How to prevent form input from another website sending vars to mine?

[thenext88]

Is there any way to prevent form input from another website sending variables to yours.

I'm creating a registration form, and it has a JavaScript validation, because there are rules for certain fields. The form passes the variables to another page, and the variables are checked again by PHP script, to eliminate any SQL injectinos vulnerabilities, and just to make sure the rules for certain fields are followed.

For a final line of security, is there anyway to input some type of code, so that it checks the previous page, and if the previous page is not the specified page... return an error? I thought about using session variables to save the last page viewed on my website, but that wouldn't stop someone from trying to send input from another website, as they could just load up my form, have the last page session variable get saved, and then submit variables through their own from.

I would just like to know if this a possible, just in case I accidentally miss initial security by filtering variables sent. So if anyone knows, please let me know!

 

[nasaboy007]

if you already check the vars in your php code, there isn't really a need to check what form theyre being submitted from. however, the only way that i coudl think of to check the form would be in php to check the referrer $_SERVER['HTTP_REFERRER']. only problem is that can be spoofed, but it's better than nothing if you really want that.

 

[baxter]

What you'd want to do is to generate a form password on form load. For instance:

$pass = md5(time());

Add this value into your session or some other type of storage system.

then add that value to the form as a hidden element:

<input type='hidden' value='<?= $pass ?>' name='formPass' />

Lastly on submit check to make sure the form pass is present and matches the session pass.

Cheers,

Jay

 

[nasaboy007]

hidden inputs are not secure because they're cleartext so people can just copy/paste and put them in their own form (and since people can spoof session vars too, it wouldn't be hard to set both session and hidden input to the same thing that u generated once).

whatever you do, the user (if desired) would be able to get both the hidden input and the session var and just set it to be the same from their own form if they really wanted to.

 

[thenext88]

It seems like filtering the variables is the only thing in the end that is secure. It seems like I could setup a few things, just as discouragement. For example if someone tried to copy and paste the form, but failed the session variable. So the session variable requirement is figured out, but now the server referred fails. That gets figured out, and some else fails, which gets figured out... in the end time is wasted, so long as my variables are filtered and secured.

I'll use them just because of ease to setup. One required file included on every page that form variables are passed to.

 

[baxter]

@nasaboy007: do you have any links to session spoofing, from my experience a session cookie can be tampered with to try and spoof another user but since session information is stored locally on the server the session variables aren't able to be "spoofed" or modified in any form.

 

[thenext88]

Wouldn't storing some kind of md5 code in the cookie, which would match in the specific user's database eliminate a cookie spoof? (Just asking because my registration system is pretty much done, next is to assign to cookies so users can be remembered).

About spoofing a session...

Open up my login form on my page where the random session variable is created. Session variable gets saved. Then submit through a different page in a different tab. My PHP script on the following page should see that random session variable. I've never tested but that's what I believe would happen. Now say that session variable was stored in the form as well. Copy and paste the form after my page has loaded, and use that.

Either way I think I'm pretty safe right now. Right now I've got:

1) Javascript validator on the form page itself, which has maximum input lengths, does not allow symbols except for email.
2) PHP filters which revalidates the maximum length, removes symbols except by email, and pretty much anything that goes into a MySQL query is real escaped.

I may implement these other things as well, just as more obstacles.

I'm just trying to make the most secure registration and login system that I can right now, that way when I develop more sites later on, I will already have a system in place and will not have to do this from scratch like I am right now.

 

[Eric]

if you already check the vars in your php code, there isn't really a need to check what form theyre being submitted from. however, the only way that i coudl think of to check the form would be in php to check the referrer $_SERVER['HTTP_REFERRER']. only problem is that can be spoofed, but it's better than nothing if you really want that.

> Is there any way to prevent form input from another website sending variables to yours.

Keeping in mind the above...

if ($_SERVER['REQUEST_METHOD'] == 'POST') // or possibly,  count($_POST) > 0
{
	$host = preg_replace('#^www\.#', '', $_SERVER['SERVER_NAME']);

	if ($host AND $_SERVER['HTTP_REFERER'])
	{
		$refparts = @parse_url($_SERVER['HTTP_REFERER']);
		$refhost  = $refparts['host'] . ((int)$refparts['port'] ? ':' . (int)$refparts['port'] : '');

		if (strpos($refhost, $host) === false)
		{
			die('POST requests are not permitted from "foreign" domains.');
		}
	}
}

 

[thenext88]

Haven't had a chance to try it, but rep for that! Works very easily when all I need to do is stick that on my index.php

 

[Mark]

In the "OLD" Days , We'd use something like this :

http://javascript.internet.com/user-details/must-visit-from.html