Reputation: 365
I want to protect my action page so that whenever a user or hacker directly hits www.something.com/process.php, that should not have any effect. Please help me secure the process.php page when a user hits it directly from the browser address bar.
I have the following code in index.html
<form method="post" action="process.php">
Name:<input type="text" name="txtname"><br/>
Age :<input type="text" name="age"><br/>
<input type="submit" value="submit">
</form>
I have the following in process.php
<?php
//connection code to connect and use database...
$name=mysql_real_escape_string($_POST['txtname']);
$age=mysql_real_escape_string($_POST['age']);
$sql="insert into table values('$name','$age')";
$result=mysql_query($sql);
?>
Upvotes: 0
Views: 90
Reputation: 36
What about making sure that the user opened index.html first before navigating to process.php?
You have two options:
From process.php, make sure that the $_SERVER['HTTP_REFERER'] value matches your index.html page:
if($_SERVER['HTTP_REFERER'] == "http://localhost/index.html"){
//do your work here
}
Another solution, you can for example create a random variable in a hidden input in the index.html, store it in the session, then in the process.php page you can check if the variable that you stored in the session matches the variable sent by the form.
These are some basic ways to secure your application from an attack called CSRF; you can read more about it here:
https://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.gnucitizen.org/blog/csrf-demystified/
Upvotes: 1
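The second option in the answer above (a random value placed in a hidden input and remembered in the session) as one self-contained script; this is an added example, not code from the question or the answer. The token check is the stronger of the two options, because the Referer header is supplied by the client and is frequently absent (stripped by browsers, extensions or proxies), so a Referer comparison both rejects legitimate users and can be satisfied by a client that sets the header itself. The file name, the session key `form_token` and the field name `token` are assumptions; the other field names come from the question's form.

```php
<?php
// Added example: one script that renders the form on GET and verifies the
// per-session token on POST. Run with the built-in server
//   php -S localhost:8000 csrf_demo.php
// and open http://localhost:8000/ in a browser. Names are assumed (see lead-in).
session_start();

// Issue a fresh random token and remember it server-side in the session.
function issueToken(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Compare the submitted token with the stored one in constant time and
// consume it, so a captured token cannot be replayed for a second submission.
function verifyToken(?string $submitted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // GET (including a direct visit from the address bar): show the form only.
    $token = issueToken();
    echo '<form method="post" action="">';
    echo 'Name:<input type="text" name="txtname"><br/>';
    echo 'Age :<input type="text" name="age"><br/>';
    echo '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    echo '<input type="submit" value="submit">';
    echo '</form>';
    exit;
}

// POST: reject anything that did not arrive through a form we rendered.
if (!verifyToken($_POST['token'] ?? null)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Invalid or missing form token');
}

// The request carries a token this server issued for this session; the real
// work (the database insert from the question) belongs here.
echo 'Form accepted for '
    . htmlspecialchars($_POST['txtname'] ?? '', ENT_QUOTES, 'UTF-8');
```

Consuming the token on every POST means a page reload after a failed submission must render a new form (and a new token); if the application keeps several forms open at once, store one token per form name instead of a single `form_token` key.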
Reputation: 426
One way would be checking whether the form has been submitted and putting all the actions inside that condition, as follows:
<?php
if(isset($_POST['txtname']))
{
//connection code to connect and use database...
$name=mysql_real_escape_string($_POST['txtname']);
$age=mysql_real_escape_string($_POST['age']);
$sql="insert into table values('$name','$age')";
$result=mysql_query($sql);
}
else
{
// form not submitted
}
?>
Extra security can be added by wrapping the whole thing inside another condition that checks whether the user has logged in, as follows:
<?php
if(checkUserLogin())
{
if(isset($_POST['txtname']))
{
//connection code to connect and use database...
$name=mysql_real_escape_string($_POST['txtname']);
$age=mysql_real_escape_string($_POST['age']);
$sql="insert into table values('$name','$age')";
$result=mysql_query($sql);
}
else
{
// form not submitted
}
}
else
{
// user has not logged in yet. redirect to login-page using header("location:....");
}
?>
where checkUserLogin() can be a function that checks the user's login details, for example:
// requires session_start() to have been called earlier in the request
function checkUserLogin()
{
$return= false;
// isset() avoids an undefined-index notice when the flag was never set
if(isset($_SESSION['userloggedin']) && $_SESSION['userloggedin']==1)
{
$return=true;
}
return $return;
}
Upvotes: 0
Reputation: 10643
$name=mysql_real_escape_string($_POST['txtname']);
$age=mysql_real_escape_string($_POST['age']);
What happens if this is not a POST request? Or if it is a POST request, but those two fields are not present? This code is broken. Now, your configuration may ignore that error and treat $_POST['age'] as a blank when it is not set, but that’s not something you should be relying on.
class Request {
public static function value($arr, $field, $default=null) {
return isset($arr[$field]) ? $arr[$field] : $default;
}
public static function get($field, $default=null) {
return self::value($_GET, $field, $default);
}
public static function post($field, $default=null) {
return self::value($_POST, $field, $default);
}
}
That should exist as a useful class you can call when you want it. And then, in this file, you can have
$name = mysql_real_escape_string(Request::post('txtname'));
$age = mysql_real_escape_string(Request::post('age'));
if ($name && $age) {
// Do database stuff here.
}
For a quicker solution, you could just stick
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
exit;
}
at the top of the file.
Incidentally, the mysql_* family of functions has been removed from the latest versions of PHP. You should migrate to the mysqli_* family or to PDO if you want your code to continue to work when you upgrade your PHP installation.
Upvotes: 0
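A complete process.php that combines the request-method check from this answer, the logged-in gate from the answer above it, and the suggested move away from mysql_* to PDO prepared statements. This is an added example, not code from the question or from any of the answers. The DSN, the credentials, the table name `people`, the file `login.php` and the session flag `userloggedin` are assumptions; the field names are the question's.

```php
<?php
// Added example: hardened process.php (names and credentials are assumed).
session_start();

// 1. Only accept form submissions. Typing the URL into the address bar
//    produces a GET, which stops here with a proper status code.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('HTTP/1.1 405 Method Not Allowed');
    header('Allow: POST');
    exit;
}

// 2. Only logged-in users may write. The flag is assumed to be set by login.php.
if (empty($_SESSION['userloggedin'])) {
    header('Location: login.php');
    exit;
}

// 3. Read the fields without depending on undefined-index notices, then validate
//    them explicitly instead of trusting whatever the client sent.
$name = trim($_POST['txtname'] ?? '');
$age  = filter_var($_POST['age'] ?? '', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0, 'max_range' => 150],
]);
if ($name === '' || mb_strlen($name) > 100 || $age === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('A name and a numeric age are required');
}

// 4. Insert with a prepared statement. The values are sent separately from the
//    SQL text, so no escaping function is needed and the input cannot change
//    the structure of the query.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('INSERT INTO people (name, age) VALUES (:name, :age)');
$stmt->execute([':name' => $name, ':age' => $age]);

// Redirect after a successful POST so a browser refresh does not resubmit.
header('Location: index.html');
exit;
```

Disabling emulated prepares makes MySQL itself parse the statement with the placeholders, so the parameters are never interpolated into the query string on the PHP side; the error mode of `ERRMODE_EXCEPTION` ensures a failed insert surfaces as an exception rather than a silently ignored false return.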
Reputation: 2729
You should try something like this:
<form method="post" action="process.php">
Name:<input type="text" name="txtname"><br/>
Age :<input type="text" name="age"><br/>
<input type="submit" value="submit" name="ButtonName">
</form>
Add a name of your button. Then change your process.php file to something like this :
<?php
if (!isset($_POST['ButtonName'])) // If the submit button hadn't been hit
{
// Kick the user off the page
echo "<script type=\"text/javascript\">window.location='index.html';</script>";
}
else
{
//connection code to connect and use database...
$name=mysql_real_escape_string($_POST['txtname']);
$age=mysql_real_escape_string($_POST['age']);
$sql="insert into table values('$name','$age')";
$result=mysql_query($sql);
}
?>
Now if you try to enter process.php without submitting the form, you will automatically be "kicked".
Upvotes: 0
Reputation: 5512
Add the following line to the top of process.php
if (empty($_POST)) {
header('HTTP/1.0 403 Forbidden');
die('Restricted');
}
Upvotes: 2
Reputation: 242
Check the data you sent first, and make your code like the following:
<?php
//connection code to connect and use database...
// read each field only if it was actually posted, to avoid undefined-index notices
$name = isset($_POST['txtname']) ? mysql_real_escape_string($_POST['txtname']) : '';
$age  = isset($_POST['age'])     ? mysql_real_escape_string($_POST['age'])     : '';
// insert only when both fields were submitted and are non-empty
if($name != '' && $age != ''){
$sql="insert into table values('$name','$age')";
$result=mysql_query($sql);
}
?>
Upvotes: -1