  1. #1 (New Coder)

    Deny another page's access

    Hi, I wonder if it is possible to deny another page's access? Let's say I have an update function. My script is written in update.php, where there is some hidden input value I have added using the <input type="hidden" value="value"> function. Then it will be submitted to update2.php.

    If someone views the source of my update page, they will know the hidden value, and if they replicate my form (with all the inputs and change the value) and then use action="www.my.com/site/update2.php", then they can alter the value that is supposed to be right?

    Is there code that allows only POST data from a certain site? Like it only accepts data from www.my.com/site/update.php but not any other site like www.your.com/site/hack.php?

  • #2 derzok (Regular Coder)

    You could check $HTTP_SERVER_VARS['HTTP_REFERER'] in the code that will receive the form.


  • #3 (New Coder)
    Thanks, useful!~

  • #4 Inigoesdr (Super Moderator)
    $HTTP_*_VARS are deprecated; use $_SERVER/$_POST/$_GET/$_SESSION/$_COOKIE instead. Also, the referer is supplied by the user, so it can't be fully trusted.

  • #5 derzok (Regular Coder)
    How about a hash function? Base it off of something that changes (like the time minus the last digit) so that the key will only be valid for 10 seconds or so. That way they can never fake a session unless they: A) grab a working key within 10 seconds of the form being submitted, or B) figure out your hash function and implement it themselves to give them working hashes.

    It's not foolproof, but it'll stop most people. Who exactly are you looking to stop? Human users or bots?

  • #6 logictrap (Regular Coder)
    You could try something like this:

    update.php:

    Add

    PHP Code:
    session_start();                     // must run before any output is sent
    $_SESSION['FORMID'] = 'myformname';  // record that this form was served

    update2.php:

    Add an if statement to check the session variable:

    PHP Code:
    session_start();                     // same session as update.php
    if (isset($_SESSION['FORMID']) && $_SESSION['FORMID'] == 'myformname') { /* process */ } else { /* don't process */ }

  • #7 Inigoesdr (Super Moderator)
    Don't forget to session_start() at the beginning of the script.

  • #8 (New Coder)
    Thanks for the reply. But if I use the session function, can't someone copy it out too? And I'm trying to prevent human users from exploiting it by using the same form from another site and linking it to my update2.php.

    And I don't really get how I should use a session function in this case. Any explanation? I just need to make sure that in update2.php the information submitted to it MUST be from update.php (both from my site, of course).

  • #9 Inigoesdr (Super Moderator)
    Quote Originally Posted by crays:
    > But if I use the session function, can't someone copy it out too?
    No, the session variables are stored on the server. The only thing that is sent to the user is a single identifier cookie that's unique to each user. It can't really be shared because the session manager checks the user's IP while validating the cookie, and the session would expire anyway.

  • #10 (New Coder)
    Thanks for the reply. But I don't really know how I should use the session function in my case though, which is: I just need to make sure that in update2.php the information submitted to it MUST be from update.php (both from my site, of course).

  • #11 logictrap (Regular Coder)
    Session variables allow you to share data between pages on the same site (and only the same site) without using GET or POST, and they are not visible in the source code of your page like form fields. Because of this, a form on another system cannot pass a session-type variable to pages on your site.

    The use of them is not much more complicated than using a regular variable. I suggest you google something like 'php session tutorial' to get a more lengthy explanation.

    I don't think there is a 100% foolproof method. If the session method is not strong enough you might need to add a captcha field (one of those quirky images that contains some data you have to enter into a confirmation field).

    If that's still not enough then you probably need to have the users login before they access the forms.
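    The session-flag idea from posts #6 and #11, combined with the short-lived secret from post #5, worked into a per-session form token. This is an added example and not code from anyone in the thread; it assumes PHP 7+ (for random_bytes() and hash_equals()) and that both update.php and update2.php call session_start() before producing output. The function names are made up for this illustration.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ and that update.php and
// update2.php both call session_start() before any output.

// Call from update.php when rendering the form. The token lives in the
// session (server side); only its value is echoed into a hidden field, so a
// copied form on another site has no token bound to this visitor's session.
function issue_form_token(string $formId): string
{
    $token = bin2hex(random_bytes(32));        // 64 hex chars, unpredictable
    $_SESSION['FORMID']          = $formId;
    $_SESSION['FORM_TOKEN']      = $token;
    $_SESSION['FORM_TOKEN_TIME'] = time();
    return $token;
}

// Call from update2.php before processing. True only when the session holds
// a token for this form, the submitted value matches it exactly (constant-time
// compare) and it is at most $maxAge seconds old. The token is consumed either
// way so it cannot be replayed. The Referer header is deliberately not used:
// as post #4 says, the client supplies it and it cannot be trusted.
function consume_form_token(string $formId, $submitted, int $maxAge = 600): bool
{
    if (!is_string($submitted) || !isset($_SESSION['FORM_TOKEN'], $_SESSION['FORMID'])) {
        return false;
    }
    $age = time() - (int) ($_SESSION['FORM_TOKEN_TIME'] ?? 0);
    $ok  = $_SESSION['FORMID'] === $formId
        && hash_equals($_SESSION['FORM_TOKEN'], $submitted)
        && $age >= 0 && $age <= $maxAge;
    unset($_SESSION['FORMID'], $_SESSION['FORM_TOKEN'], $_SESSION['FORM_TOKEN_TIME']);
    return $ok;
}

// update.php:
//   session_start();
//   $token = issue_form_token('myformname');
//   echo '<input type="hidden" name="token" value="'
//       . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
//
// update2.php:
//   session_start();
//   if (!consume_form_token('myformname', $_POST['token'] ?? null)) {
//       http_response_code(403);
//       exit('Form submission rejected');
//   }
//   // ...process $_POST here...
```

    Because the token is random per session and compared server side, knowing the hidden field's value from a view-source of someone else's page gives nothing; the check still needs a login if you must also know who submitted it.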

