-
Domo Arigato!
[RESOLVED] Protecting from Malicious Posts
Hey guys,
I mentioned in here one or two times that we are working on a big project at the moment. We are trying to think of security concerns, and one of them that we have come up with is this: we don't want people to be able to recreate our forms on another website and then post the data to our website. This way, we can hopefully prevent people from registering spam accounts, for example.
Is there any way to prevent this from happening? Maybe some way to check the referring page, and if it isn't from our domain name but has data being posted, to redirect them to a failure page or something? The website is done with PHP.
-
No!
$_SERVER['HTTP_REFERER']
The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
http://us3.php.net/manual/en/reserve...riables.server
-
Domo Arigato!
One other question - can you spoof the referring website (could you make it appear to be something it is not)?
-
No!
Originally Posted by Ultima Designs
One other question - can you spoof the referring website (could you make it appear to be something it is not)?
yes.
You could keep a session variable that's known only to your code. Still not perfect, but pretty OK.
-
Domo Arigato!
Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature.
So, there's a chance that someone will have no setting for this, and as a result will not be permitted to access the website?
-
No!
Originally Posted by Ultima Designs
So, there's a chance that someone will have no setting for this, and as a result will not be permitted to access the website?
If you require an HTTP_REFERER before accessing the web page, then they won't be able to access the web page. If you check that the HTTP_REFERER is your web page or empty, before accessing the web page, you should be better off.
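An added example (not code from anyone in this thread) putting the two suggestions above together in PHP: a random token kept in the session and echoed into the form, which is the strong check, plus a Referer check that accepts an empty header as the weaker, secondary signal. The host name `www.example.com` and the field names are assumptions.

```php
<?php
// Added example (not from the thread): a session-bound form token, as suggested
// above, plus a Referer check that tolerates a missing header.
session_start();
const OWN_HOST = 'www.example.com'; // assumption: your own site's host name
// Issue a fresh random token and remember it in the session for this visitor.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}
// Accept the post only if the submitted token matches the one in the session.
// hash_equals() compares in constant time, so timing does not leak the value.
function form_token_is_valid(?string $submitted): bool {
    $expected = $_SESSION['form_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    $ok = hash_equals($expected, $submitted);
    unset($_SESSION['form_token']); // single use: a replayed token is rejected
    return $ok;
}
// Referer check as a secondary signal only: accept our own host or an empty
// header (some browsers and proxies strip it), reject any other origin.
function referer_is_acceptable(?string $referer): bool {
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, OWN_HOST) === 0;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!referer_is_acceptable($_SERVER['HTTP_REFERER'] ?? null)
        || !form_token_is_valid($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form submission rejected.');
    }
    // ... handle the registration here ...
    exit('Thanks for registering.');
}
$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="form_token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="username">
  <button type="submit">Register</button>
</form>
```

Because the token lives in the server-side session and is never shown to anyone but the visitor who loaded the form, a copy of the form on another site cannot supply a valid one; the Referer check alone would not give that guarantee.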
-
Domo Arigato!
Haha, good call. That idea completely slipped my mind. That should take care of the issue, much thanks!
-
Phantom Flasher...
Moved to the correct forum.