
I have a contact form on my website; the page is named (contactus.php) and, after filling it in and hitting submit, it goes to the PHP file (contact.php). Both are on the same server, meaning under the same domain. Now someone is filling in my contact form from outside my (contactus.php) page, and from that I am receiving a lot of spam. After searching, I found him and also got his code. He is using the code below.

```html
<form name="myform" id="myform" method="post" action="http://www.mydomain.com/contact.php">
<input type="text" ...
<input type="email" ...
<textarea type="text" ...
<input type="submit" ...
</form>
```

Now, is there any way to limit my (contact.php) so that it only accepts input data from my domain, meaning from a page like (contactus.php)?

Giacomo1968
Muhammad Hassan
  • Forms are meant to work exactly like links - would you ask a question like "how can I stop people from linking to my site from external domain"? – fdreger May 10 '14 at 21:42
  • @AmalMurali I want unlimited hits from my domain but not from others... – Muhammad Hassan May 11 '14 at 15:42
  • @fdreger I am only asking about stopping hits to one file from outside my domain. The rest is ok. – Muhammad Hassan May 11 '14 at 15:43
  • @MuhammadHassan: You are only asking, and I am only answering: forms are like links. Can you make a page that cannot be targeted by a link "from outside domain"? – fdreger May 11 '14 at 21:23
  • @fdreger I didn't get you. In short, I can't edit my HTML contact form. I can just add some extra code in my `contactus.php` page header and `contact.php` header, not the rest of the code. I am thinking about adding some hidden password on the `contactus.php` page that, after hitting submit, is first checked by `contact.php`, and after it matches, the rest of the code runs. Is this possible? – Muhammad Hassan May 12 '14 at 04:20
  • @MuhammadHassan: yes, adding code (anywhere you want) is certainly possible. But it is impossible to block anyone "from outside my domain" from posting to the page, because requests - simply speaking - are not bound to any domain at all. You are trying to come up with a solution before you understand the problem, and this is not smart. – fdreger May 12 '14 at 17:47
  • @fdreger Ok. Thanks for your comment. I am looking to make any meaningful solution to this problem and after getting this, I will share that here too. – Muhammad Hassan May 14 '14 at 01:21

1 Answer

This can be mitigated similarly to how you would protect yourself against a Cross-Site Request Forgery (CSRF or XSRF) attack.

This should get you started on the basics:
http://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/

If you're using any kind of well-established framework, there should be a safeguarding mechanism built in.

Ayman Safadi
  • This is not CSRF. CSRF is about unintentional requests while spam is pretty intentional. – Gumbo May 10 '14 at 15:38
  • @Gumbo, I respectfully disagree; this is very much CSRF. The requester's intentions are irrelevant; it's the site's owner who defines whether a request is wanted or not. Any external POST request should be considered *unintentional* (as in the site owner did not intend his form to be used this way) and should be protected against. OWASP defines CSRF as, *"CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated."* – Ayman Safadi May 10 '14 at 16:45
  • How can the requester's intention be irrelevant in CSRF? That's the only aspect that *is* relevant for declaring a flaw as CSRF. The [CWE's definition of CSRF](http://cwe.mitre.org/data/definitions/352.html) is: "The web application does not, or can not, sufficiently verify *whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request*." Spammers intentionally send spam requests, so it's definitely not CSRF as per the definition. Techniques to protect against CSRF may also help to mitigate spam, but this is definitely not CSRF. – Gumbo May 10 '14 at 16:56
  • Ah... now I see the difference. Thanks! @Gumbo, so is "cross-site posting" a thing? I know it has legitimate uses, but in this case, would it be officially considered an "attack"? If so, does this kind of attack have a name (I made up *cross-site posting*)? – Ayman Safadi May 10 '14 at 21:34
  • @AymanSafadi In short, I can't edit my HTML contact form. I can just add some extra code in my `contactus.php` page header and `contact.php` header, not the rest of the code. I am thinking about adding some hidden password on the `contactus.php` page that, after hitting submit, is first checked by `contact.php`, and after it matches, the rest of the code runs. Is this possible? – Muhammad Hassan May 11 '14 at 15:47
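The session-bound token that the answer's CSRF link describes, and that the asker's "hidden password checked by contact.php" idea amounts to, as an added example that is not code from the question, the answer or the asker's site. The function names and the `form_token` field name are assumptions; the shared part goes in the header of both pages, which is the only place the asker can add code.

```php
<?php
// Added example (not the question's or answer's own code): a session-bound
// form token, the same mechanism the answer points to for CSRF protection.
// Function names and the 'form_token' field name are assumptions.

// ---- shared code: put this in the header of BOTH contactus.php and
//      contact.php, before any HTML output (session_start() sets a cookie) ----
session_start();

function form_token(): string
{
    // One random 256-bit token per session, reused while the session lives
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function form_token_field(): string
{
    // Hidden input to echo inside the existing <form> on contactus.php
    $value = htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_token" value="' . $value . '">';
}

function form_token_valid(?string $submitted): bool
{
    // Fail closed when no session token exists; compare in constant time
    if ($submitted === null || empty($_SESSION['form_token'])) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

// ---- contactus.php: inside the <form>, next to the unchanged fields ----
// echo form_token_field();

// ---- contact.php: gate the existing mail-sending code on a valid token ----
$raw = $_POST['form_token'] ?? null;          // may be absent or non-string
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !form_token_valid(is_string($raw) ? $raw : null)) {
    // Record rejections so the volume of blind spam posts can be monitored
    error_log('contact.php: rejected POST without valid form token from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(403);
    exit('Invalid form submission.');
}
// ... the existing contact.php code (validation, mail()) continues here ...
```

A token only stops posts that never load contactus.php first: a bot that fetches the page, keeps the session cookie and replays the token will pass, so pair this with rate limiting or a CAPTCHA. Checking the Referer or Origin header is not a substitute, since the sender controls those headers.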