Reputation: 417
What is the best solution to "form spoofing" besides filtering the inputs?
I understand the following:
Referrer can be spoofed
Telnet can be used to fool the server
Client side filtering can be bypassed
I understand that I should avoid GET
I can use Captcha
How can I prevent somebody from posting to my form processing scripts from anywhere?
Upvotes: 0
Views: 203
Reputation: 4730
Set a hidden input on the form that's equal to the md5 value of a string made up of the session id + a secret "salt" string value. Then, when you process the form, you can get the session id, add the secret value, and compare the md5 of that to the value that was passed with the form.
Upvotes: 0
Reputation: 191779
The real question is why do you want to prevent people from being able to post to your webpage from anywhere? Your webpage should be prepared to accept any input no matter where it comes from. There are measures you can take to reduce automatic posting such as tokens, but there is no way you can prevent it completely.
Instead of trying to prevent it, though, I would welcome it. Advertise your cross-site post API and profit.
Postel's law:
TCP implementations should follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others.
Upvotes: 0
Reputation: 39304
I don't know what the best solution is necessarily, but you can use a session variable on the script that should have generated the form and check it in the script that the form POSTs to. You can md5 the variable contents and make it something somewhat random for increased security as well.
Upvotes: 0
Reputation: 116140
If someone can manually post a form, they can do it automatically too. There's no way to stop that besides moderation. You can make it harder by using captchas. But personally I hate captchas, because they are just a solution made up by lazy moderators to make the users solve their problems.
Upvotes: 2
Reputation: 47776
Not much really. Every client-side check can be spoofed or bypassed. Some authentication method is best, either using HTTP Auth or a simple system you coded yourself with sessions.
Upvotes: 0
Reputation: 190976
Here is a way to use tokens.
http://shiflett.org/articles/cross-site-request-forgeries
Upvotes: 1
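The token approach that three answers describe (the hidden field equal to md5 of session id + secret salt, the session-variable check, and the CSRF tokens in the linked article) is shown below as one example added for this thread; it is not code from any answer or from the linked article. It assumes a Python form handler that has access to a server-side session (modelled here as a dict) and a server secret (`SERVER_SECRET` is a constructed placeholder). It goes slightly beyond the answers in two ways: the keyed variant uses HMAC-SHA256 instead of md5 over a concatenated string, and both variants compare tokens in constant time; the design is otherwise the same as described.

```python
"""Form tokens: tie a POST to the session that rendered the form.
Example code added for this thread, not from any answer."""
import hashlib
import hmac
import secrets

# Constructed placeholder; a real deployment keeps this out of the source tree.
SERVER_SECRET = b"replace-with-a-long-random-secret"


def make_keyed_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token derived from the session id plus a server secret.

    Same idea as the md5(session_id + salt) answer, but HMAC-SHA256 mixes the
    secret in as a key instead of by string concatenation."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def render_hidden_field(session_id: str) -> str:
    """What the form-generating script embeds in the HTML form."""
    return f'<input type="hidden" name="token" value="{make_keyed_token(session_id)}">'


def verify_keyed_submission(session_id: str, posted: dict) -> bool:
    """What the form-processing script does: recompute the token and compare."""
    supplied = str(posted.get("token", ""))
    expected = make_keyed_token(session_id)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def issue_session_token(session: dict) -> str:
    """Second variant (the 'session variable' answer): store a fresh random
    token in the server-side session when the form is rendered."""
    token = secrets.token_hex(32)
    session["form_token"] = token
    return token


def verify_session_token(session: dict, posted: dict) -> bool:
    """Accept the submission only if it carries the token stored in this
    session; the token is consumed on success so a captured form is not
    replayable."""
    expected = session.get("form_token")
    if expected is None:
        return False  # this session never rendered the form
    supplied = str(posted.get("token", ""))
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    del session["form_token"]  # one-time use
    return True


if __name__ == "__main__":
    # Keyed variant: a token bound to one session is rejected for another.
    sid = "constructed-session-id-1234"
    print(render_hidden_field(sid))
    print(verify_keyed_submission(sid, {"token": make_keyed_token(sid)}))           # True
    print(verify_keyed_submission("other-session", {"token": make_keyed_token(sid)}))  # False

    # Session variant: the token must match and is consumed after one use.
    session = {}
    tok = issue_session_token(session)
    print(verify_session_token(session, {"token": tok}))   # True
    print(verify_session_token(session, {"token": tok}))   # False (replay)
```

Either variant only establishes that the submission came from a client that first fetched the form with a valid session, which is exactly the limit the other answers point out: a script that holds a real session can still post, so the token stops blind cross-site and replayed posts rather than automation as such. The session variant additionally makes each rendered form single-use, at the cost of storing state per session.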