PHP preventing to post data from other page

Asked Jun 04 '15 at 12:35

Active Jun 04 '15 at 12:58

Viewed 141 times

I'm testing my programming skills, and came to a question. How can I prevent bad people to use a form to submit data to my site. For example I have a form where the user can change their password. Now if somebody copy the same code and uploads it to their site, but point it to my processor file, it will change the data in my tables.

I'm aware of the "Captcha", but it is a pain in the...

The second method I thought of is creating a random hash from random things and then putting it into the form and into _SESSION, and then on the next page I verify that $_POST['hash'] == $_SESSION['hash'], but can they submit data in _SESSION too? Like setting the form input 'hash' = "hash", and setting $_SESSION['hash'] = "hash".

So the question is given. Thank you if you help me.

edited Jun 04 '15 at 12:58

Ash

3,242
2
23
35

asked Jun 04 '15 at 12:35

ilo

2

Captcha is not used for CSRF only. Read the below link to understand this better. http://stackoverflow.com/questions/1780687/preventing-csrf-in-php – Adon Jun 04 '15 at 12:39
1

@splash58 there are some free services, but they're mostly a paid option. – Funk Forty Niner Jun 04 '15 at 12:39
4

The second method defined a CSRF token, which is indeed what you're after. – Jonnix Jun 04 '15 at 12:40
1

See the Q&A's here http://stackoverflow.com/q/24435456/ you may find something useful in there too. It's a sort of "referer" type of solution. – Funk Forty Niner Jun 04 '15 at 12:51
1

CSRF is the way to go. – Blaatpraat Jun 04 '15 at 12:52
1

make you session secure & use CSRF token, captcha like google recaptcha would be a bonus – Dimag Kharab Jun 04 '15 at 12:58
if your form is private (of course, change password), you can just simply check if user is logged in, and if some one use the same form and post it to your processor file, it would be denied in user check. – kamal pal Jun 04 '15 at 13:05

PHP preventing to post data from other page

0 Answers0