does the HTTP_REFERER action do?

  8. #8 SitePoint Zealot (Join Date: Jan 2005; Posts: 104)
    HTTP_REFERER is the url string of the page that linked to yours. So if a link to http://www.example.com was located on the page http://www.referer.com then the $_SERVER['HTTP_REFERER'] variable on http://www.example.com would be http://www.referer.com.

    Your script is probably not working because I don't think you understand that http_referer returns the entire url string not just the domain name. You will have to parse it for that part of the string.
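Comparing only the host part of the referer, as this reply suggests, as an added example (not code from the thread). It uses `parse_url` to pull the host out of the full URL, treats a missing or malformed referer as a failed check rather than a pass (browsers and proxies often omit the header, which is the browser-dependence bigduke mentioned), and requires an exact host match. The sample URLs are constructed; the `www.dlngle.com` host is the one from the thread.

```php
<?php
// Added example, not from the thread: check the referer by its host name
// rather than by string-equality on the whole URL. Sample URLs are constructed.
declare(strict_types=1);

function refererMatchesHost(?string $referer, string $expectedHost): bool
{
    if ($referer === null || $referer === '') {
        return false;               // header absent: unknown origin, not a pass
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;               // malformed referer
    }
    // Exact host match, case-insensitive; scheme, path and query are ignored.
    return strcasecmp($host, $expectedHost) === 0;
}

// Constructed sample referers and the result the check should give for each.
$cases = [
    'http://www.dlngle.com/flashgame/test.php' => true,   // full URL, same host
    'https://WWW.DLNGLE.COM/'                  => true,   // case differs only
    'http://www.dlngle.com.example/'           => false,  // different host
    'http://dlngle.com/'                       => false,  // bare domain is a different host
    ''                                         => false,  // no referer sent
];
foreach ($cases as $ref => $expected) {
    $got = refererMatchesHost($ref, 'www.dlngle.com');
    printf("%-45s -> %s\n", $ref === '' ? '(no referer)' : $ref, $got ? 'allowed' : 'rejected');
    assert($got === $expected);
}

// Usage in the receiving script: $_SERVER['HTTP_HOST'] is the host the request
// arrived at, which is what the referer host should be compared against.
// if (!refererMatchesHost($_SERVER['HTTP_REFERER'] ?? null, $_SERVER['HTTP_HOST'])) { exit; }
```

Because the referer is supplied by the client and frequently missing, this check is at best a secondary signal; the session token approach from earlier in the thread is the one to rely on, with this as an extra filter.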

  9. #9 SitePoint Member (Join Date: May 2005; Posts: 21)
    Oh, I have been a member of this site less than an hour and already learnt a lot :P
    I think I know what you mean about the full URL.. e.g. (http://www.dlngle.com/flashgame/test.php)
    So if I was to put $_SERVER['HTTP_REFERER'] == $_SERVER['PHP_SELF']
    it couldn't work, because I echoed PHP_SELF and it only showed the subdirectories from the domain. On my home computer it's difficult to test anything with my .com because I can't seem to get the windows/system32/drivers/etc/hosts file to work. So everything on my site is tested for local and remote use; if I put www.dlngle.com anywhere on the page it will bring up errors and won't load it. But yeah, there's my life story.
