Thread: [RESOLVED] Protecting from Malicious Posts

  1. #1
    Domo Arigato! Ultima Designs's Avatar
    Join Date
    Nov 2003
    Location
    Missing in Action
    Posts
    512

    [RESOLVED] Protecting from Malicious Posts

    Hey guys,

    I mentioned in here one or two times that we are working on a big project at the moment. We are trying to think of security concerns, and one of them that we have come up with is this: we don't want people to be able to recreate our forms on another website and then post the data to our website. This way, we can hopefully prevent people from registering spam accounts, for example.

    Is there any way to prevent this from happening? Maybe some way to check the referring page, and if it isn't from our domain name but has data being posted, to redirect them to a failure page or something? The website is done with PHP.

  2. #2
    $_SERVER['HTTP_REFERER']

    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
    http://us3.php.net/manual/en/reserve...riables.server

  3. #3
    Domo Arigato! Ultima Designs's Avatar
    One other question - can you spoof the referring website (could you make it appear to be something it is not)?

  4. #4
    Quote Originally Posted by Ultima Designs
    One other question - can you spoof the referring website (could you make it appear to be something it is not)?
    Yes.


    You could keep a session variable that's known only to your code. Still not perfect, but pretty OK.

  5. #5
    Domo Arigato! Ultima Designs's Avatar
    Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature.
    So, there's a chance that someone will have no setting for this, and as a result will not be permitted to access the website?

  6. #6
    Quote Originally Posted by Ultima Designs
    So, there's a chance that someone will have no setting for this, and as a result will not be permitted to access the website?
    If you require an HTTP_REFERER before accessing the web page, then they won't be able to access the web page. If you check that the HTTP_REFERER is your web page or empty, before accessing the web page, you should be better off.
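
Added example, not code posted by anyone in this thread: a single PHP page that combines the session variable suggested in post #4 with the "own site or empty" HTTP_REFERER check from post #6. The host name `www.example.com`, the field name `form_token` and the function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example; SITE_HOST, form_token and the function names are hypothetical.
const SITE_HOST = 'www.example.com'; // assumption: your own host name

// Post #4: a random per-session value that only your own pages ever emit.
function issue_form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function token_is_valid($submitted): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    // hash_equals compares in constant time; a missing or non-string value never matches.
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Post #6: accept a missing Referer, reject one that names another host.
function referer_is_acceptable(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return true; // some user agents never send the header
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, SITE_HOST) === 0;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = referer_is_acceptable($_SERVER['HTTP_REFERER'] ?? null)
        && token_is_valid($_POST['form_token'] ?? null);
    if (!$ok) {
        http_response_code(403);
        exit('Form submission rejected.');
    }
    // ... process the registration here ...
    exit('Thanks, form accepted.');
}
?>
<form method="post">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars(issue_form_token(), ENT_QUOTES) ?>">
  <input type="text" name="username">
  <button type="submit">Register</button>
</form>
```

The token is what rejects a copy of the form hosted on another site, since that copy has no way to know the value stored in the visitor's session. A client that requests the real form first still receives a valid token, so this check does not by itself stop automated registrations.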

  7. #7
    Domo Arigato! Ultima Designs's Avatar
    Haha, good call. That idea completely slipped my mind. That should take care of the issue, much thanks!

  8. #8
    Phantom Flasher... Markp.com's Avatar
    Join Date
    May 2000
    Posts
    16,034
    Moved to the correct forum.
