
Thread: Get Form Name?

  • #1
    doubledee (Regular Coder)
    Join Date: Mar 2011
    Location: Arizona
    Posts: 939
    Thanks: 21
    Thanked 0 Times in 0 Posts

    Get Form Name?

    How do I get the name of a Form being submitted using $_POST?

    I am trying to add code to protect against CSRF, but in the examples I have seen, they are just assigning the Form's token to a generic $_SESSION variable like this...

    PHP Code:
    $_SESSION['token'] = $token;
    If a person had more than one Form open, then you'd have a collision as far as I can see?!

    Yesterday I found a tutorial that prepended the Form's name to Token Name, but I can't find that article today.

    Hope you follow my question?!

    Sincerely,


    Debbie

  • #2
    Fou-Lu (God Emperor)
    Join Date: Sep 2002
    Location: Saskatoon, Saskatchewan
    Posts: 16,980
    Thanks: 4
    Thanked 2,659 Times in 2,628 Posts
    You don't. A form itself isn't considered a successful field; you'd need to create a separate entry for it. Pass whatever you need as hidden.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #3
    DrDOS (Senior Coder)
    Join Date: Sep 2010
    Posts: 1,899
    Thanks: 15
    Thanked 226 Times in 226 Posts
    Quote Originally Posted by Fou-Lu:
    You don't. A form itself isn't considered a successful field; you'd need to create a separate entry for it. Pass whatever you need as hidden.
    This is exactly what to do. Make a hidden input and use its name as the basis for the isset statement to personalize the form. I have pages with four forms and it works every time.
    Welcome to http://www.myphotowizard.net

    where you can edit images, make a photo calendar, add text to images, and do much more.


    When you know what you're doing it's called Engineering, when you don't know, it's called Research and Development. And you can always charge more for Research and Development.

  • #4
    doubledee
    Quote Originally Posted by DrDOS:
    This is exactly what to do. Make a hidden input and use its name as the basis for the isset statement to personalize the form. I have pages with four forms and it works every time.
    Isn't there a cleaner way?

    (I'm going crazy that I can't find this tutorial from yesterday. He did something much more streamlined to prepend the Form's name to the token.)


    Debbie

  • #5
    Fou-Lu
    Noppers.
    I'm not really "up with" (or whatever the kids call it nowadays) the HTML standards, but the form itself is a control container. The form in itself is *not* a control, so therefore it will not pass this data to the server.
    The only reason to name your form would be if you use multiple forms. But by doing so, the only reliable way to submit it is by clicking the submit button with your mouse (or using accessibility and highlighting the button with tab to submit). You should reliably be able to use the submit name to determine which form was submitted; the IE bug (and yes, it is a bug: the standard specifies that *all* successful fields are to be submitted always) to the best of my knowledge applies only with implicit enter.

  • #6
    DrDOS
    Quote Originally Posted by doubledee:
    Isn't there a cleaner way?

    (I'm going crazy that I can't find this tutorial from yesterday. He did something much more streamlined to prepend the Form's name to the token.)


    Debbie
    There may be, but hidden inputs have other uses too, you can use javascript to set the value depending on what the user is doing on the page.

  • #7
    doubledee
    I'm stuck on this CSRF thing and could use some help.

    Here is a stripped down version of my "create_member.php" script...

    PHP Code:
    <?php
    session_start();   // needed before $_SESSION can be read or written

    // Set Form Token.
    if (!isset($_SESSION['token'])) {
        $_SESSION['token'] = '1234';   // For testing only; a string, because $_POST values are strings and !== also compares type
    }

    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // Form was Submitted (Post).

        // CSRF Check.
        if (!isset($_POST['token']) || $_POST['token'] !== $_SESSION['token']) {
            // Invalid Form.
            // Throw Error.
        } else {
            // Valid Form.
            // Validate Form Data
            // Process Form
        }
    } else {
        // Form was not Submitted (Get).
        // Drop through to display Form.
    } // End of HANDLE FORM
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">

    <head>
        <title>Create an Account</title>
    </head>

    <body>
        <!-- CREATE ACCOUNT FORM -->
        <form id="createAccount" name="createAccount" action="" method="post">
            <fieldset>
                <!-- Form --><!-- NEW -->
                <!-- 'BOGUS' deliberately mismatches the session token so the check fails; swap in $_SESSION['token'] for the real value -->
                <input type="hidden" name="token" value="<?php echo 'BOGUS';  //$_SESSION['token']; ?>" />

                <!-- First Name -->
                <label for="firstName"><b>*</b>First Name:</label>
                <!-- str2htmlentities() is the author's own escaping helper, not shown here -->
                <input id="firstName" name="firstName" type="text" maxlength="30" value="<?php echo (isset($firstName) ? str2htmlentities($firstName) : ''); ?>" /><!-- Sticky Field -->

                <!-- And so on... -->

    I have this set up to fail currently, and it does.

    What I could use some help with is coming up with a better way to define the $_SESSION variable.

    I plan on using this approach for *every* Form, and that creates a problem because every Form will be referencing $_SESSION['token'].



    I was going to erase $_SESSION['token'] after I confirm the Form is from my user, but what happens if the Form has data-entry errors and needs to be resubmitted?

    Also, I am afraid of a collision if, say, a person creates an account (Form 1) and then tries to log in (Form 2).

    It doesn't seem like a great design to always be using one variable like this.

    I dunno. It is late on Friday, I am tired, and my brain is fried!

    Could use some help here.

    Thanks,


    Debbie
    Last edited by doubledee; 10-04-2013 at 10:13 PM.

  • #8
    doubledee
    I think I figured out what to do...

    If I place this code AFTER my Form validation, then I don't have to worry about the Form being resubmitted due to data entry errors, and so it is okay to re-set the form_token...

    PHP Code:
    // Clear Form Token.
    unset($_SESSION['form_token']);

    A lot of the examples I have seen online have a "Time Limit", but I'm not really sure how important that is?

    Any thoughts?

    Sincerely,


    Debbie

  • #9
    Fou-Lu
    I set my "time limit" to that of session expiry. I have no problem with that; I let the user take the time they want. The only downside is that if they exceed the time, then they will need to submit again, but that's not too big of a deal; only the password data needs to be re-entered.

    Note though that one form must be completed at a time (with how I do it; this was a decision I decided to make). I share the same token identification between the forms, so if one tab has a form, and they open another form on a different tab, the first one will be nullified.

    Token handling's primary goal is flood control and not security. Without it, a user can simply hold the enter button, and depending on the code it could spawn hundreds or thousands of submissions. It also requires a bot to read the page first as well as storing cookies (or possibly querystring data), which doesn't eliminate, but does cut down on the amount of general spam.

  • #10
    doubledee
    Quote Originally Posted by Fou-Lu:
    Token handling's primary goal is flood control and not security. Without it, a user can simply hold the enter button, and depending on the code it could spawn hundreds or thousands of submissions. It also requires a bot to read the page first as well as storing cookies (or possibly querystring data), which doesn't eliminate, but does cut down on the amount of general spam.
    I don't see how the sample code I posted above would prevent someone from submitting a form again and again.

    I implemented it to protect against CSRF attacks where a hacker sends me their form.

    As far as double submissions, all of my forms get routed to an "outcome page", so that should prevent that issue.

    Sincerely,


    Debbie

    P.S. Do you log *every* action that a user takes? For example, pages visited, forms submitted, # of times a form is submitted, login attempts, etc.?

    If so, how do you manage all of that complexity?

  • #11
    Fou-Lu
    By consuming a token, you no longer match said token, so it prevents flooding.
    It doesn't prevent me from submitting to your form. It just means I need to take an additional step to do so. Most spam "bots" won't bother though.

    I have auditing capabilities. I add auditing to commands and link the auditing to either a Principal (either a user or a group) and whether it was a success or a failure. I don't audit things like visits or submissions as that's just an unnecessary burden (it doesn't really matter what pages were viewed or how many times a form has been submitted). Although I do have flood control in place which will also detect the number of attempted submissions in x time frame, which I suppose I could potentially audit. Same would go for login attempts I suppose; the only difference between these is I would need to hook an event intercept in there to do the counting (I don't care if it took three times to get in, I care if it takes 10 times to get in).

  • #12
    doubledee
    Quote Originally Posted by Fou-Lu:
    By consuming a token, you no longer match said token, so it prevents flooding.

    It doesn't prevent me from submitting to your form. It just means I need to take an additional step to do so. Most spam "bots" won't bother though.

    Then you have things coded differently than I do above.

    My code above assigns a "form_token" to $_SESSION['form_token'] and then assigns that to a hidden field in my Form.

    Whenever the Form is submitted, the $_POST['form_token'] must always match $_SESSION['form_token'] otherwise it isn't my Form.

    But if a user wanted to submit the Form 100 times, my code wouldn't stop them as long as the "form_tokens" always match.


    Debbie

  • #13
    Fou-Lu
    Not when you unset it, it doesn't, and you should be doing that whenever a form is successfully submitted. You then receive a token which has no match, which therefore fails the submission.

  • #14
    doubledee
    Quote Originally Posted by Fou-Lu:
    Not when you unset it it doesn't, and you should be doing that whenever a form is successfully submitted. You then receive a token which has no match which therefore fails the submission.
    Unless you post an explanation with some code, I'm not following you.

    I used this article to get ideas for the code I posted in my OP above...

    http://shiflett.org/articles/cross-s...uest-forgeries

    Sincerely,


    Debbie

  • #15
    Fou-Lu
    PHP Code:
    <?php
    session_start();
    // Issue the token when the form is displayed. A CSPRNG value is used here;
    // sha1(time()) is predictable to anyone who can guess the clock.
    $_SESSION['token'] = bin2hex(random_bytes(16));
    ?>
    <form method="post" action="script.php">
        <input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['token'], ENT_QUOTES, 'UTF-8'); ?>"/>
        ...
        <input type="submit"/>
    </form>
    PHP Code:
    <?php
    session_start();

    // hash_equals() compares the two strings in constant time.
    if (isset($_SESSION['token'], $_POST['token']) && hash_equals($_SESSION['token'], (string) $_POST['token']))
    {
        // validate the rest, setting $valid
        $valid = true;   // stands in for the real validation result
        if ($valid)
        {
            unset($_SESSION['token']);   // consume the token; a repeat submission no longer matches
        }
    }
    else
    {
        die('Access token invalid.');
    }
    Simple as that. If you hold enter on the form, then it will submit the same token over and over, which has already been consumed and is no longer valid.
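    Putting the two threads of this discussion together, Debbie's wish in #7 to key the token to the form so that two open forms do not collide, and Fou-Lu's consume-only-after-success rule in #15, as an added example that is not code from any poster here. The helper names (csrf_token, csrf_check, csrf_consume), the $_SESSION['csrf'] slot, the hidden-field name csrf_token and the outcome.php redirect are assumptions, and it needs PHP 7 or later for random_bytes().

```php
<?php
// Added example (not from the thread): one CSRF token per named form, kept in
// $_SESSION['csrf'][<form name>], so "createAccount" and "login" never collide.
session_start();

// Return the token for one named form, creating it on first use. It goes in a
// hidden <input name="csrf_token">. An unconsumed token is reused, so a form
// redisplayed after validation errors still matches on the next submit.
function csrf_token(string $form): string
{
    if (!isset($_SESSION['csrf'][$form])) {
        // random_bytes() (PHP 7+) is unpredictable, unlike sha1(time()).
        $_SESSION['csrf'][$form] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'][$form];
}

// True when the submitted token matches the one issued for this form.
// Nothing is consumed here; that happens only after the data validates.
function csrf_check(string $form, array $post): bool
{
    if (!isset($_SESSION['csrf'][$form], $post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf'][$form], $post['csrf_token']); // constant time
}

// Retire the token once the form is validated and processed; a repeat POST
// carrying the same token then fails csrf_check().
function csrf_consume(string $form): void
{
    unset($_SESSION['csrf'][$form]);
}

// Handler sketch for create_member.php; 'createAccount' is the form's name.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check('createAccount', $_POST)) {
        http_response_code(403);
        exit('Invalid form token.');
    }
    $errors = []; // field validation goes here; on errors, redisplay the form
    if (!$errors) {
        // ...process the form, then retire the token and redirect to the outcome page
        csrf_consume('createAccount');
        header('Location: outcome.php');
        exit;
    }
}
```

    When the form is rendered, echo csrf_token('createAccount') into its hidden field; a login form would call the same helpers with its own name and get its own slot.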
