proyb3

Reputation: 1

php check form submit from url

How do I ensure that an attacker or spammer does not attempt to send data from the http://localhost computer? I am developing a Flex/Flash application which would then submit the data to PHP. I know they have the ability to decompile ActionScript; would the HTTP_REFERER help?

Upvotes: 0

Views: 1332

Answers (5)

Your Common Sense

Reputation: 157919

The answer is simple: you cannot.
Because every form is actually being sent from the user's local computer. That's an HTML thing and you'd better understand that; it will save you a ton of time.

In general you don't need any protection at all, but for some particular cases the protection tactics will be different:

  • to prevent spam use a CAPTCHA
  • to prevent CSRF use unique token, stored both in the session and form's hidden field
  • add your own particular task here to get a particular protection method. From what attack do you want to defend?

Upvotes: 0
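The CSRF token the answer above describes, as an added example that is not part of the original answer: one random token per session, stored in $_SESSION and echoed into a hidden form field, then compared on POST. The field name csrf_token is an arbitrary choice, and the code assumes PHP 7 or later (for random_bytes() and hash_equals()) with sessions configured.

```php
<?php
// Added example, not from the original answer: per-session CSRF token that is
// stored in $_SESSION and in a hidden form field, then compared on POST.
// The field name "csrf_token" is an arbitrary choice; assumes PHP 7+ and sessions.

declare(strict_types=1);

function csrf_token(): string
{
    // One token per session, created lazily. 32 random bytes -> 64 hex chars.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input for the HTML form (or the value a Flash client must send back).
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_valid(array $post, array $session): bool
{
    if (!isset($post['csrf_token'], $session['csrf_token'])) {
        return false;                       // no token on either side: reject
    }
    if (!is_string($post['csrf_token'])) {
        return false;                       // arrays (csrf_token[]=...) are not tokens
    }
    // hash_equals() compares in constant time, so the check does not leak
    // how long a prefix of the token matched.
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... handle the submission here: it came with a token only this session knows ...
    exit('ok');
}

// GET: render the form with the token embedded.
?>
<form method="post" action="">
    <?= csrf_field() ?>
    <input type="text" name="comment">
    <button type="submit">Send</button>
</form>
```

Note what this does and does not prove: a valid token shows the request was built by a page (or SWF) that had already loaded the token from this same session, which is what stops a third-party site from forging the POST; it says nothing about which machine the request came from, which is the answer's point.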

bcosca

Reputation: 17555

Use CAPTCHA for verification. You can't tell if the source or referrer is the localhost or a public IP address when a form is submitted; the localhost you'll see is your own.

Upvotes: 0

Scott Saunders

Reputation: 30414

Not all browsers supply HTTP_REFERER and it can easily be spoofed, so it will not secure your form.

The best thing you can do, and really the only thing you can do, is to make sure that your PHP code does not trust any input. You should check that any values submitted to your form are within an acceptable range of values, double check login information if appropriate, etc.

If you're worried about bots, use recaptcha or limit the number of submissions for any IP address to 3 a minute (as an example - choose an appropriate speed for your situation).

In short: you can NEVER be certain where a form submission originated. You must be prepared to deal with submissions from attackers.

Upvotes: 1
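Both halves of the answer above in code, as an added example that is not part of the original answer: every submitted value is checked against an allowed shape (validation whitelist), and a per-IP counter caps submissions at 3 per minute. The field names, the limits and the JSON file under the system temp directory that holds the counters are arbitrary choices for the example; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not from the original answer: validate every submitted value
// and cap submissions per client IP at MAX_PER_WINDOW per WINDOW_SECONDS.
// Field names, limits and the counter file are arbitrary choices; assumes PHP 7.4+.

declare(strict_types=1);

const MAX_PER_WINDOW = 3;
const WINDOW_SECONDS = 60;

/** Return the list of validation errors; an empty array means the input is acceptable. */
function validate_submission(array $post): array
{
    $errors = [];

    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }

    // Whitelist: the only values this field can legitimately carry.
    $allowed_ratings = ['1', '2', '3', '4', '5'];
    if (!in_array($post['rating'] ?? '', $allowed_ratings, true)) {
        $errors[] = 'rating must be 1-5';
    }

    $comment = $post['comment'] ?? '';
    if (!is_string($comment) || strlen($comment) > 1000) {
        $errors[] = 'comment must be a string of at most 1000 bytes';
    }

    return $errors;
}

/** Sliding-window counter: true if this IP may submit now, false if it is over the limit. */
function allow_submission(string $ip, int $now, string $store_path): bool
{
    $fh = fopen($store_path, 'c+');       // create if missing, do not truncate
    if ($fh === false) {
        return false;                     // fail closed if the store is unavailable
    }
    flock($fh, LOCK_EX);
    $raw = stream_get_contents($fh);
    $counts = $raw === '' ? [] : (json_decode($raw, true) ?: []);

    // Keep only the timestamps still inside the window for this IP.
    $recent = array_values(array_filter(
        $counts[$ip] ?? [],
        fn ($t) => $t > $now - WINDOW_SECONDS
    ));

    $allowed = count($recent) < MAX_PER_WINDOW;
    if ($allowed) {
        $recent[] = $now;                 // record this submission
    }
    $counts[$ip] = $recent;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($counts));
    flock($fh, LOCK_UN);
    fclose($fh);

    return $allowed;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $store = sys_get_temp_dir() . '/form_rate_limit.json';

    if (!allow_submission($ip, time(), $store)) {
        http_response_code(429);
        exit('Too many submissions, try again in a minute');
    }

    $errors = validate_submission($_POST);
    if ($errors !== []) {
        http_response_code(400);
        exit(implode("\n", $errors));
    }
    // ... store the validated values ...
    exit('ok');
}
```

The limiter is keyed on REMOTE_ADDR, the address of the TCP peer; behind a reverse proxy that is the proxy, so the key would have to come from a forwarded-address header that the proxy itself sets and that clients cannot inject. The validation runs after the limiter so that a flood of garbage still costs the attacker the same budget as valid submissions.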

Sarfraz

Reputation: 382806

parse_url() combined with string manipulation should work. Try this:

// HTTP_REFERER is absent in many requests, so read it defensively
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$url = parse_url($referer);   // returns false for a malformed URL
$host = '';
if (is_array($url) && isset($url['host'])) {
    // keep the last two labels: www.google.com -> google.com
    $host = implode('.', array_slice(explode('.', $url['host']), -2));
}

if (strtolower($host) == 'google.com') {
// code......
}

Upvotes: 0

David Yell

Reputation: 11855

You could use the referrer, but even that could be spoofed. If it were me, I would sha1() some random string or something in your Flash and pass that with your form; then you could sha1() on the PHP side and check them.

Perhaps you could even make it something dynamic, like

sha1(date('Y-m-d')."MySaltPhrase");

Upvotes: 0
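The PHP side of the date-bound token suggested above, as an added example that is not part of the original answer: the server recomputes sha1(date . salt) for the current UTC day and for the previous one, so a client submitting just after midnight (or in another time zone) still passes, and compares in constant time. "MySaltPhrase" is the placeholder from the answer, the field name token is an arbitrary choice, and the Flash client is assumed to compute the same value with the same salt.

```php
<?php
// Added example, not from the original answer: verify sha1(date . salt) on the
// PHP side, accepting today's and yesterday's UTC date. "MySaltPhrase" and the
// field name "token" are placeholders; assumes PHP 5.6+ for hash_equals().

declare(strict_types=1);

const SHARED_SALT = 'MySaltPhrase';

function daily_token(string $ymd, string $salt = SHARED_SALT): string
{
    return sha1($ymd . $salt);   // e.g. sha1('2024-01-31MySaltPhrase')
}

/** Accept the token for $now's UTC day or the day before, reject anything else. */
function token_valid(string $submitted, int $now, string $salt = SHARED_SALT): bool
{
    foreach ([0, 86400] as $seconds_back) {
        $day = gmdate('Y-m-d', $now - $seconds_back);
        // constant-time comparison; sha1 output is always 40 hex chars
        if (hash_equals(daily_token($day, $salt), $submitted)) {
            return true;
        }
    }
    return false;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $submitted = $_POST['token'] ?? '';
    if (!is_string($submitted) || !token_valid($submitted, time())) {
        http_response_code(403);
        exit('bad token');
    }
    // ... handle the submission ...
    exit('ok');
}
```

The limit of this scheme follows from the question itself: the salt has to be inside the SWF for the client to compute the token, and the SWF can be decompiled, so anyone who extracts the salt can produce a valid token from any machine. It filters out generic bots that never loaded the application, nothing more.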
