Reputation: 23
Securing user input through forms PHP
I am making my own social media network for a project at college. One hurdle I have come across is secure forms.
I am making an option for one user to send a friend request to another user, which I can code. But that tricky part is making it secure. If I were to just use xxxxxx/profile.php?id=2&action=sendfr then people could be sent that link and made to send them a friend request.
If I sent action=sendfr as POST data then a spoofer could make a form on a website to do the same.
One method I am considering is sending some sort of AuthKey in POST data that is sent to the client for these purposes.
Could anyone please recommend the best option for making user actions secure?
Upvotes: 0
Views: 62
Answers (1)
Reputation: 1695
What you are trying to avoid is a Cross-site request forgery. There several ways to avoid them but the most popular is to generate a random token in the server and send it with every page that can make changes in persistent data. Then when the user sends a request back it must include the token so the server can verify that the tokens match. In this case the tokens must be random and different in every request. You would find more details and techniques in the OWASP page linked above.
Upvotes: 2
Related Questions
- How do I secure PHP forms?
- Protect HTML form from Javascript/Attacks
- Custom user HTML input safety
- Basic form security
- How to secure my html+PHP forms to prevent user hacking/changes
- Input secure by PHP
- PHP, HTML, CSS, Javascript Form Security
- Form Security & PHP?
- How to plan a "secure" HTML FORM
- PHP secure form