  1. #1
    SitePoint Zealot
    Join Date: Oct 2004
    Location: world
    Posts: 128

    how to make more secure form script

    Hi,

    I wrote a form, i.e. register.html. It calls reg.php:

    <form method="POST" action="reg.php">

    Now I want reg.php to only accept input from register.html.
    Is it possible?
    Hope it is clear.

  2. #2
    SitePoint Enthusiast
    Join Date: Mar 2007
    Location: Toronto
    Posts: 58
    Hi there,

    take a look at
    http://phpsec.org/projects/guide/2.html

    The idea would be to create a unique $token in register.html. Set it as a session variable, and also as a hidden form input. In reg.php, you could check

    PHP Code:
    // Compare as strings in constant time; a loose == could accept type-juggled values.
    if (isset($_SESSION['token'], $_POST['token']) && is_string($_POST['token'])
        && hash_equals($_SESSION['token'], $_POST['token']))

    Hope that helps

  3. #3
    SitePoint Evangelist
    Join Date: Mar 2005
    Location: Ottawa, Canada
    Posts: 580
    Check the referrer in $_SERVER as a first check, but that can be spoofed.

    The best way to add security in your forms is to generate a unique token for the form which can only be used once. You save the token in the user's session vars when he loads the form page, and you put it in the form as part of a hidden field. When the user submits the form, you check the tokens; if they don't match, you reject the submit. You are then sure that the form was loaded from your website and that it's not an imitation someone uses to try to break your site. This won't prevent bots from loading your page and then trying to post stuff through the form as a regular user, though, but other techniques exist to help counter that, like Captchas and other stuff.

    The last technique is the same as the referrer one, except you are guaranteed to get a token since you generate it. You can't count on people having their referrer enabled in their browser all the time, for valid or invalid reasons. But if you generate the token yourself, you will always have a "referrer" to assess that the form was loaded from your server and sent to your server.
    David
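    The token scheme described in the two replies above, written out as an added example (not code from either poster). It assumes the form page is renamed from register.html to register.php, because a static .html file cannot generate and store a token; the one script both serves the form and handles the POST.

```php
<?php
// Added example: a single register.php that issues a per-form token and
// validates it on submit. Assumes PHP 7+ with sessions available.
session_start();

function issue_token(): string {
    // 32 bytes from the CSPRNG, hex-encoded, saved in the user's session.
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    return $token;
}

function token_is_valid(array $post, array &$session): bool {
    if (!isset($session['token'], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    // Constant-time comparison; a loose == would accept type-juggled values.
    $ok = hash_equals($session['token'], $post['token']);
    // Single use: discard the token whether or not it matched.
    unset($session['token']);
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Form token missing or invalid; please reload the form.');
    }
    // ... validate and process the registration fields here ...
    exit('Registration accepted.');
}

// GET: issue a fresh token and render the form with it in a hidden field.
$token = issue_token();
?>
<form method="POST" action="register.php">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <label>Username <input type="text" name="username"></label>
  <button type="submit">Register</button>
</form>
```

    A submission that arrives without a session token, with a mismatched token, or with a token that was already used is rejected with 403, which covers the forged-form case the replies describe; as the third reply notes, a bot that loads the form first still gets a valid token, so this is not a substitute for a Captcha or rate limiting.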
