Reputation: 381
I have this page which posts data to another URL. I tried using cURL but it didn't work, since I need the user to be redirected to the destination website and cURL was just bringing it into the current one. So what I'm doing is
<form action='http://destination.com' method='post' name='frm'>
<!-- session key was misspelled ("accont_id"); escape the value so it cannot break out of the attribute -->
<input type='hidden' name='account_id' value='<?php echo htmlspecialchars($_SESSION["account_id"], ENT_QUOTES, "UTF-8"); ?>'>
</form>
<script>
// auto-submit the form so the browser POSTs account_id to the destination
document.frm.submit();
</script>
But obviously this is totally insecure, and any user using a program like Charles Proxy can intercept and change this data. Is there a way to protect it? Validation won't do the job because the users are aware of the kind of data my database has; they know everyone's account id and I can't change that. What can I do? Maybe encryption will work? Even if the user is able to change the data it's OK, as long as they can't change it to another valid account's id. I'm thinking of something like a secret/hash but can't put it all together in my mind.
I tried using this:
$url = 'http://www.destination.com';
// $header was never defined in the original; declare the request headers explicitly
$header = array('Content-Type: application/x-www-form-urlencoded');
$curl = curl_init();
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($curl, CURLOPT_AUTOREFERER, true);
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, 'account_id='.urlencode($_SESSION["account_id"]));
// without RETURNTRANSFER the remote response is echoed straight into this page
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($curl);
curl_close($curl);
// the browser then GETs the destination on its own, carrying none of the POSTed data
echo "<meta http-equiv='refresh' content='0;url=http://destination.com'/>";
But the page was redirected and no data arrived. The POST wouldn't go through.
Upvotes: 0
Views: 122
Reputation: 42915
The bottom line of the discussion in the comments above results in this approach to what you are actually trying to do:
You make the cURL request to the remote system posting the user id, so server to server. The remote system creates some random token (a random 32-char string) and returns it; it stores that token together with the posted user id for later reference. Now the local system sends a redirection header to the client which includes that token. That leads to the client making a request to the remote system claiming the token it was handed. The remote system checks for a stored token, can derive the user id from it, creates a user session and deletes the token.
Upvotes: 1
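The handoff described in the answer above, written out as an added example (not the answerer's code and not the asker's). It assumes the two servers share a secret sent in an `X-Shared-Secret` header over HTTPS, that the remote stores tokens in a database (replaced here by an in-memory array so the whole flow runs as one script), and that the URLs `https://destination.example/...` and the account id `4711` are constructed placeholders. The point it shows: the browser only ever sees an unguessable one-time token, so tampering with the redirect can at worst produce an unknown token, never another valid account.

```php
<?php
// Added example: one-time token handoff between a local site and a remote site.
// The $store array stands in for the remote system's database (assumption).
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 60;

// ---- Remote side (destination.example) -----------------------------------

/** Server-to-server endpoint: mint a token bound to the account id it was given. */
function remote_issue_token(array &$store, string $accountId, string $presentedSecret, string $sharedSecret): ?string
{
    // Only the local server may request tokens; hash_equals avoids a timing leak.
    if (!hash_equals($sharedSecret, $presentedSecret)) {
        return null;
    }
    $token = bin2hex(random_bytes(16));            // 32 hex chars from a CSPRNG
    $store[$token] = ['account_id' => $accountId, 'expires' => time() + TOKEN_TTL_SECONDS];
    return $token;
}

/** Endpoint the browser is redirected to: redeem the token exactly once. */
function remote_redeem_token(array &$store, string $token): ?string
{
    if (!isset($store[$token])) {
        return null;                               // unknown, already used, or forged
    }
    $entry = $store[$token];
    unset($store[$token]);                         // delete first so a replay races nothing
    if ($entry['expires'] < time()) {
        return null;                               // expired
    }
    return $entry['account_id'];                   // caller now starts a session for this account
}

// ---- Local side (the asker's site) ---------------------------------------

/** Ask the remote for a token over cURL; the browser never sees the account id. */
function local_request_token(string $issueUrl, string $accountId, string $sharedSecret): ?string
{
    $curl = curl_init($issueUrl);
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['account_id' => $accountId]),
        CURLOPT_HTTPHEADER     => ['X-Shared-Secret: ' . $sharedSecret],
        CURLOPT_RETURNTRANSFER => true,            // capture the body, do not echo it
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($curl);
    $ok = $body !== false && curl_getinfo($curl, CURLINFO_RESPONSE_CODE) === 200;
    curl_close($curl);
    // Accept only a well-formed token; anything else is treated as failure.
    return ($ok && preg_match('/^[0-9a-f]{32}$/', $body)) ? $body : null;
}

/** Build the redirect the local site sends to the browser (header('Location: ...')). */
function local_redirect_url(string $redeemUrl, string $token): string
{
    return $redeemUrl . '?' . http_build_query(['token' => $token]);
}

// ---- In-process walkthrough of the three steps ---------------------------
$store  = [];
$secret = 'constructed-shared-secret';

// 1. local -> remote (server to server): here called directly instead of over the network
$token = remote_issue_token($store, '4711', $secret, $secret);

// 2. local -> browser: 302 to the remote carrying only the token
$redirect = local_redirect_url('https://destination.example/redeem', $token);
// header('Location: ' . $redirect, true, 302); exit;   // what the real page would do

// 3. browser -> remote: remote looks the token up, logs the user in, deletes it
parse_str((string) parse_url($redirect, PHP_URL_QUERY), $query);
$first  = remote_redeem_token($store, $query['token']);    // "4711"
$replay = remote_redeem_token($store, $query['token']);    // null: already consumed
$forged = remote_redeem_token($store, str_repeat('0', 32)); // null: never issued

echo "redeemed as: " . var_export($first, true) . PHP_EOL;
echo "replay accepted: " . var_export($replay !== null, true) . PHP_EOL;
echo "forged accepted: " . var_export($forged !== null, true) . PHP_EOL;
```

Two details matter for the security argument. The token is deleted before it is checked for expiry, so a second request with the same token (a replay, or the user hitting back) finds nothing. And the remote never trusts anything in the browser's request except as a lookup key: the account id comes from the remote's own store, populated only via the secret-protected server-to-server call, which is why a user editing the redirect in Charles Proxy gains nothing.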