Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 12 of 12
  1. #1
    Regular Coder Element's Avatar
    Join Date
    Jul 2004
    Location
    Lynnwood, Washington, US
    Posts
    855
    Thanks
    2
    Thanked 2 Times in 2 Posts

    FUNCTION: Validate Form Submissions

    This function will allow you to validate whether the submission is coming from your site, and if it has code in the $_POST fields (optional)

    PHP Code:
    <?php   

    // By Jordan S. C. Thompson
    // Some help by Velox Letum

    // This script will check to make sure the submission
    // is coming from your site, and that no code is
    // found in the post fields.


    function validateFormSubmission($noCodeCheck FALSE)   {
      if(isset(
    $_POST)) {
        
    $runningScriptOn "http://".$_SERVER['HTTP_HOST']."/";
        
    $referParts parse_url($_SERVER['HTTP_REFERER']);
        if(empty(
    $referParts['scheme'])) {
            
    $scheme "http://";
        } else {
            
    $scheme $referParts['scheme'];
        }
        
    $host $referParts['host'];
        
    $referRunningOn $scheme $host;
        if(
    $referRunningOn !== $runningScriptOn) {
          
    $die 1;
        }
        if(
    $noCodeCheck == FALSE) {
          foreach(
    $_POST as $key => $val) {
            if(
    strlen($val) != strlen(strip_tags($val)){
              
    $die++;
            }
          }   
        }
        if(
    $die == 1) {
            die(
    "There was a problem with the form submission.");
        } elseif(
    $die == 2) {
            die(
    "There was more the one problem with the form submission.");
        } else {
            return 
    true;
        }
      } else {
          return 
    true;
      }
    }

    ?>
    Here is an example of using it:

    PHP Code:
    <?php
    // This is at the top of my doument, under where you would include or place the function.

    // Example one, check refer and for code
    validateFormSubmission();

    // Example two, check refer, but don't check for code
    validateFormSubmission(TRUE);

    ?>
    If you want to use this else where in the file, and don't want it to die and kill your template then replace:

    PHP Code:
    // Original Code
        
    if($die == 1) {
            die(
    "There was a problem with the form submission.");
        } elseif(
    $die == 2) {
            die(
    "There was more the one problem with the form submission.");
        } else { 
    With:

    PHP Code:
    // Replacement Code
        
    if(isset($die)) {
            return 
    false;
        } else { 
    I hope this is usefull.
    Last edited by Element; 12-28-2005 at 03:37 AM.

  • #2
    New Coder
    Join Date
    Sep 2005
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If I understand your code you compare $_SERVER['HTTP_HOST'] with $_SERVER['HTTP_REFERER']. But since both data can not be trusted (1,2,3), how can you be sure the function is doing what it is supposed to be doing? In other words, if both can be spoofed, you never know if the form did come from your site?

    (1) shiflett.org
    (2) Php architects guide to php security, Ilia Alshanetsky
    (3) http://www-128.ibm.com/developerwork...81&entry=75480

  • #3
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    You can't. I have a little program which can fake the referer so it'll always be the address I'm accessing a page from...
    BTW the if(isset($_POST)) is not needed as $_POST is always set.
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.

  • #4
    New Coder
    Join Date
    Sep 2005
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    So I'm correct in saying the script doesn't work as intended.
    Probably a good point to consider is the question why you would want to make sure the form submission is coming from your site. I remember reading in Shiflett's book that in his opinion it really doesn't matter were the form submission is coming from: one needs a good input filtering anyway.

  • #5
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    You can check if a request came form your site with sessions
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.

  • #6
    Regular Coder Element's Avatar
    Join Date
    Jul 2004
    Location
    Lynnwood, Washington, US
    Posts
    855
    Thanks
    2
    Thanked 2 Times in 2 Posts
    *Shrugs* Its just code, if you need to shoot someone, shoot yourself. Because I don't care.

    The method has been around for a long time and is a basic way. If someone can foool referers, an such they can do much more that you can't stop anyway without getting complicating and blogging down scripts.

  • #7
    New Coder
    Join Date
    Sep 2005
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    *Shrugs* Its just code, if you need to shoot someone, shoot yourself. Because I don't care.
    I'm not sure I understand what you mean here (ah, how difficult is it to communicate in a few lines of text..) but I hope you understand I'm not attacking you in any way. I just try to learn myself. When I saw the code and remembered reading about the faking of the SERVER variables I posted my question to invoke a little discussion.

    What other ways would you suggest to use if one really wants to be sure the request came from your site? Sessions as marek_mar suggests?

    (as I said before the best strategy is to never trust any input, wether it's coming from your site or somewere else. But I can imagine that in some cases checking if the form came from the same site can be used as a defense in depth measure. And in that case you could/might want to try to do that the best you can)

  • #8
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by matthijs
    What other ways would you suggest to use if one really wants to be sure the request came from your site? Sessions as marek_mar suggests?
    the request never comes from your site. the request always comes from the browser.
    a form is actually nothing more then a way to allow the browser to compose the POST or GET collection and then include it inside the request. in fact, it doesn't even need to be a browser. any server can parse your response that contains the form, and build a POST-collection and send that back to your server.
    Or a server can parse the form, build another form from it, send that form to a user who displays it in his browser and posts it to your server. or who first posts it to the go-between server which builds the POST-collection that is sent to your server.

    basicaly, there is no way on earth that you can verify if the POST-collection was generated with the form you sent in your response.

    but the good news is that it doesn't matter how the client composed the POST-collection. the only thing that matters is if the client included valid values or not, and it's quite easy to check that.
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #9
    New Coder
    Join Date
    Sep 2005
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    You are absolutely correct.
    but the good news is that it doesn't matter how the client composed the POST-collection. the only thing that matters is if the client included valid values or not, and it's quite easy to check that.
    Indeed, never trusting any input and validating the input well is the best (and only) thing you should do. Whether it's easy? I don't know. For beginners those regexes can look pretty scary.

    But about the purpose of the original script in this thread: I did read a method in the security guide of http://phpsec.org with which it should/supposedly be possible to make sure the form was posted from the site itself. That method uses random tokens and sessions to store them. But anyone interested should read the guide, as I can't explain the details.Cross site request forgeries

  • #10
    Senior Coder
    Join Date
    Sep 2005
    Posts
    1,791
    Thanks
    5
    Thanked 36 Times in 35 Posts
    The Zend framework includes an input filter:
    http://framework.zend.com/manual/zend.inputfilter.html

  • #11
    New Coder
    Join Date
    Sep 2005
    Posts
    36
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Yes, the zend framework and the way it can be used to foolproof and validate input looks promising. Just finished coding a couple of forms, not even that complicated. But even though I use a standard validation class, typing it all out is still too much work. Hopefully a framework like Zend's will make it all a lot easier (also easier to make less mistakes!)

  • #12
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Quote Originally Posted by raf
    the request never comes from your site.
    It can come from your site. It is useless in most cases though.
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •