How to determine where _POST data is from?

androoj

Howdy folks...new registrant here. I've used PHP casually for a couple years, but not extensively. I'm working on a simple feedback page for a site that sends mail through a form. PHP will be used to send the mail based on data posted to it from the previous page.

The question is can I tell where the _POST data came from somehow? What's to prevent someone from figuring out variable names and POSTing from a page they wrote themselves? I'm hoping there's a way to stop processing if it's not posted from the place I specify.

Thanks in advance,

Andy

laserlight

You can check $_SERVER['HTTP_REFERER'], but that can be spoofed.

I suggest that you just validate all incoming data.

androoj

Thanks for the input...I just thought maybe PHP might more "aware" of where stuff was coming from. I don't think it will be a problem as people won't pick the destination email address, I just wanted to look into this before a problem could potentially arise.

TF_TheMoon

Create a function that creates a hash of a string which you can then put into your form as a hidden var, then check that the return of the function agaisnt the $_POST of it. so something like.

[phpcode]
function getSessionHash($tag = false) {
global $WS, $_SERVER;

if (!$tag) $tag = $_SERVER['PHP_SELF'];
$label = $tag . getRemoteIP() . @$WS->SessID;
return base_convert(md5($label), 16, 36);

}
[/phpcode]

In this case $WS is a session class, not the normal PHP session one but one we use here, use yuo get the idea. also getRemoteIP() is a function we have to get the IP address as a string of proxy:ip

MarkR

USers will always be able to make unauthorised modifications to posted fields.

Although you can prevent CSRF using the method suggested above by TF@TheMoon, you can't prevent deliberate POST modifications that way.

You MUST validate EVERYTHING. There is no substitute. Posted data comes in via the browser, which can easily be subverted to post different values from the ones you intended. Specifically, the "Web Developer" extension for Firefox allows modification of hidden fields etc.

Mark